Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 16/09/2023, 12:04
Static task: static1
Behavioral task: behavioral1
- Sample: 06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: 06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b_JC.exe
- Size: 268KB
- MD5: ec3bd9d34fd06a8e83cb2a003e59a0eb
- SHA1: 097a9f9fa54e0e6deefb394c5d8fbf2f3b94b7a7
- SHA256: 06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b
- SHA512: 4a07bebf79d47a817de90f4c58cd7488da55d56308c53a681eb8e87a99f1cc1c137162393baba598f4c871942ccd32b03c5e167afcb167783222c97899fb5aa4
- SSDEEP: 6144:/2LuX8E/d2ltBWWIQ8CK95boCsh+eY24b:/LP/dwmWIQzKfoCaC
Malware Config
Extracted: smokeloader, pub1
Extracted: smokeloader, 2022
- http://gudintas.at/tmp/
- http://pik96.ru/tmp/
- http://rosatiauto.com/tmp/
- http://kingpirate.ru/tmp/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  pid 1280, Process not Found
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b_JC.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b_JC.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b_JC.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3040, 06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b_JC.exe (2 entries)
  pid 1280, Process not Found (all remaining entries, 62 of the 64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1280, Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 3040, 06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b_JC.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1280, Process not Found (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1280, Process not Found (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b_JC.exe (PID 3040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06f3c31343921c5f63bc0803569db1a31f0ecdf6029f167dcc234754eabacc9b_JC.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection