Analysis

  • max time kernel
    150s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    07/01/2023, 11:26

General

  • Target

    cfd57a3bbe2a49525cc1ff6183cc2085.exe

  • Size

    319KB

  • MD5

    cfd57a3bbe2a49525cc1ff6183cc2085

  • SHA1

    a2310517555e207a3c016364df67215dc69f7c33

  • SHA256

    56e7b574029fa5272d7cdc325ffc8b93878efe5a008a021400fde5e97fd3fa76

  • SHA512

    478a0bd7f0396c7a4047c00e85cde264ad0de1a5f8b9f6c0acc3c413819057840980205b609dc3ce2eba8232012e4156450c62be67cf7c801f5c0d1a600d5fe8

  • SSDEEP

    3072:XbX9HILjd1r/Brz5Z2JlN/x5V7Jcvs9P2H+kNRlMK7xtvUOItnj/L5/1i6zSbFL:DeLjz9ChJcE9P2RPlMS/spj9Ni6Wb

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
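
The "Checks SCSI registry key(s)" signature refers to a common anti-sandbox probe: the sample reads the disk Identifier string under HKLM\HARDWARE\DEVICEMAP\Scsi and bails out if it names a hypervisor. The following is an added example, not code from the Triage report or from the sample: it shows the check from the sample's side and a detection that finds the probe in registry-access log lines. The key path is the documented location of the Identifier value; the vendor marker list, the log line format, the event helper and the sample log lines are constructed for illustration (the PID and image path mirror the process tree below).

```python
"""Added example: the SCSI DEVICEMAP anti-VM probe, and a detection for it."""
import re

# Documented location of the disk Identifier value a sample reads.
SCSI_IDENTIFIER_KEY = (
    r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0"
    r"\Target Id 0\Logical Unit Id 0"
)
SCSI_PREFIX = r"HKLM\HARDWARE\DEVICEMAP\Scsi".upper()

# Substrings that name a hypervisor in the Identifier value (assumed list;
# "VIRTUAL" also catches Hyper-V's "Msft Virtual Disk").
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")


def identifier_looks_virtual(identifier: str) -> bool:
    """Sample-side check: True if the Identifier string names a hypervisor."""
    upper = identifier.upper()
    return any(marker in upper for marker in VM_MARKERS)


# Detection side. Constructed log format: one registry event per line.
LOG_RE = re.compile(
    r"pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+op=(?P<op>\w+)\s+key=(?P<key>.+)$"
)


def scsi_probes(log_lines):
    """Return {pid: number of distinct keys touched under the SCSI DEVICEMAP
    tree} for every process that opened or queried a key there."""
    touched = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["op"] not in ("OpenKey", "QueryValue"):
            continue
        if not m["key"].upper().startswith(SCSI_PREFIX):
            continue
        touched.setdefault(int(m["pid"]), set()).add(m["key"])
    return {pid: len(keys) for pid, keys in touched.items()}


def event(pid, image, op, key):
    """Build one constructed log line in the format LOG_RE parses."""
    return f"pid={pid} image={image} op={op} key={key}"


SAMPLE_IMG = r"C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
PRODUCT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"

# Constructed sample log: three SCSI accesses by the sample, plus benign noise.
SAMPLE_LOG = [
    event(1160, SAMPLE_IMG, "OpenKey", r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0"),
    event(1160, SAMPLE_IMG, "OpenKey", SCSI_IDENTIFIER_KEY),
    event(1160, SAMPLE_IMG, "QueryValue", SCSI_IDENTIFIER_KEY + r"\Identifier"),
    event(532, SVCHOST, "QueryValue", PRODUCT_KEY),
    event(1160, SAMPLE_IMG, "QueryValue", PRODUCT_KEY),
]

if __name__ == "__main__":
    print(identifier_looks_virtual("VBOX HARDDISK"))    # VirtualBox guest
    print(identifier_looks_virtual("SAMSUNG SSD 870 EVO"))  # physical disk
    print(scsi_probes(SAMPLE_LOG))
```

Reading this key is not malicious on its own (hardware inventory tools do it), so the detection counts distinct SCSI keys per process and leaves the threshold to the analyst; the three hits for PID 1160 line up with the "3 IoCs" the signature reports. On the sandbox side, the counter-measure is to rewrite the Identifier value so it does not contain any of these markers.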

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe
    "C:\Users\Admin\AppData\Local\Temp\cfd57a3bbe2a49525cc1ff6183cc2085.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1160

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1160-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

    Filesize

    8KB

  • memory/1160-55-0x000000000028B000-0x00000000002A1000-memory.dmp

    Filesize

    88KB

  • memory/1160-56-0x00000000001B0000-0x00000000001B9000-memory.dmp

    Filesize

    36KB

  • memory/1160-57-0x0000000000400000-0x0000000003013000-memory.dmp

    Filesize

    44.1MB

  • memory/1160-58-0x0000000000400000-0x0000000003013000-memory.dmp

    Filesize

    44.1MB
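
The dump names above encode the PID, a sequence number and the virtual address range of each region. The following is an added example, not part of the Triage report: it parses those names, recomputes each region's size from its range, and flags regions that cannot be backed by the 319KB file on disk. The usual reading of such a region at the image base (0x400000 here) is that the packer reserved virtual space for the payload it unpacks at run time, which makes it the first dump to open; that interpretation, the size formatting (chosen to reproduce the numbers printed in this report) and the helper names are assumptions of this example.

```python
"""Added example: parse Triage memory-dump names and find unpack candidates."""
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

SAMPLE_SIZE_ON_DISK = 319 * 1024  # 319KB, from the General section


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into fields."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """KB below 1 MiB, else MB with one decimal (reproduces the report's sizes)."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def unpack_candidates(names, file_size=SAMPLE_SIZE_ON_DISK):
    """Return distinct regions larger than the file on disk, oldest first.
    Duplicate ranges (the same region dumped twice) are reported once."""
    seen = set()
    out = []
    for name in names:
        d = parse_dump_name(name)
        key = (d["start"], d["end"])
        if d["size"] > file_size and key not in seen:
            seen.add(key)
            out.append(f"0x{d['start']:08X}-0x{d['end']:08X} "
                       f"({human_size(d['size'])})")
    return out


REPORT_DUMPS = [  # the five names listed under Downloads
    "memory/1160-54-0x0000000075A91000-0x0000000075A93000-memory.dmp",
    "memory/1160-55-0x000000000028B000-0x00000000002A1000-memory.dmp",
    "memory/1160-56-0x00000000001B0000-0x00000000001B9000-memory.dmp",
    "memory/1160-57-0x0000000000400000-0x0000000003013000-memory.dmp",
    "memory/1160-58-0x0000000000400000-0x0000000003013000-memory.dmp",
]

if __name__ == "__main__":
    for n in REPORT_DUMPS:
        print(f"{n}: {human_size(parse_dump_name(n)['size'])}")
    print(unpack_candidates(REPORT_DUMPS))
```

Dumps 57 and 58 cover the same 0x400000 region taken at two points in the run; diffing them shows what the packer wrote between the two snapshots, which is a quicker route to the decoded SmokeLoader stage than carving the whole 44MB region.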