Analysis

Max time kernel: 150s
Max time network: 31s
Platform: windows7_x64
Resource: win7-20230703-en
Resource tags: arch:x64 arch:x86 image:win7-20230703-en locale:en-us os:windows7-x64 system
Submitted: 12-07-2023 01:27

Static task: static1

Behavioral task: behavioral1
Sample: 8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3.exe
Resource: win7-20230703-en

Behavioral task: behavioral2
Sample: 8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3.exe
Resource: win10v2004-20230703-en
General

Target: 8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3.exe
Size: 240KB
MD5: 5fad9a11081ecf50c16106ffc8777445
SHA1: 0fdb015f0c016868a9d896be9ec8fd3f78c35ff2
SHA256: 8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3
SHA512: dbbe37965eeb7442a521b0cf1d2bd039d79a6a9867674a3fe211be0f2b18cf21ba5f6fb9c0469742eef91dbca4bef4c2981a4adcb926cec011c3b86d39473fb4
SSDEEP: 6144:TnLTzWdHub3CXG4V0GFNaNa2sBICvUH8snh/:DHzWds3EG4V0u4RsBICM9n
Malware Config

Extracted
  Family: smokeloader
  summ

Extracted
  Family: smokeloader
  2022
  http://stalagmijesarl.com/
  http://ukdantist-sarl.com/
  http://cpcorprotationltd.com/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description    | ioc                                               | Process
  Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3.exe
  Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  2428 | 8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3.exe
  2428 | 8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3.exe
  1200 | Process not Found (this row is repeated for each of the remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  | Process
  1200 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
  pid  | Process
  2428 | 8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3.exe
Processes

C:\Users\Admin\AppData\Local\Temp\8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2428