Analysis
max time kernel: 150s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 02-01-2023 19:52
Static task: static1
Behavioral task: behavioral1
  Sample: f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b.exe
  Resource: win10v2004-20221111-en
General
Target: f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b.exe
Size: 211KB
MD5: 442a961c402c10cfcb06345f3173ed09
SHA1: a91888e4f4e121a47ba6bd1565dc5d89d7ae6ddd
SHA256: f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b
SHA512: 3ad169a651bcb9a783ae8a163c4b84d0a7dec7151044e2b58aa56d30fce5d0092876144eb9d95c2cc717af831f3421ca1913f49dee33bb825983b6ce914e5b86
SSDEEP: 3072:jWXZtvO4LNyNGrIU56U9g75KIIff6m8tg7F2C97kEEg67csRDIdQPjW6:6rhLtsvU9FRXKqhXYEG7xRfP/
Malware Config

Signatures

Detects Smokeloader packer (1 IoC)
resource | yara_rule
behavioral1/memory/1160-56-0x0000000000220000-0x0000000000229000-memory.dmp | family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1160 | f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b.exe (2 entries)
1276 | Process not Found (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1276 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
1160 | f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b.exe
Processes

C:\Users\Admin\AppData\Local\Temp\f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1976eb1a439881ee68eb43382cb2ca272c18d89b630f204b46690e4470a2c2b.exe"
  PID: 1160
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection