Analysis
max time kernel: 150s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 20-03-2023 11:27
Static task: static1
Behavioral task: behavioral1
  Sample: setup.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: setup.exe
  Resource: win10v2004-20230220-en
General
Target: setup.exe
Size: 248KB
MD5: d006e3ada47285de7c1e50a2a46bd381
SHA1: aac2bd978764e0e327461ea6a99dd2d19ded0a1a
SHA256: fb1bf08b724be23ef3e6301944d5c9efd1b919e0ed7055a174686cf26b8f3403
SHA512: 56febe801fef708081555b58725e5d40a17db16f6296e9b7b3b0dd7a3a5e25501724fa7364db13f4db4f3100e1d8eb14e758c55936a2829ccbec3b328112494d
SSDEEP: 3072:wD8hvaXsLNWtUuNHFQe9qWebdJNEr4ky6ccYO2xX53brpz:vaXsLN6f9y4q1mLylDO2Hvpz
Malware Config
Extracted family: smokeloader
Version: 2022
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: setup.exe
  description      ioc                                                    process
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI       setup.exe
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI       setup.exe
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI       setup.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: setup.exe
  pid    process
  1996   setup.exe
  1996   setup.exe
  1280   (process name not recorded; repeated for the remaining 62 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    process
  1280   (process name not recorded)
Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: setup.exe
  pid    process
  1996   setup.exe