Analysis

max time kernel: 149s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2023 01:33
Static task: static1

Behavioral task: behavioral1
  Sample: d936d6cacf0d0a07083a609ae2475729aa9571bb27f16e89e043cc84f3e08cc6.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: d936d6cacf0d0a07083a609ae2475729aa9571bb27f16e89e043cc84f3e08cc6.exe
  Resource: win10v2004-20230220-en
General

Target: d936d6cacf0d0a07083a609ae2475729aa9571bb27f16e89e043cc84f3e08cc6.exe
Size: 275KB
MD5: 596d8f644ddca88aa583b978acdd24a7
SHA1: eee509b98db80540795a130bad1ab9565aa04fc8
SHA256: d936d6cacf0d0a07083a609ae2475729aa9571bb27f16e89e043cc84f3e08cc6
SHA512: 06fd36a4e7be4f684721ccca0fba93933ce13e43ec23135869ee91bb40ccd003b9b5b2e03dc8259036ae872055698fd3c8b7c73a590321e885f0fa26d0194702
SSDEEP: 3072:X3Uo6ySkvufjvrHedZuqBSabZs/kItvgNATvVPFPswkhZc8IBjWmE7/LpNN4TJY:IEajvLedQnvgNATjVkDTIBjWf/dNN4T
Malware Config

Extracted
Family: smokeloader
Version: 2022
C2 URLs:
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
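The thirteen C2 URLs above are the actionable part of this report. The script below is an added example (not sandbox output and not SmokeLoader tooling): it parses the extracted URLs into unique hostnames, defangs them for sharing, and emits one Suricata DNS rule per hostname. The SID base (9000001) and the rule text are assumptions; the dns.query sticky buffer with endswith assumes Suricata 5 or later.

```python
"""Turn the SmokeLoader C2 URLs from the extracted config into defanged IOCs
and Suricata DNS detection rules.

Added example for this report, not part of the sandbox output. The SID
range and the rule layout are assumptions; pick a SID base unused in your
ruleset.
"""
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config above.
SMOKELOADER_C2 = [
    "http://potunulit.org/",
    "http://hutnilior.net/",
    "http://bulimu55t.net/",
    "http://soryytlic4.net/",
    "http://novanosa5org.org/",
    "http://nuljjjnuli.org/",
    "http://tolilolihul.net/",
    "http://somatoka51hub.net/",
    "http://hujukui3.net/",
    "http://bukubuka1.net/",
    "http://golilopaster.org/",
    "http://newzelannd66.org/",
    "http://otriluyttn.org/",
]


def extract_c2_domains(urls):
    """Return the unique hostnames from the C2 URL list, in first-seen order.

    Anything that is not an http(s) URL with a hostname is rejected, so a
    malformed or truncated config entry cannot become a bogus rule.
    """
    seen = []
    for url in urls:
        parsed = urlparse(url.strip())
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            raise ValueError(f"not a usable C2 URL: {url!r}")
        host = parsed.hostname.lower()
        if host not in seen:
            seen.append(host)
    return seen


def defang(url):
    """Defang a URL for tickets and chat: http -> hxxp, '.' -> '[.]'."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def suricata_dns_rules(domains, sid_base=9000001):
    """One Suricata rule per C2 domain, matching DNS queries for it.

    dns.query is the sticky buffer for the queried name (Suricata 5+,
    assumed); endswith also catches queries for subdomains of the C2 host.
    """
    rules = []
    for i, domain in enumerate(domains):
        rules.append(
            "alert dns $HOME_NET any -> any any ("
            f'msg:"SmokeLoader C2 domain {domain}"; '
            f'dns.query; content:"{domain}"; nocase; endswith; '
            "classtype:trojan-activity; "
            f"sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    domains = extract_c2_domains(SMOKELOADER_C2)
    for url in SMOKELOADER_C2:
        print(defang(url))
    print()
    print("\n".join(suricata_dns_rules(domains)))
```

The generated rules alert on the DNS lookup rather than the HTTP request, which fires even when the C2 host has already gone dark and the connection never completes.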
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the subkeys under Enum\SCSI carry the vendor and product strings of the attached disks, which give away VirtualBox, VMware and QEMU virtual disks.
Processes:
description     ioc                                              process
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  d936d6cacf0d0a07083a609ae2475729aa9571bb27f16e89e043cc84f3e08cc6.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  d936d6cacf0d0a07083a609ae2475729aa9571bb27f16e89e043cc84f3e08cc6.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  d936d6cacf0d0a07083a609ae2475729aa9571bb27f16e89e043cc84f3e08cc6.exe
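To show what the open/enumerate/query sequence on Enum\SCSI buys the malware, here is an added example (not code recovered from the sample) that reproduces the check on constructed data. The key path is the one from the IoC list; the subkey names and the marker list are assumptions about what typical virtual and physical disks enumerate as. On a Windows host the same logic can be run against the live key via winreg; elsewhere that step is skipped so the module still runs offline.

```python
"""Reproduce the SCSI-registry sandbox check flagged in the report, on
constructed data.

Added example, not code from the sample. SCSI_KEY is the path from the IoC
list; SANDBOX_SUBKEYS, PHYSICAL_SUBKEYS and VM_MARKERS are assumptions.
"""
import re

SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Substrings that identify a virtual disk or controller (assumed list;
# extend it from the images in your own sandbox).
VM_MARKERS = ("vbox", "vmware", "qemu", "virtual", "xen", "virtio")

# Constructed subkey names in the 'Type&Ven_X&Prod_Y' form Windows uses
# under Enum\SCSI. A VirtualBox guest versus a bare-metal box.
SANDBOX_SUBKEYS = [
    r"Disk&Ven_VBOX&Prod_HARDDISK",
    r"CdRom&Ven_VBOX&Prod_CD-ROM",
]
PHYSICAL_SUBKEYS = [
    r"Disk&Ven_Samsung&Prod_SSD_870_EVO",
    r"CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]


def vendor_product(subkey):
    """Parse 'Type&Ven_X&Prod_Y' into (type, vendor, product), or None when
    the name does not follow that pattern."""
    m = re.match(r"^(?P<type>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>.*)$", subkey)
    if not m:
        return None
    return m.group("type"), m.group("ven"), m.group("prod")


def find_vm_markers(subkeys, markers=VM_MARKERS):
    """Return the subkeys whose vendor or product string contains a marker.

    An empty result is what a real machine looks like to the malware; any
    hit is what makes it go quiet or exit inside a sandbox.
    """
    hits = []
    for name in subkeys:
        parsed = vendor_product(name)
        fields = parsed[1:] if parsed else (name,)  # fall back to the raw name
        if any(marker in field.lower() for field in fields for marker in markers):
            hits.append(name)
    return hits


def looks_like_sandbox(subkeys):
    return bool(find_vm_markers(subkeys))


def read_scsi_subkeys():
    """Enumerate the real key on Windows (the same open/enumerate sequence
    the report logs). Returns None off Windows, where winreg is absent."""
    try:
        import winreg
    except ImportError:
        return None
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for i in range(subkey_count):
            names.append(winreg.EnumKey(key, i))
    return names


if __name__ == "__main__":
    for label, keys in (("sandbox", SANDBOX_SUBKEYS), ("physical", PHYSICAL_SUBKEYS)):
        print(label, looks_like_sandbox(keys), find_vm_markers(keys))
    live = read_scsi_subkeys()
    if live is not None:
        print("this host:", looks_like_sandbox(live), find_vm_markers(live))
```

The defensive consequence is that an analysis VM should not advertise its hypervisor in the disk vendor and model strings; most hypervisors let you override those in the VM configuration, after which this check returns nothing and the sample proceeds to its payload.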
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid 2008  d936d6cacf0d0a07083a609ae2475729aa9571bb27f16e89e043cc84f3e08cc6.exe  (2 IoCs)
pid 1252  (no process name recorded in the report)  (remaining 62 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid 1252  (no process name recorded in the report)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
pid 2008  d936d6cacf0d0a07083a609ae2475729aa9571bb27f16e89e043cc84f3e08cc6.exe
Processes

C:\Users\Admin\AppData\Local\Temp\d936d6cacf0d0a07083a609ae2475729aa9571bb27f16e89e043cc84f3e08cc6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d936d6cacf0d0a07083a609ae2475729aa9571bb27f16e89e043cc84f3e08cc6.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection