Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 25-01-2023 10:34
Static task: static1
Behavioral task: behavioral1
Sample: 348f6734e53f25e6b3f4e66dec24c4e971d7c038192f563cab41d6303a2fcac4.exe
Resource: win10-20220901-en
General
Target: 348f6734e53f25e6b3f4e66dec24c4e971d7c038192f563cab41d6303a2fcac4.exe
Size: 341KB
MD5: eabca0bea7a7da07ea16ce6b3af25752
SHA1: c01354add056d8a8b2913475ccbdfb597eed349e
SHA256: 348f6734e53f25e6b3f4e66dec24c4e971d7c038192f563cab41d6303a2fcac4
SHA512: c2f8dad40e62f6b7bedbf5c21ba51e8a68075b49b3a96458de430287f5e9ba1c06a246328ac29d13a1c618d13470ebe9ad1592b356e3181d37a760e5e7360d39
SSDEEP: 6144:tLmleO5dOLt8RF8aloOjq7VWRFBMolz90gXSWITm:taljCLt8jXE7VWR5lzVCG
Malware Config
Signatures

Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/2764-152-0x00000000001E0000-0x00000000001E9000-memory.dmp
  yara_rule: family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  pid 4044: 227C.exe

Deletes itself (1 IoC)
  pid 2588

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 348f6734e53f25e6b3f4e66dec24c4e971d7c038192f563cab41d6303a2fcac4.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 348f6734e53f25e6b3f4e66dec24c4e971d7c038192f563cab41d6303a2fcac4.exe
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 348f6734e53f25e6b3f4e66dec24c4e971d7c038192f563cab41d6303a2fcac4.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid 2764: 348f6734e53f25e6b3f4e66dec24c4e971d7c038192f563cab41d6303a2fcac4.exe (2 entries)
  - pid 2588: process name blank in the report (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2588

Suspicious behavior: MapViewOfSection (19 IoCs)
  - pid 2764: 348f6734e53f25e6b3f4e66dec24c4e971d7c038192f563cab41d6303a2fcac4.exe (1 entry)
  - pid 2588: process name blank in the report (all remaining entries)

Suspicious use of WriteProcessMemory (35 IoCs)
  Source pid 2588 wrote to the memory of:
  - 4044 (227C.exe): 2 entries
  - 4300 (explorer.exe): 4 entries
  - 4952 (explorer.exe): 3 entries
  - 4504 (explorer.exe): 4 entries
  - 4548 (explorer.exe): 3 entries
  - 4308 (explorer.exe): 4 entries
  - 3828 (explorer.exe): 4 entries
  - 3808 (explorer.exe): 4 entries
  - 1800 (explorer.exe): 3 entries
  - 240 (explorer.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\348f6734e53f25e6b3f4e66dec24c4e971d7c038192f563cab41d6303a2fcac4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\348f6734e53f25e6b3f4e66dec24c4e971d7c038192f563cab41d6303a2fcac4.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\227C.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\227C.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\227C.exe
  Filesize: 4KB
  MD5: 9748489855d9dd82ab09da5e3e55b19e
  SHA1: 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1
  SHA256: 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
  SHA512: 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be