Analysis
max time kernel: 152s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2023, 20:25
Static task: static1
Behavioral task: behavioral1
Sample: f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e.exe
Resource: win10v2004-20230220-en
General
Target: f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e.exe
Size: 318KB
MD5: 0ec380d842af57578af7c343c7adf7be
SHA1: a0e7c16e728152df30f89da036bc923b377efc33
SHA256: f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e
SHA512: b6e19a600fbb56274b078931d11916fb8244352ac6faffe4eecf508b6813c78c6a3fb7bf16295afc8bc0741fb11d64ae580c948ab1d233b8a5550dd3cf968d66
SSDEEP: 3072:UEGY0nDO7X9Ktaqdq0tl+5SwkII8dZxJsK5wJ1DSdQcKX5hL4U7x/MtlQ:pGY0p5vJ8dZxJJ5wJJJcKrcbtlQ
Malware Config
Extracted
smokeloader
2022
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1588 | f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e.exe
1588 | f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e.exe
1312 | Process not Found (this row repeats for the remaining 62 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1312 | Process not Found
Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
1588 | f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f050682765e46f6f5e7d66e507e2112db336d63d113c340ba67c565cc4c01c4e.exe"
   - Checks SCSI registry key(s)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   PID: 1588