Analysis
max time kernel: 150s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2023, 11:26
Static task: static1
Behavioral task: behavioral1
  Sample: cfd57a3bbe2a49525cc1ff6183cc2085.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: cfd57a3bbe2a49525cc1ff6183cc2085.exe
  Resource: win10v2004-20221111-en
General
Target: cfd57a3bbe2a49525cc1ff6183cc2085.exe
Size: 319KB
MD5: cfd57a3bbe2a49525cc1ff6183cc2085
SHA1: a2310517555e207a3c016364df67215dc69f7c33
SHA256: 56e7b574029fa5272d7cdc325ffc8b93878efe5a008a021400fde5e97fd3fa76
SHA512: 478a0bd7f0396c7a4047c00e85cde264ad0de1a5f8b9f6c0acc3c413819057840980205b609dc3ce2eba8232012e4156450c62be67cf7c801f5c0d1a600d5fe8
SSDEEP: 3072:XbX9HILjd1r/Brz5Z2JlN/x5V7Jcvs9P2H+kNRlMK7xtvUOItnj/L5/1i6zSbFL:DeLjz9ChJcE9P2RPlMS/spj9Ni6Wb
Malware Config
Signatures
Detects Smokeloader packer (1 IoC)
  resource                                                               yara_rule
  behavioral1/memory/1160-56-0x00000000001B0000-0x00000000001B9000-memory.dmp  family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                                Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   cfd57a3bbe2a49525cc1ff6183cc2085.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   cfd57a3bbe2a49525cc1ff6183cc2085.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   cfd57a3bbe2a49525cc1ff6183cc2085.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1160  cfd57a3bbe2a49525cc1ff6183cc2085.exe
  1160  cfd57a3bbe2a49525cc1ff6183cc2085.exe
  1352  Process not Found
  (the remaining 62 IoC rows are identical: pid 1352, Process not Found)
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1160  cfd57a3bbe2a49525cc1ff6183cc2085.exe