Analysis
max time kernel: 150s
max time network: 51s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2022 16:36
Static task: static1
Behavioral task: behavioral1
  Sample: 18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe
  Resource: win10v2004-20221111-en
General
Target: 18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe
Size: 231KB
MD5: 801d35bad81609af210c455e11d2f13d
SHA1: f3e56dde38c5d425d196ab218859a87250c1c0c3
SHA256: 18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518
SHA512: 95b36568c332e5a812d057a288b880b7161459b9b1474282f7cd843d5ff4c709c979fb00f04dc796098722662f1155f6cdf6e7da471e2eb732f05a8c48b96df9
SSDEEP: 3072:Vni+LdxD4qH5W5EWfLv+tU6o+D8wxqUMTOLtJ/33bRS1w7RkxmJZs:V3L3D4qqEQL167jFigJ/7E1GymI
Malware Config
Signatures

Detects Smokeloader packer (1 IoCs)
  resource: behavioral1/memory/1300-56-0x0000000000220000-0x0000000000229000-memory.dmp
  yara_rule: family_smokeloader
  SmokeLoader: modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description      ioc                                               process
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    process
  1300   18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe
  1300   18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe
  1212   (no process name recorded; 62 further entries, all with pid 1212)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid    process
  1212   (no process name recorded)

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid    process
  1300   18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe
Processes
C:\Users\Admin\AppData\Local\Temp\18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18c6d5ec902169904318f43825aff792b44b35fd0df5c042ba391f716b609518.exe"
  PID: 1300
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection