Analysis

Max time kernel: 150s
Max time network: 129s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01/01/2023, 21:07

Static task: static1
Behavioral task: behavioral1
  Sample: ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe
  Resource: win10v2004-20220812-en
  8 signatures, 150 seconds
General

Target: ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe
Size: 239KB
MD5: 629b70f11e7592bce39d8d7cff6bb875
SHA1: b50756b7752644042f0be26f743b6202e52de9a2
SHA256: ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa
SHA512: 442340e6a24b0e4fcbfa07ebdbd66410bf3f633a5b5e6712e59437c840dd76e207f922bd3c3fc429d0d2b1cf0d04f3e2e788c3c77c515ca55c1014fb0ebab18e
SSDEEP: 3072:2X5WpWx9LR38Udxh5tQ+FOSqJbUkhaNnWkblM2nvQGW7iSWt:eX9LRdxBBFFsQNvlV4b7i
Score: 10/10
Malware Config

Signatures

Detects Smokeloader packer (4 IoCs)
  resource | yara_rule
  behavioral1/memory/4768-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/1048-135-0x0000000002190000-0x0000000002199000-memory.dmp | family_smokeloader
  behavioral1/memory/4768-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/4768-137-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  Note: the three hits in PID 4768 sit at the image base (0x400000-0x409000), while the single hit in the parent PID 1048 is at a non-image address (0x2190000), consistent with the parent unpacking the 36 KB payload into a heap/allocated region before it appears in the child's image range.
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1048 set thread context of 4768 | 1048 | ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe | 82
  (procid_target is the report's internal process index for the target, not an OS PID; the OS PID of the target is 4768.)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe
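What the "Key enumerated ...\Enum\SCSI" row means in practice, as an added example that is not part of the sandbox report: each subkey under HKLM\SYSTEM\ControlSet001\Enum\SCSI is named after the device's bus, vendor and product strings (for example Disk&Ven_VMware&Prod_Virtual_disk), so a loader only has to enumerate the key names and look for hypervisor vendors. The code below enumerates the real key when run on Windows and otherwise uses constructed device IDs; the marker list is an assumption of this example, not something the report states the sample checks for.

```python
"""Anti-VM check via SCSI device enumeration, and the parser an analyst can
reuse on exported key names. Added example; the device IDs below are
constructed in the real key-name format, and VM_MARKERS is an assumption."""
import re
import sys

SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Vendor/product substrings that indicate a virtual disk or optical drive.
# Assumed list for this example: VMware, VirtualBox, QEMU/KVM, Xen and the
# generic "Virtual" used by VMware and Hyper-V product strings.
VM_MARKERS = ("VMWARE", "VBOX", "QEMU", "XEN", "VIRTUAL")

# Constructed samples: what a VMware guest and a physical laptop might expose.
SAMPLE_DEVICE_IDS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD1",
]
PHYSICAL_DEVICE_IDS = [
    "Disk&Ven_SAMSUNG&Prod_MZVLB512HBJQ-000",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GU90N",
]

DEVICE_ID_RE = re.compile(r"^([^&]+)&Ven_([^&]*)&Prod_([^&]*)")


def parse_device_id(device_id):
    """Split 'Bus&Ven_X&Prod_Y...' into (bus, vendor, product); None if malformed."""
    m = DEVICE_ID_RE.match(device_id)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def vm_markers(device_ids):
    """Return the sorted list of VM markers found in the device-ID key names."""
    found = set()
    for device_id in device_ids:
        upper = device_id.upper()
        for marker in VM_MARKERS:
            if marker in upper:
                found.add(marker)
    return sorted(found)


def looks_like_vm(device_ids):
    """The decision a loader makes: any marker present -> treat as sandbox/VM."""
    return bool(vm_markers(device_ids))


def read_scsi_device_ids():
    """Enumerate the subkeys of the SCSI enum key on Windows (this is the
    'Key opened / Key enumerated' activity in the report). Off Windows, return
    the constructed VMware sample so the script still runs."""
    if sys.platform != "win32":
        return SAMPLE_DEVICE_IDS
    import winreg  # only available on Windows
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_KEY) as key:
        index = 0
        while True:
            try:
                ids.append(winreg.EnumKey(key, index))
            except OSError:  # raised when there are no more subkeys
                break
            index += 1
    return ids


if __name__ == "__main__":
    ids = read_scsi_device_ids()
    for device_id in ids:
        print(parse_device_id(device_id))
    print("markers:", vm_markers(ids), "-> vm:", looks_like_vm(ids))
```

Reading this key is not malicious on its own (installers and hardware inventory tools do it), so as a detection it is only a weak signal; its value in the report is that it happens in the same process that is later found holding the unpacked payload, which is why the sandbox lists it as a TTP rather than scoring it alone. A sandbox that wants to defeat the check renames the emulated disk vendor strings so that none of these markers appear.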
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4768 | ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe  (2 rows)
  3092 | Process not Found  (62 identical rows)
  Note: PID 3092 does not appear in the process tree below and the sandbox did not resolve it to an image name; the report attributes the bulk of the process enumeration to it, not to the sample's own PIDs.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3092 | Process not Found
Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  4768 | ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1048 wrote to memory of 4768 | 1048 | ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe | 82  (6 identical rows)
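The SetThreadContext and WriteProcessMemory rows above, together with the process tree, are what an analyst correlates into one finding: the parent (PID 1048) writes into and redirects a thread of a second instance of its own image (PID 4768), and that child is where the YARA rule then fires at the image base. The following is an added example (not Triage's logic or the report's own output) that parses rows in the report's wording and applies that correlation; the input rows are constructed to mirror the report (same PIDs and path), and the technique labels are this example's own wording.

```python
"""Correlate per-API behaviour rows into an injection finding.
Added example. The rows and process tree are constructed to mirror the report;
the labels ("hollowing-style" etc.) are this example's own, not Triage's."""
import re
from collections import defaultdict

IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
         r"\ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe")

# Process tree as in the report: pid -> (parent pid, image path)
PROCESSES = {
    1048: (None, IMAGE),
    4768: (1048, IMAGE),
}

# Behaviour rows in the report's wording (constructed; the report repeats the
# WriteProcessMemory row six times, which changes nothing below).
ROWS = [
    "PID 1048 wrote to memory of 4768",
    "PID 1048 wrote to memory of 4768",
    "PID 1048 set thread context of 4768",
]

ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")
API_BY_PHRASE = {
    "wrote to memory of": "WriteProcessMemory",
    "set thread context of": "SetThreadContext",
}

# Both APIs against the same foreign PID are required before we call it injection;
# WriteProcessMemory alone is also what debuggers and crash reporters do.
REQUIRED_APIS = {"WriteProcessMemory", "SetThreadContext"}


def parse_row(row):
    """'PID 1048 wrote to memory of 4768' -> ('WriteProcessMemory', 1048, 4768)."""
    m = ROW_RE.search(row)
    if not m:
        return None
    return API_BY_PHRASE[m.group(2)], int(m.group(1)), int(m.group(3))


def injection_findings(rows, processes):
    """Group cross-process API use by (source, target) and emit one finding per
    pair that shows both a memory write and a thread-context change."""
    apis_by_pair = defaultdict(set)
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        api, src, dst = parsed
        if src != dst:  # writes to the process's own memory are not injection
            apis_by_pair[(src, dst)].add(api)

    findings = []
    for (src, dst), seen in sorted(apis_by_pair.items()):
        if not REQUIRED_APIS <= seen:
            continue
        _, src_image = processes.get(src, (None, None))
        dst_parent, dst_image = processes.get(dst, (None, None))
        is_child = dst_parent == src
        same_image = src_image is not None and src_image == dst_image
        if is_child and same_image:
            label = "self-injection into a fresh copy of its own image (hollowing-style)"
        elif is_child:
            label = "injection into a spawned child process"
        else:
            label = "injection into an existing process"
        findings.append({
            "source": src, "target": dst, "apis": sorted(seen),
            "is_child": is_child, "same_image": same_image, "label": label,
        })
    return findings


if __name__ == "__main__":
    for finding in injection_findings(ROWS, PROCESSES):
        print(finding)
```

Run against the report's rows this yields a single finding, 1048 -> 4768, flagged as a child running the same image, which is the pattern to confirm with the memory dumps: the `family_smokeloader` hits in PID 4768 at 0x400000-0x409000 are the injected payload, and the hit at 0x2190000 in PID 1048 is the staging copy. A lone WriteProcessMemory row (no SetThreadContext) produces no finding, which keeps debuggers and crash handlers out of the result.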
Processes

C:\Users\Admin\AppData\Local\Temp\ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe"
  PID: 1048
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe  (child of PID 1048)
    command line: "C:\Users\Admin\AppData\Local\Temp\ebf6ab4cef65dd63665dc39d5aac7963d70cf1b5980df94e2b5632074ecf93aa.exe"
    PID: 4768
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection