Analysis
max time kernel: 150s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 09/01/2023, 14:28
Static task: static1
Behavioral task: behavioral1
  Sample: c1d43aa7d4455f59a66ff383f5736931.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: c1d43aa7d4455f59a66ff383f5736931.exe
  Resource: win10v2004-20220812-en
General
Target: c1d43aa7d4455f59a66ff383f5736931.exe
Size: 260KB
MD5: c1d43aa7d4455f59a66ff383f5736931
SHA1: a654ea0183d33c617cc58123a66b345a6b6bf62a
SHA256: bacad2e9d7ac1b82e9325db4258250f96ba279177b7ad010dd8e0bed81abc094
SHA512: c6a1bb8af7319b5874024d6341819a02df3dcf4e936d8632e3f01c2f3cd63ab89ca4ed71a5b2e0ca5e8cc98c7784e15080235a93e8203522d666422b229123d1
SSDEEP: 6144:CHP/t3LrolN5n6JvaQDTPQkpamgEidcqgd3:CHP/t3IlN56J9RavEiG
Malware Config
Signatures

Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/1808-56-0x0000000000220000-0x0000000000229000-memory.dmp
  yara_rule: family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     | ioc                                                  | Process
  Key opened      | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     | c1d43aa7d4455f59a66ff383f5736931.exe
  Key queried     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     | c1d43aa7d4455f59a66ff383f5736931.exe
  Key enumerated  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     | c1d43aa7d4455f59a66ff383f5736931.exe
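The check flagged above works because each subkey under Enum\SCSI encodes the device class, vendor and product of an attached drive (for example a VirtualBox disk shows a Ven_VBOX vendor string), so a sample that enumerates the key can spot a hypervisor without calling any obviously suspicious API. The script below is an added example, not code from this report or from the sandbox: it parses Enum\SCSI subkey names for hypervisor vendor strings and, separately, scans registry event rows in the description/ioc/Process shape used above to find processes that open, query and enumerate that key. The subkey names, the event rows, the process names and the VM_TOKENS list are all constructed assumptions, not data from this analysis.

```python
"""
Anti-sandbox SCSI enumeration: what the sample sees, and how to spot
the probe in sandbox registry events.

Added example. Subkey names, event rows and token list are constructed;
none of them come from the report above.
"""
import re
from collections import defaultdict

SCSI_ENUM_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"

# Vendor/product fragments that typically appear in Enum\SCSI on a
# hypervisor (assumed list; adjust it to the lab's own hardware).
VM_TOKENS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

# Enum\SCSI subkeys look like  Disk&Ven_VBOX&Prod_HARDDISK[&Rev_1.0]
_SUBKEY_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)", re.IGNORECASE
)


def parse_scsi_subkey(name):
    """Split a subkey name into (class, vendor, product); None if not that shape."""
    m = _SUBKEY_RE.match(name)
    if m is None:
        return None
    return m.group("cls"), m.group("ven"), m.group("prod")


def vm_indicators(subkeys):
    """Return the subkeys whose vendor or product string names a hypervisor.

    This is the decision a sample makes after enumerating Enum\\SCSI."""
    hits = []
    for name in subkeys:
        parsed = parse_scsi_subkey(name)
        if parsed is None:
            continue
        _, vendor, product = parsed
        haystack = f"{vendor} {product}".upper()
        if any(token in haystack for token in VM_TOKENS):
            hits.append(name)
    return hits


def scsi_probe_processes(events):
    """Processes that opened, queried AND enumerated Enum\\SCSI.

    `events` are (description, ioc, process) rows such as "Key opened",
    "\\REGISTRY\\MACHINE\\...\\Enum\\SCSI", "sample.exe".  A single open
    is normal for drivers and tooling; the full open/query/enumerate
    triad from one user process is the pattern worth alerting on."""
    ops_by_process = defaultdict(set)
    for description, ioc, process in events:
        if ioc.upper().startswith(SCSI_ENUM_KEY.upper()):
            # "Key opened" -> "opened", "Key queried" -> "queried", ...
            ops_by_process[process].add(description.split()[1].lower())
    wanted = {"opened", "queried", "enumerated"}
    return sorted(p for p, ops in ops_by_process.items() if wanted <= ops)


# Constructed sample data (not from the report): what a VirtualBox guest
# with one extra physical-looking disk would expose under Enum\SCSI.
SAMPLE_SUBKEYS = [
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "CdRom&Ven_VBOX&Prod_CD-ROM",
    "Disk&Ven_WDC&Prod_WD10EZEX-00BN5A0",
]

# Constructed registry event rows in the report's description/ioc/Process shape.
SAMPLE_EVENTS = [
    ("Key opened", SCSI_ENUM_KEY, "sample.exe"),
    ("Key queried", SCSI_ENUM_KEY, "sample.exe"),
    ("Key enumerated", SCSI_ENUM_KEY, "sample.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "sample.exe"),
    ("Key opened", SCSI_ENUM_KEY, "svchost.exe"),
]

if __name__ == "__main__":
    print("hypervisor indicators:", vm_indicators(SAMPLE_SUBKEYS))
    print("processes probing Enum\\SCSI:", scsi_probe_processes(SAMPLE_EVENTS))
```

Matching is done on the parsed vendor and product fields rather than on the raw key name so that an unrelated substring elsewhere in the path cannot trigger a hit; a lab that wants to defeat this check has to change the strings the hypervisor reports, not just the registry key names.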
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   | Process
  1808  | c1d43aa7d4455f59a66ff383f5736931.exe
  1808  | c1d43aa7d4455f59a66ff383f5736931.exe
  1400  | Process not Found (the remaining 62 entries; the sandbox could not resolve pid 1400 to an image name)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   | Process
  1400  | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   | Process
  1808  | c1d43aa7d4455f59a66ff383f5736931.exe