Analysis
max time kernel: 150s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2023 01:33
Static task: static1
Behavioral task: behavioral1
  Sample: 9f253f6abcd703cb920e2825df26b468164d15ca2d50f154a5b12fbf84c05ca5.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 9f253f6abcd703cb920e2825df26b468164d15ca2d50f154a5b12fbf84c05ca5.exe
  Resource: win10v2004-20230220-en
General
Target: 9f253f6abcd703cb920e2825df26b468164d15ca2d50f154a5b12fbf84c05ca5.exe
Size: 274KB
MD5: 59ab8997244079855e9af6aa577cb8c3
SHA1: 0aecd525dddccda85aec5ea07a5648cfa8fad1e9
SHA256: 9f253f6abcd703cb920e2825df26b468164d15ca2d50f154a5b12fbf84c05ca5
SHA512: 66188ad1bd708fd2e11aec23b638048bd8aae63c55091805a8c445884dbe5405db4f3809c9cb0600185dd31db2842d2023f937827260d23926a6a83db11c5ee7
SSDEEP: 3072:j3uRWX6TzugTWRYcSu6u+bZh7YzgNIs8ukBosYg3/rGpNN4TJY:iX1TSYcby38uoL/r8NN4T
Malware Config
Extracted (smokeloader): sprg
Extracted (smokeloader): 2022
  C2 URLs:
  http://hoh0aeghwugh2gie.com/
  http://hie7doodohpae4na.com/
  http://aek0aicifaloh1yo.com/
  http://yic0oosaeiy7ahng.com/
  http://wa5zu7sekai8xeih.com/
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    process: 9f253f6abcd703cb920e2825df26b468164d15ca2d50f154a5b12fbf84c05ca5.exe  description: Key opened      ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    process: 9f253f6abcd703cb920e2825df26b468164d15ca2d50f154a5b12fbf84c05ca5.exe  description: Key queried     ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    process: 9f253f6abcd703cb920e2825df26b468164d15ca2d50f154a5b12fbf84c05ca5.exe  description: Key enumerated  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
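The open, query and enumerate sequence recorded against Enum\SCSI is the classic shape of a hypervisor check: the subkey names under that key carry the disk and CD-ROM vendor/product strings, and a virtual machine's are recognisable. The following Python is an added example of that check, written here for illustration; it is not code recovered from the sample and not the sandbox's own logic. The marker list and the two sets of sample subkey names are constructed assumptions, and `enumerate_scsi_subkeys` only touches the live registry on a Windows host.

```python
"""Anti-sandbox check of the kind the 'Checks SCSI registry key(s)' signature
fires on. Added example, not code from the sample or from the sandbox; the
hypervisor marker list and the sample subkey names are constructed."""
import sys
from typing import Iterable, List, Optional

# Key the report shows being opened, queried and enumerated (HKLM-relative).
SCSI_ENUM_SUBKEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Vendor/product fragments hypervisors put in SCSI device IDs.
# Assumption: illustrative list, not exhaustive.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUAL", "QEMU", "XEN", "VIRTIO")


def enumerate_scsi_subkeys() -> Optional[List[str]]:
    """Return the subkey names under HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI.

    OpenKey / QueryInfoKey / EnumKey is the same open -> query -> enumerate
    sequence the sandbox logged as three IoCs. Returns None off Windows so
    the rest of the example still runs offline.
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_SUBKEY) as key:
        subkey_count, _values, _modified = winreg.QueryInfoKey(key)
        return [winreg.EnumKey(key, i) for i in range(subkey_count)]


def vm_indicators(subkeys: Iterable[str]) -> List[str]:
    """Subkey names whose vendor/product string matches a hypervisor marker."""
    return [name for name in subkeys
            if any(marker in name.upper() for marker in VM_MARKERS)]


def looks_like_sandbox(subkeys: Iterable[str]) -> bool:
    """True when at least one SCSI device advertises a hypervisor vendor."""
    return bool(vm_indicators(subkeys))


# Constructed sample subkey names, shaped like real Enum\SCSI entries.
SAMPLE_VMWARE = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
]
SAMPLE_PHYSICAL = [
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]

if __name__ == "__main__":
    live = enumerate_scsi_subkeys()
    for label, keys in (("vmware", SAMPLE_VMWARE),
                        ("physical", SAMPLE_PHYSICAL),
                        ("this host", live)):
        if keys is not None:
            print(f"{label}: sandbox={looks_like_sandbox(keys)} "
                  f"hits={vm_indicators(keys)}")
```

Two things follow for an analyst. The sample read only ControlSet001, so a sandbox that rewrites vendor strings under Enum\SCSI must do it for every control set the key is reachable through, not just CurrentControlSet. And the three registry operations are visible to any monitoring that hooks or traces the registry, which is how the sandbox attributed them; the same open/query/enumerate triple on Enum\SCSI from a freshly dropped executable in a user's Temp directory is a reasonable hunting pivot on endpoint telemetry.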
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 2016  9f253f6abcd703cb920e2825df26b468164d15ca2d50f154a5b12fbf84c05ca5.exe  (2 events)
    pid 1264  (process name not recorded in the report; the remaining 62 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Repeated GetForegroundWindow calls, typically polling for user activity as a further sandbox check.
  Processes:
    pid 1264  (process name not recorded in the report)
Suspicious behavior: MapViewOfSection (1 IoC)
  Mapping a section view into a process, a common process-injection primitive.
  Processes:
    pid 2016  9f253f6abcd703cb920e2825df26b468164d15ca2d50f154a5b12fbf84c05ca5.exe
Note: the report never names pid 1264. Its process-enumeration and foreground-window behavior appearing alongside the sample's MapViewOfSection is consistent with injected code running in another process, but the page does not identify the host process.
Processes
C:\Users\Admin\AppData\Local\Temp\9f253f6abcd703cb920e2825df26b468164d15ca2d50f154a5b12fbf84c05ca5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9f253f6abcd703cb920e2825df26b468164d15ca2d50f154a5b12fbf84c05ca5.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection