Analysis
-
max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
24/12/2022, 18:04
Static task
static1
Behavioral task
behavioral1
Sample
842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49.exe
Resource
win10v2004-20220812-en
General
-
Target
842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49.exe
-
Size
223KB
-
MD5
bfbfca5f9c558bf3171f999ba3459d12
-
SHA1
ced296dd2fa34b9b52cdb01e238af34dd8414399
-
SHA256
842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49
-
SHA512
59150c481eb0544897b09c53f52cd00f1068f410234c947ab24e96948713d6fb129ac01a98a747d84d918003555c7177e1cf40abd1cb099e2fb0d43ec0ca72a1
-
SSDEEP
3072:WDwILGHLb55+98kVwAgmv9LKxW42MLauDgI7H4f/ln:qLGrfkgm1XMLaMgIS
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule
behavioral1/memory/1764-56-0x0000000000220000-0x0000000000229000-memory.dmp family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI device identifiers (the vendor and product strings of the attached disks) are often read in order to detect virtualized sandbox environments, since hypervisors expose recognisable vendor names.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49.exe
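The check behind the three registry events above (open, query, enumerate the SCSI enumeration key), reconstructed as an added example; this is not code from the sample or from the sandbox vendor. The subkey names follow the Windows Enum\SCSI naming scheme (`Disk&Ven_<vendor>&Prod_<product>`), the sample subkeys and the list of hypervisor vendor strings are constructed assumptions, and `read_scsi_enum` only touches the real registry when run on Windows, so the module runs offline elsewhere.

```python
"""Mirror of the sandbox-detection check flagged in the report: enumerate
HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI and look for disk vendor/product
strings that only show up inside virtual machines.

Added example; the indicator list and sample data are assumptions.
"""
import platform
from typing import Dict, Iterable, List, Optional

# Key the sample opened, queried and enumerated (path relative to HKLM).
SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Vendor / product substrings typical of hypervisor-backed disks.
# Assumed list; extend it for the platforms you care about.
VM_INDICATORS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN", "PARALLELS", "HYPER-V")


def parse_device_id(subkey: str) -> Dict[str, Optional[str]]:
    """Split 'Disk&Ven_VBOX&Prod_HARDDISK' into class, vendor and product."""
    fields: Dict[str, Optional[str]] = {"class": None, "vendor": None, "product": None}
    parts = subkey.split("&")
    if parts:
        fields["class"] = parts[0]
    for part in parts[1:]:
        if part.startswith("Ven_"):
            fields["vendor"] = part[len("Ven_"):]
        elif part.startswith("Prod_"):
            fields["product"] = part[len("Prod_"):]
    return fields


def vm_indicators(subkeys: Iterable[str]) -> List[str]:
    """Return the device IDs whose vendor or product matches a VM indicator."""
    hits: List[str] = []
    for key in subkeys:
        dev = parse_device_id(key)
        haystack = " ".join(v for v in (dev["vendor"], dev["product"]) if v).upper()
        if any(ind in haystack for ind in VM_INDICATORS):
            hits.append(key)
    return hits


def read_scsi_enum() -> List[str]:
    """Open the real key and enumerate its subkeys on Windows; [] elsewhere.

    This is the open -> enumerate sequence the report records for the sample.
    """
    if platform.system() != "Windows":
        return []
    import winreg  # Windows-only module, imported lazily on purpose

    names: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_KEY) as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:  # no more subkeys
                break
            index += 1
    return names


# Constructed sample subkey names (hypothetical): a VirtualBox guest and a
# physical host with a Samsung SSD and an LG optical drive.
SAMPLE_VBOX = ["Disk&Ven_VBOX&Prod_HARDDISK", "CdRom&Ven_VBOX&Prod_CD-ROM"]
SAMPLE_PHYSICAL = ["Disk&Ven_Samsung&Prod_SSD_870_EVO", "CdRom&Ven_HL-DT-ST&Prod_DVDRAM"]

if __name__ == "__main__":
    devices = read_scsi_enum() or SAMPLE_VBOX
    print("SCSI devices:", devices)
    print("VM indicators:", vm_indicators(devices))
```

For detection the useful signal is not the key itself, which legitimate software reads too, but the combination visible in this report: a process launched from a user's Temp directory enumerating `Enum\SCSI` shortly after start, followed by section-mapping activity. Registry-read auditing on that key (or the equivalent EDR telemetry) scoped to processes running from `%LOCALAPPDATA%\Temp` gives a low-noise hunt.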
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1764 842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49.exe
1764 842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49.exe
1204 Process not Found (this row is repeated; 62 of the 64 IoCs)
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process
1764 842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\842f4b4369331da215a52c5af21720d30d799557e41e493892f76078c18a4b49.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1764