Analysis
max time kernel: 150s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2023 11:51
Static task: static1
Behavioral task: behavioral1
  Sample: 761ddc943a88d0d0888ac5a46abce823808a82c6185abd178a0a102097c1fa32.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 761ddc943a88d0d0888ac5a46abce823808a82c6185abd178a0a102097c1fa32.exe
  Resource: win10v2004-20230220-en
General
Target: 761ddc943a88d0d0888ac5a46abce823808a82c6185abd178a0a102097c1fa32.exe
Size: 243KB
MD5: 516b69533919439c5cc5da9eb9584362
SHA1: fce1cfced4670e038da306e103a9ef16d08ad592
SHA256: 761ddc943a88d0d0888ac5a46abce823808a82c6185abd178a0a102097c1fa32
SHA512: 6d760123f46e68b7513d46c70bd46254b623d2716c9e6a61f578dcfb59468772d32aa08d0c88ec7f31a34596c2cc08150604fc9302ff843baa642897aab1892e
SSDEEP: 3072:dEk+Lu/SjYIXhIJ890jU3suDgW1V7zBjZ8vtyes7u:n+LqSjYlJlmdvL7zBV68
Malware Config
Extracted: smokeloader (2022)
Signatures
SmokeLoader: modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs): SCSI information is often read in order to detect sandboxing environments.
Processes:
  description: Key queried; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; process: 761ddc943a88d0d0888ac5a46abce823808a82c6185abd178a0a102097c1fa32.exe
  description: Key enumerated; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; process: 761ddc943a88d0d0888ac5a46abce823808a82c6185abd178a0a102097c1fa32.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; process: 761ddc943a88d0d0888ac5a46abce823808a82c6185abd178a0a102097c1fa32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 2028; process: 761ddc943a88d0d0888ac5a46abce823808a82c6185abd178a0a102097c1fa32.exe (listed twice)
  pid 1244; process name not resolved in the report (all remaining entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 1244; process name not resolved in the report
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid 2028; process: 761ddc943a88d0d0888ac5a46abce823808a82c6185abd178a0a102097c1fa32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\761ddc943a88d0d0888ac5a46abce823808a82c6185abd178a0a102097c1fa32.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\761ddc943a88d0d0888ac5a46abce823808a82c6185abd178a0a102097c1fa32.exe"
   - Checks SCSI registry key(s)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection