Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-01-2023 23:53

Static task: static1
Behavioral task: behavioral1
- Sample: 5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe
- Resource: win10v2004-20221111-en
General
- Target: 5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe
- Size: 320KB
- MD5: 1fc683ab9d85f755cf8319a78e2138b5
- SHA1: b32817f05254698bc978ef609c8de99239fc7d77
- SHA256: 5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0
- SHA512: dee42eee554e582c1217c8d065e140cb12343c273e2919dd495219f2af49ba6bc8cd6c9f5596cdb28e828e988de2bb58de3080d6d34fea8659f6080e7b247364
- SSDEEP: 3072:hXO5AIMPhIlVz35ZdzyVGIjAPQvooqzM6Ga9m35wGCs0KeplCkF8M/WhJshMD5Uc:F0KwzJWRjAmrB6Gam5kO6WD5U82g
Malware Config
Signatures
-
Detects Smokeloader packer (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2220-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/3488-135-0x00000000005F0000-0x00000000005F9000-memory.dmp | family_smokeloader
  behavioral1/memory/2220-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/2220-137-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  Three of the four hits are the same 0x9000-byte region (0x400000-0x409000) of the child process 2220 taken in three separate dumps; the fourth is a region of the same size at 0x5F0000 in the parent 3488. All hits are on memory dumps, not on the 320KB file on disk, so the on-disk sample is a packed outer layer and the matched SmokeLoader code only exists after unpacking.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3488 set thread context of 2220 | 3488 | 5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe | 83
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the subkey names under Enum\SCSI carry the disk vendor and product strings, which on a virtual machine typically name the hypervisor rather than a physical drive.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe
  The process tree below attributes this check to the child PID 2220, i.e. to the unpacked stage rather than to the outer packer.
-
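The check behind this signature, reconstructed as an added example (this is not code from the report or from the sample): a sample that opens and enumerates Enum\SCSI gets back subkey names of the form `Disk&Ven_<vendor>&Prod_<product>`, and the anti-sandbox decision is a substring match on those names. The device IDs below are constructed to mimic what a VirtualBox guest and a physical host would list; they are not taken from this report, and the marker list is this example's own choice.

```python
# Added example (not part of the sandbox report or of the SmokeLoader sample):
# the anti-sandbox decision a sample can make from the subkey names it reads
# under HKLM\SYSTEM\ControlSet001\Enum\SCSI, written so it runs offline against
# captured key names. Sample device IDs are constructed, not from this report.
import re

# Vendor/product substrings that commonly appear in Enum\SCSI subkey names on
# virtual machines (VirtualBox, VMware, QEMU/KVM, Hyper-V, Xen). The list is an
# assumption of this example; real samples carry their own lists.
VM_MARKERS = ("VBOX", "VMWARE", "VIRTUAL", "QEMU", "XEN")

# Enum\SCSI subkeys are named <type>&Ven_<vendor>&Prod_<product>.
DEVICE_ID_RE = re.compile(
    r"^(?P<type>[^&\\]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&\\]*)", re.I
)


def parse_device_id(device_id):
    """Return (type, vendor, product) from an Enum\\SCSI subkey name, or None."""
    m = DEVICE_ID_RE.match(device_id)
    if not m:
        return None
    return m.group("type"), m.group("ven"), m.group("prod")


def vm_indicators(device_ids):
    """Return the device IDs whose vendor or product field names a hypervisor."""
    hits = []
    for dev in device_ids:
        parsed = parse_device_id(dev)
        if parsed is None:
            continue
        _, ven, prod = parsed
        haystack = f"{ven} {prod}".upper()
        if any(marker in haystack for marker in VM_MARKERS):
            hits.append(dev)
    return hits


def looks_like_sandbox(device_ids):
    """The decision a sample would act on: any hypervisor marker means 'analysed'."""
    return bool(vm_indicators(device_ids))


# Constructed sample input: plausible Enum\SCSI subkeys in a VirtualBox guest
# versus on a physical host.
SAMPLE_VBOX = [
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "CdRom&Ven_VBOX&Prod_CD-ROM",
]
SAMPLE_PHYSICAL = [
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]

if __name__ == "__main__":
    for name, ids in (("vbox", SAMPLE_VBOX), ("physical", SAMPLE_PHYSICAL)):
        verdict = "sandbox" if looks_like_sandbox(ids) else "bare metal"
        print(f"{name}: {verdict} {vm_indicators(ids)}")
```

The report shows the key opened, enumerated and queried in that order, which is exactly the access pattern this check needs. Sandboxes that want to survive it rename the vendor strings the guest exposes; when triaging a sample that exits early with no network activity, this key is one of the first places to look.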
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2220 | 5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe (2 entries)
  2540 | Process not Found (62 identical entries)
  PID 2540 was never resolved to an image by the sandbox and does not appear in the process tree below, so the report does not say which process is doing most of this enumeration; treat it as an unidentified process rather than as a child of the sample.
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2540 | Process not Found
-
Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  2220 | 5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3488 wrote to memory of 2220 | 3488 | 5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe | 83 (6 identical entries)
  Taken together with the SetThreadContext entry above and the process tree below, this is the process-hollowing pattern: the parent 3488 launches a second copy of its own image as 2220, writes into it six times, then redirects a thread in it. Because both processes run the same binary from the same path, image-name or path based rules cannot tell injector from injectee; the detection has to key on the cross-process API sequence.
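A detector for that chain, as an added example that is not part of the report or of the sample: it takes per-process API events in the shape of the SetThreadContext, WriteProcessMemory and MapViewOfSection rows above, plus the parent relationships from the process tree, and flags a parent that wrote into a child it spawned and then set that child's thread context. The `EVENTS` list is transcribed from the rows on this page (PIDs 3488 and 2220); the tuple layout and function names are this example's own assumptions, not the sandbox's export format.

```python
# Added example (not part of the sandbox report or of the SmokeLoader sample):
# turn per-process API rows into a process-hollowing verdict. EVENTS mirrors the
# SetThreadContext / WriteProcessMemory / MapViewOfSection rows of the report;
# the (api, source_pid, target_pid) layout is an assumption of this example.
from collections import defaultdict

SAMPLE = "5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe"

# (api, source_pid, target_pid); target_pid is None for in-process behaviour.
EVENTS = [
    ("SetThreadContext", 3488, 2220),
] + [("WriteProcessMemory", 3488, 2220)] * 6 + [
    ("MapViewOfSection", 2220, None),
]

# Parent relationships and image names as shown in the report's process tree.
PARENT_OF = {3488: None, 2220: 3488}
IMAGE_OF = {3488: SAMPLE, 2220: SAMPLE}

# A process that writes into another and then points one of its threads at the
# written code has replaced what that process will execute.
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def cross_process_calls(events):
    """Group cross-process API names by (source_pid, target_pid)."""
    by_pair = defaultdict(list)
    for api, src, dst in events:
        if dst is not None and dst != src:
            by_pair[(src, dst)].append(api)
    return by_pair


def hollowing_findings(events, parent_of, image_of):
    """One finding per (parent, child) pair where the parent spawned the child,
    wrote into it and redirected a thread in it. same_image marks the
    self-injection variant in this report: both PIDs run the same binary, so an
    image-name allowlist would not separate injector from injectee."""
    findings = []
    for (src, dst), apis in cross_process_calls(events).items():
        if HOLLOWING_APIS <= set(apis) and parent_of.get(dst) == src:
            findings.append({
                "parent": src,
                "child": dst,
                "same_image": image_of.get(src) == image_of.get(dst),
                "writes": apis.count("WriteProcessMemory"),
                "thread_context_sets": apis.count("SetThreadContext"),
            })
    return findings


def payload_pids(events, findings):
    """PIDs flagged as hollowed that also show in-process MapViewOfSection.
    Restricting to already-flagged children makes this corroboration for the
    finding rather than a separate, noisier alert; in this report it is the
    PID whose 0x400000-0x409000 region the YARA rule matched."""
    children = {f["child"] for f in findings}
    return sorted(pid for api, pid, dst in events
                  if api == "MapViewOfSection" and dst is None and pid in children)


if __name__ == "__main__":
    found = hollowing_findings(EVENTS, PARENT_OF, IMAGE_OF)
    for f in found:
        print(f"hollowing: {f['parent']} -> {f['child']} same_image={f['same_image']} "
              f"writes={f['writes']} set_thread_context={f['thread_context_sets']}")
    print("payload runs in PID(s):", payload_pids(EVENTS, found))
```

The same logic ports directly to endpoint telemetry that records cross-process writes and thread-context changes with source and target PIDs; the parent-of check is what keeps it from firing on debuggers and crash handlers that legitimately write into processes they did not create.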
Processes
- C:\Users\Admin\AppData\Local\Temp\5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe"
  PID: 3488 (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5c18fb58744f6d16e34cd85bfa2761f3901b755d2d1f0081062da45223e9cbf0.exe"
    PID: 2220 (depth 2, child of 3488)
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection