Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
08/02/2023, 04:24
Static task
static1
Behavioral task
behavioral1
Sample
d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe
-
Size
194KB
-
MD5
ba266f8e0385c4b245b1f5313e81fb33
-
SHA1
d6999dbcd0fa9c3b07f1fb6ddaefefa8465a61de
-
SHA256
d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71
-
SHA512
752d5646fdc8919b1fb7f2b58d7fca54c995931c52e608fc48df44edefaef9ec0c8874b17fc80045dc76aff35ac7a80ba0e7517b7e101cb5ad422f5ddc2fe5d3
-
SSDEEP
3072:ozsOb7TKdksQDLvjmKOWja5qh8cG3FhL3cJ52ggoAVQfz:ozsI2uLvDODBLsJZgoAVQfz
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 4 IoCs
resource yara_rule behavioral1/memory/4308-133-0x00000000006D0000-0x00000000006D9000-memory.dmp family_smokeloader behavioral1/memory/2788-135-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader behavioral1/memory/2788-137-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader behavioral1/memory/2788-138-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4308 set thread context of 2788 4308 d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe 77 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2788 d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe 2788 d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2984 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2788 d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4308 wrote to memory of 2788 4308 d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe 77 PID 4308 wrote to memory of 2788 4308 d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe 77 PID 4308 wrote to memory of 2788 4308 d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe 77 PID 4308 wrote to memory of 2788 4308 d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe 77 PID 4308 wrote to memory of 2788 4308 d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe 77 PID 4308 wrote to memory of 2788 4308 d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe 77
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe"C:\Users\Admin\AppData\Local\Temp\d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe"C:\Users\Admin\AppData\Local\Temp\d6dd09b2a07d1e0ffa6bb3eaf8173e7cd158a13db35189500c3dff37bfee0a71.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2788
-