Analysis
max time kernel: 151s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2022, 02:20
Static task: static1
Behavioral task: behavioral1
Sample: f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe
Resource: win10v2004-20220812-en
8 signatures, 150 seconds
General
Target: f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe
Size: 222KB
MD5: 1b57ca9b17516f359f374a2476bfa39e
SHA1: 6208127967b7d3fbf45ec8717d73968d77f99bd6
SHA256: f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903
SHA512: 951d2f19ce9cf6b11fe425c47b569b668fb04dae1f3f0ec7d19a5e63475cc86964943ac03a7cd236d49c0eaa5d05b17ab832238fbbeca49d4911296b2811e4f3
SSDEEP: 3072:vDY/L9BL5RSgnIHTB6QDFgccPN4t5auDygf/ln:GL9B/Sr0QDnA4t5aMy6
Score: 10/10
Malware Config
Signatures

Detects Smokeloader packer (4 IoCs)
resource | yara_rule
behavioral1/memory/4580-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/4584-135-0x00000000005B0000-0x00000000005B9000-memory.dmp | family_smokeloader
behavioral1/memory/4580-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/4580-137-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4584 set thread context of 4580 | 4584 | f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe | 77

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4580 | f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe
4580 | f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe
2792 | Process not Found (this row is repeated for all remaining IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2792 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
4580 | f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4584 wrote to memory of 4580 | 4584 | f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe | 77 (this row is repeated for all 6 IoCs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 4584

   2. C:\Users\Admin\AppData\Local\Temp\f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe (child of PID 4584)
      command line: "C:\Users\Admin\AppData\Local\Temp\f873b3eeb2f6601a084fbfe0961fd38560f2bb36a1f59db871acfa2948dd7903.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 4580