Analysis
-
max time kernel
150s
-
max time network
116s
-
platform
windows7_x64
-
resource
win7-20221111-en
-
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted
17-02-2023 08:36
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
8 signatures
150 seconds
General
-
Target
file.exe
-
Size
206KB
-
MD5
4cd82652cfa5e41116e174ea43afc656
-
SHA1
ac32e38bf60f4ec0843a079161727b2c61bc489a
-
SHA256
7b0dadd767602dc7b1c52e1c7d7dda882198e7c45e88d86df3b49fcb67385115
-
SHA512
cf61143e3a2d9d20cd29676a09116f23fd87d5058cd6439dc748e1f7a11b8f0e2fdd25364fb6fd4702eb69f699ad9e48128be42444a53e2d7f560c485c153748
-
SSDEEP
3072:B7a74f9Go3MmPIfVREmrS8FqAVeI4x23K1be2qpCpoEi5Dfy+:B7M4N3IfTEMSqzeI4x2Kbe2qpCtiBfy
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
Processes:
resource: behavioral1/memory/1184-56-0x0000000000220000-0x0000000000229000-memory.dmp
yara_rule: family_smokeloader
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
file.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
file.exe
pid | process
1184 | file.exe
1184 | file.exe
1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1268
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
file.exe
pid | process
1184 | file.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1268
1268
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
1268
1268
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1184-54-0x00000000767F1000-0x00000000767F3000-memory.dmp
Filesize
8KB
-
memory/1184-55-0x00000000006EE000-0x0000000000701000-memory.dmp
Filesize
76KB
-
memory/1184-56-0x0000000000220000-0x0000000000229000-memory.dmp
Filesize
36KB
-
memory/1184-57-0x0000000000400000-0x0000000000568000-memory.dmp
Filesize
1.4MB
-
memory/1184-58-0x0000000000400000-0x0000000000568000-memory.dmp
Filesize
1.4MB
-
memory/1268-59-0x000007FEF6C90000-0x000007FEF6DD3000-memory.dmp
Filesize
1.3MB
-
memory/1268-60-0x000007FE81100000-0x000007FE8110A000-memory.dmp
Filesize
40KB