Analysis
- max time kernel: 300s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 26/02/2023, 05:23
Static task: static1

Behavioral task: behavioral1
- Sample: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1
- Resource: win10-20230220-en
General
- Target: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1
- Size: 552B
- MD5: e4e334efd3ed0f23499a75127e2662aa
- SHA1: 7e460968dcbc7ddc8b8c6ede94798e54fbfc5e63
- SHA256: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9
- SHA512: 75d26061e143542f13a05839b054aaaac2146b5ea79bcf94b587169e822f27c525a8cf30f39e3048d5249346adacbeb2695a45a68e0bee48fdd2035ed068ade8
Malware Config
Signatures
- Detects Smokeloader packer (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x000e00000000366b-68.dat | family_smokeloader
  behavioral1/files/0x000e00000000366b-70.dat | family_smokeloader
  behavioral1/memory/1856-71-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/1856-73-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  3 | 1160 | powershell.exe

- Downloads MZ/PE file

- Deletes itself (1 IoC)
  pid | Process
  1160 | powershell.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  1856 | agent.exe

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | agent.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | agent.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | agent.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1160 | powershell.exe (2 entries)
  1856 | agent.exe (2 entries)
  1236 | Process not Found (remaining 60 entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1236 | Process not Found

- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  1856 | agent.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1160 | powershell.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1160 wrote to memory of 1856 | 1160 | powershell.exe | 28 (4 identical entries)
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1160)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1
  - Blocklisted process makes network request
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\agent.exe (PID 1856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\agent.exe"
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 29KB
  MD5: 1496b98fe0530da47982105a87a69bce
  SHA1: 00719a1b168c8baa3827a161326b157713f9a07a
  SHA256: c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d
  SHA512: 286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6