Analysis
max time kernel: 150s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-01-2023 05:28
Static task: static1
Behavioral task: behavioral1
  Sample: 790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960.exe
  Resource: win10v2004-20221111-en
General
Target: 790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960.exe
Size: 285KB
MD5: 7a5143792783061157dcb2a4b0a9931a
SHA1: 5cb654586b977c4c4d52bc1a1326bd50a3417a5b
SHA256: 790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960
SHA512: 2c09ef63c941ee86c209c43858a78251dbffd73711b7a6ca051aaa26997a0269f43dc3e7ee87f4cee5e3f55b2ffbf70932f95edfa0ff5d156dad16904f966141
SSDEEP: 3072:JMqMJ0kQg6p56Y85uRIjvNXTRJiCq7S8nq:SqSL6mY8QSjRTOCqa
Malware Config
Signatures

Detects Smokeloader packer (1 IoC)
  resource                                                                   yara_rule
  behavioral1/memory/1516-56-0x00000000001B0000-0x00000000001B9000-memory.dmp  family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                              Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1516  790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960.exe
  1516  790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960.exe
  1260  Process not Found
  (all remaining entries of the 64 are identical: pid 1260, Process not Found)

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1516  790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960.exe
Processes

C:\Users\Admin\AppData\Local\Temp\790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\790ed43e41cdce94bde4a267a45668a85ab4b7bc0679b76c3dca5231dbe81960.exe"
  PID: 1516
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection