Analysis
max time kernel:  150s
max time network: 29s
platform:         windows7_x64
resource:         win7-20221111-en
resource tags:    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted:        16/02/2023, 01:37
Static task: static1

Behavioral task: behavioral1
  Sample:   786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample:   786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe
  Resource: win10v2004-20221111-en
General
Target: 786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe
Size:   192KB
MD5:    a0bf854d3adde4328160436162758347
SHA1:   72be15c429b4a3e4441e0c1b10394b7549974a6c
SHA256: 786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20
SHA512: f8d9c492f072a5bf4028fd0063d1341b6e8c13542bd37e0085a100a7dcb9ad00a34f9f0face7651679e7e40aeab72da7f2ff000de1e524b7560bd6f28ed37d37
SSDEEP: 3072:4OONJO0LstBU5FguWlBWPQsHiDCgR8QIXNVxIjb9bj2s/bz0:oLCBorWlIsGgjSxKb9n2Q
Malware Config
Signatures
Detects Smokeloader packer (5 IoCs)
  resource                                                                          yara_rule
  behavioral1/memory/1228-55-0x0000000000402DD8-mapping.dmp                         family_smokeloader
  behavioral1/memory/1228-54-0x0000000000400000-0x0000000000409000-memory.dmp       family_smokeloader
  behavioral1/memory/1204-58-0x00000000001B0000-0x00000000001B9000-memory.dmp       family_smokeloader
  behavioral1/memory/1228-59-0x0000000000400000-0x0000000000409000-memory.dmp       family_smokeloader
  behavioral1/memory/1228-60-0x0000000000400000-0x0000000000409000-memory.dmp       family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                                                   procid_target
  PID 1204 set thread context of 1228  1204  786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe     28
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                                  Process
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1228  786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe
  1228  786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe
  1244  Process not Found  (this identical entry accounts for the remaining 62 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1244  Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1228  786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                         pid   Process                                                                   procid_target
  PID 1204 wrote to memory of 1228    1204  786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe     28
  (the same entry is recorded 7 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe"
   PID: 1204
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe  (child of PID 1204)
      Command line: "C:\Users\Admin\AppData\Local\Temp\786459d98380a766876fcf35996ccb829f909a2809a8b4bc62df294fd7231f20.exe"
      PID: 1228
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection