Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-01-2023 02:14
Static task: static1
Behavioral task: behavioral1
- Sample: 63b37cccb99dc5ce3a0a4f0ca8ee4eb1d004d8278482008e911cdabc99d28d75.exe
- Resource: win10v2004-20220812-en (windows10-2004-x64)
- 6 signatures
- 150 seconds
General
- Target: 63b37cccb99dc5ce3a0a4f0ca8ee4eb1d004d8278482008e911cdabc99d28d75.exe
- Size: 211KB
- MD5: 4401d0b17863b86c313e1aa613697426
- SHA1: ef6f039996d648d2d8b3e5cde715d7791b2733b4
- SHA256: 63b37cccb99dc5ce3a0a4f0ca8ee4eb1d004d8278482008e911cdabc99d28d75
- SHA512: 52e6ee2e8a3de044b17783087f7680686260a8fe999d96ed768e63b434dc76e1f6ef02324c77799bcd4e31dbe215c837bf12021be282563a609a1be777955960
- SSDEEP: 3072:8MXm2M8LhS2d5azWNlQDBQ5sTLEN8uRmcHLi:8I3lSVWNeDX
- Score: 10/10
Malware Config
(no configuration extracted)

Signatures

- Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/4196-134-0x00000000048D0000-0x00000000048D9000-memory.dmp
  yara_rule: family_smokeloader

- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description / ioc / process:
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (63b37cccb99dc5ce3a0a4f0ca8ee4eb1d004d8278482008e911cdabc99d28d75.exe)
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (63b37cccb99dc5ce3a0a4f0ca8ee4eb1d004d8278482008e911cdabc99d28d75.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (63b37cccb99dc5ce3a0a4f0ca8ee4eb1d004d8278482008e911cdabc99d28d75.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process:
  - 4196 63b37cccb99dc5ce3a0a4f0ca8ee4eb1d004d8278482008e911cdabc99d28d75.exe (2 entries)
  - 3080 Process not Found (the remaining 62 entries, all identical)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process:
  - 3080 Process not Found

- Suspicious behavior: MapViewOfSection (1 IoC)
  pid / process:
  - 4196 63b37cccb99dc5ce3a0a4f0ca8ee4eb1d004d8278482008e911cdabc99d28d75.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\63b37cccb99dc5ce3a0a4f0ca8ee4eb1d004d8278482008e911cdabc99d28d75.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\63b37cccb99dc5ce3a0a4f0ca8ee4eb1d004d8278482008e911cdabc99d28d75.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 4196