Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/02/2023, 19:33
Static task: static1
Behavioral task: behavioral1
Sample: 1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe
Resource: win10v2004-20220812-en
General
Target: 1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe
Size: 283KB
MD5: 5336c2ec8236aec298d2959688711368
SHA1: 113d75d83c0735dc298951976beeba5bf759c556
SHA256: 1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1
SHA512: bf58539cd7f5c6b32070d5fc44c3cb5c2e79855bd4a7ea85f79885da43fcdab64e4e0f3c740d686753e678a094ca074cfa04b49c11a50ce5329e6c07fea380f9
SSDEEP: 3072:BPPVO920+N337jLHBn4Wxs+954ly5npD1InBYx45B0qK3SGlyBUR6MyK:1PVi0NnLHB4/yl91+P5CQBURz
Malware Config
Signatures
-
Detects Smokeloader packer (4 IoCs)
resource | yara_rule
behavioral1/memory/1248-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/4464-135-0x0000000000580000-0x0000000000589000-memory.dmp | family_smokeloader
behavioral1/memory/1248-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/1248-137-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4464 set thread context of 1248 | 4464 | 1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe | 80
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1248 | 1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe
1248 | 1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe
2432 | Process not Found (this row is repeated for the remaining 62 of the 64 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2432 | Process not Found
-
Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
1248 | 1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4464 wrote to memory of 1248 | 4464 | 1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe | 80 (this row is repeated 6 times, one per IoC)
Processes
-
Level 1 (parent): C:\Users\Admin\AppData\Local\Temp\1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 4464
-
Level 2 (spawned by PID 4464): C:\Users\Admin\AppData\Local\Temp\1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1fc3336878782f718710f5310cbb044c39776872332d4306a4337f5eedd5c9c1.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID: 1248