Analysis
-
max time kernel
150s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
03-01-2023 01:17
Static task
static1
Behavioral task
behavioral1
Sample
6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe
Resource
win7-20220901-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe
-
Size
215KB
-
MD5
8f167e41b86d0b7e424fc734d9a33d68
-
SHA1
fb44ccf8819673390e453cd0f91aaf1f800395b2
-
SHA256
6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95
-
SHA512
eeaba95454f593c552428ef8ef5b4eb5d77508d2d457e71c9a94b8b5e631bd712b3a31921c87676a699bab173a7051c6ff75f5db6ffe8138e2f4a24c5123278f
-
SSDEEP
3072:nXMDIJI0L4PkPTf54ko9ebfyPrihwKtC88CbC5GxIds/HnpW6:X7JbL5Tmiy+hbtC8hEs/HB
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 5 IoCs
resource yara_rule behavioral1/memory/1252-55-0x0000000000402DD8-mapping.dmp family_smokeloader behavioral1/memory/1252-54-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader behavioral1/memory/852-58-0x0000000000230000-0x0000000000239000-memory.dmp family_smokeloader behavioral1/memory/1252-59-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader behavioral1/memory/1252-60-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 852 set thread context of 1252 852 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe 27 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1252 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe 1252 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1212 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1252 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 852 wrote to memory of 1252 852 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe 27 PID 852 wrote to memory of 1252 852 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe 27 PID 852 wrote to memory of 1252 852 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe 27 PID 852 wrote to memory of 1252 852 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe 27 PID 852 wrote to memory of 1252 852 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe 27 PID 852 wrote to memory of 1252 852 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe 27 PID 852 wrote to memory of 1252 852 6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe"C:\Users\Admin\AppData\Local\Temp\6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Users\Admin\AppData\Local\Temp\6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe"C:\Users\Admin\AppData\Local\Temp\6e43498b0c00513823bc30f866a0a55c2d187b1b2ef83cfbe8bc2065c9d95a95.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1252
-