Analysis

- max time kernel: 150s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-02-2023 14:14

Static task: static1

Behavioral task: behavioral1
- Sample: 0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe
- Resource: win10v2004-20221111-en (windows10-2004-x64)
- 8 signatures
- 150 seconds
General

- Target: 0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe
- Size: 193KB
- MD5: 3017411d25c4e01a26bb132300855db9
- SHA1: d1e4b9dcb0c4ee076a7b7ce4ccf1bafa04862f66
- SHA256: 0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52
- SHA512: e6c51114efb58eea64579b0e643a6f2ec67cd48f35c2b0c1c2866ecb11b85f7839f6a96385b8137214aaeaaabada9e1144bd579bb4a3beaf740fbb279feb698b
- SSDEEP: 3072:nuBNcLDk9N3tlQoxx8QtbjQ5/PfzUunMggsDsv5BEg8xHCWPy3:nCWD63bQoxxztbUhPfz3q5G9CW
- Score: 10/10
Malware Config: (none listed)

Signatures

- Detects Smokeloader packer (4 IoCs)
  resource -> yara_rule
  - behavioral1/memory/4484-133-0x0000000000400000-0x0000000000409000-memory.dmp -> family_smokeloader
  - behavioral1/memory/5000-135-0x0000000000710000-0x0000000000719000-memory.dmp -> family_smokeloader
  - behavioral1/memory/4484-136-0x0000000000400000-0x0000000000409000-memory.dmp -> family_smokeloader
  - behavioral1/memory/4484-137-0x0000000000400000-0x0000000000409000-memory.dmp -> family_smokeloader

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target
  - PID 5000 set thread context of 4484 / 5000 / 0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe / 84

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description / ioc / Process
  - Key queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe
  - Key enumerated / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process
  - 4484 / 0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe (listed twice)
  - 2340 / Process not Found (all remaining entries; the same pid repeated)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process
  - 2340 / Process not Found

- Suspicious behavior: MapViewOfSection (1 IoC)
  pid / Process
  - 4484 / 0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target
  - PID 5000 wrote to memory of 4484 / 5000 / 0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe / 84 (6 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe (PID 5000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe (PID 4484, child of PID 5000)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0c5a8b9476d0dfac33e144f79e1cdcf5aeb9c54dd30d3ebdcff10f25abab3c52.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection