Analysis
  max time kernel:   150s
  max time network:  150s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         11-01-2023 13:17

Static task:      static1
Behavioral task:  behavioral1
  Sample:    72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe
  Resource:  win10v2004-20220812-en (windows10-2004-x64)
  8 signatures, 150 seconds
General
  Target:  72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe
  Size:    326KB
  MD5:     c56bb49bed8f8ff542d61e39cee3ebe9
  SHA1:    e982acdddd9afb66ea5fafd1b1627d1db4e01570
  SHA256:  72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799
  SHA512:  63029f1d74fcc1ce3ed353b224d9298ca8a62ca9e31d3a11da8a8f551a8740dd9228214baa56391884ed9f79509dc98b0baba0db1383e1d66976b9fce1913f98
  SSDEEP:  6144:hgbI1jL6eXJVXnf/XtTm08P3Zi52AyX7LoCVxFz:hgKL6eXJxnXC3ZigV
  Score:   10/10
Malware Config
Signatures
Detects Smokeloader packer (4 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/4716-133-0x00000000006F0000-0x00000000006F9000-memory.dmp  family_smokeloader
  behavioral1/memory/4584-135-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
  behavioral1/memory/4584-137-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
  behavioral1/memory/4584-138-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                                                   procid_target
  PID 4716 set thread context of 4584  4716  72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe  80
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process                                                                   occurrences
  4584  72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe  2
  2576  Process not Found                                                         62
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2576  Process not Found
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  4584  72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                   procid_target  occurrences
  PID 4716 wrote to memory of 4584  4716  72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe  80             6
Processes
  1. C:\Users\Admin\AppData\Local\Temp\72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe"
     PID: 4716
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Local\Temp\72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe  (child of PID 4716)
        Command line: "C:\Users\Admin\AppData\Local\Temp\72eb25f8998ddba7d41f205af621b08bc7db01b765dcc80e6a62ab0b1e4cc799.exe"
        PID: 4584
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection