Analysis
max time kernel: 152s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11-03-2023 15:44
Static task: static1
Behavioral task: behavioral1
Sample: 10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
Resource: win7-20230220-en
General
Target: 10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
Size: 215KB
MD5: 64e1d7ec7103d1a04029c4db2941a8d3
SHA1: 706a486a113041efd175ed05bf86fd5aad67083f
SHA256: 10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f
SHA512: b38c7104b5406ef1ef212637c7bf201e182359f5bed078ca9718ebfbf0ed5f59927a612ce422e7eab692c591c9089c8c3231f49966e75e28af7c2ff0f675277d
SSDEEP: 3072:paUIvLUh91b504gy5kJM0yD1h52aNfC6YQGJ58ZdIqxQYzEVb:sUwLk91sZyphoaNfLYrJ58FFzyb
Malware Config
Extracted
smokeloader
2023
Extracted
smokeloader
2022
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description     ioc                                                 process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid     process
1368    10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe (2 entries)
1236    (process name not recorded; all remaining entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid     process
1236    (process name not recorded)
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
pid     process
1368    10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection