Analysis

max time kernel: 150s
max time network: 43s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 13/02/2023, 01:54
Static task: static1

Behavioral task: behavioral1
Sample: e8173e1e90657aab2795034f66accf274f6b73bcca18ff6223ce2490906d2742.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: e8173e1e90657aab2795034f66accf274f6b73bcca18ff6223ce2490906d2742.exe
Resource: win10v2004-20221111-en
General

Target: e8173e1e90657aab2795034f66accf274f6b73bcca18ff6223ce2490906d2742.exe
Size: 196KB
MD5: afcc5a1db6500492b9f62c213f43fb77
SHA1: 35695719f6cadc3b574b484dea7c2f4b2871b5d3
SHA256: e8173e1e90657aab2795034f66accf274f6b73bcca18ff6223ce2490906d2742
SHA512: 584338da1edbcf1d3e13a8bcc46b7cff630f9cf62bf7e79da547e640bcab58c37f0c8061ae49dd5687e79d5c22be1eb05d2df91e28c84536e0d3da110965757a
SSDEEP: 3072:plE9sQ+sJJw5e99bP1GrGzxnw6kYiky+CVTJhjte:bqTbJJT91cizg6qlJ
Malware Config
Signatures

Detects Smokeloader packer (1 IoC)
resource: behavioral1/memory/1816-56-0x0000000000220000-0x0000000000229000-memory.dmp
yara_rule: family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
process: e8173e1e90657aab2795034f66accf274f6b73bcca18ff6223ce2490906d2742.exe
description: Key queried
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
process: e8173e1e90657aab2795034f66accf274f6b73bcca18ff6223ce2490906d2742.exe
description: Key enumerated
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
process: e8173e1e90657aab2795034f66accf274f6b73bcca18ff6223ce2490906d2742.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: 1816
process: e8173e1e90657aab2795034f66accf274f6b73bcca18ff6223ce2490906d2742.exe
pid: 1200
process: Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid: 1816
process: e8173e1e90657aab2795034f66accf274f6b73bcca18ff6223ce2490906d2742.exe
Processes

Path: C:\Users\Admin\AppData\Local\Temp\e8173e1e90657aab2795034f66accf274f6b73bcca18ff6223ce2490906d2742.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e8173e1e90657aab2795034f66accf274f6b73bcca18ff6223ce2490906d2742.exe"
PID: 1816
Signatures:
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection