Analysis
- max time kernel: 150s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2023 06:51

Static task: static1

Behavioral task: behavioral1
- Sample: a522c99b34d385b2cb8acea48c7f811f.exe
- Resource: win7-20220812-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: a522c99b34d385b2cb8acea48c7f811f.exe
- Size: 334KB
- MD5: a522c99b34d385b2cb8acea48c7f811f
- SHA1: b07f4b2e72a7bf20f80d5b0e3919ea6cd2f5bd61
- SHA256: 41d1677b3cd13f23fcab0fe8c1d65c2d246553840ac4ddfe0371c95253c927be
- SHA512: cc2e917ab2a433cbfcf367b52116b838739a4881dfe160f5f5fd089385b65e228bc309cb2c142acf090739bbbd49d4054edce21f34878f49139dfc367fcf9994
- SSDEEP: 6144:faL5fOS0ddXqRC2/pdRtQK/fu1d0+Q+qpmTb:SBOSasPxtQKXu1hQ+w
- Score: 10/10
Malware Config
Signatures
- Detects Smokeloader packer (1 IoC)
  Processes:
    resource: behavioral1/memory/1844-56-0x00000000003B0000-0x00000000003B9000-memory.dmp
    yara_rule: family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: a522c99b34d385b2cb8acea48c7f811f.exe
    description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | process: a522c99b34d385b2cb8acea48c7f811f.exe
    description: Key queried | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | process: a522c99b34d385b2cb8acea48c7f811f.exe
    description: Key enumerated | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | process: a522c99b34d385b2cb8acea48c7f811f.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: a522c99b34d385b2cb8acea48c7f811f.exe
    pid 1844 | process: a522c99b34d385b2cb8acea48c7f811f.exe (listed 2 times)
    pid 1360 | process: not recorded in the report (listed 62 times)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: a522c99b34d385b2cb8acea48c7f811f.exe
    pid 1844 | process: a522c99b34d385b2cb8acea48c7f811f.exe
Processes
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1844-54-0x0000000075B41000-0x0000000075B43000-memory.dmp (Filesize: 8KB)
- memory/1844-55-0x00000000008DB000-0x00000000008F1000-memory.dmp (Filesize: 88KB)
- memory/1844-56-0x00000000003B0000-0x00000000003B9000-memory.dmp (Filesize: 36KB)
- memory/1844-57-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
- memory/1844-58-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)