Analysis
Max time kernel: 150s
Max time network: 32s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 01-04-2023 01:28
Tasks
Static task: static1
Behavioral task: behavioral1 (sample: setup.exe, resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: setup.exe, resource: win10v2004-20230220-en)
General
Target: setup.exe
Size: 218KB
MD5: 7edffce5f01d5ccf4f72327802464fb4
SHA1: 42430da4275e074d6c48b83b8f50480e20a85294
SHA256: 2c6674aef75a5084066d49ccd81b0c309ccc1940db9bd1fe866ad92264f431f4
SHA512: 17cf2f360a7e2248e014f3cd7ba31e2c60c9b555eaacab961c861ed540a316b4df769348b09e480eaa38856427dfe0535e70c4e54f970078d7a1845b89eb123e
SSDEEP: 3072:O87y1e0RVxuD+n4467soTdy7GcKK7+RKBRw0YtT5grsePM3VJ9m+X:t7zs5FCcKKaOU8rseEv9rX
Malware Config
Extracted family: smokeloader (version 2022)
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: setup.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  setup.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  setup.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  setup.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: setup.exe
  pid 1888  setup.exe  (2 entries)
  pid 1372  (process name not recorded; remaining 62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 1372  (process name not recorded)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes: setup.exe
  pid 1888  setup.exe