Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 03:16
Static task: static1
Behavioral task: behavioral1
  Sample: 569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe
  Resource: win10v2004-20241007-en
General
Target: 569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe
Size: 211KB
MD5: 20d9ca599cc0e8e73b77f5552a303637
SHA1: 569b86219cba20b0c5f808b76026a4fb5ab6dc80
SHA256: 24d6ba0a22ec78d588e2be35a4451c50620e206b0b542b9f010540e7704bad86
SHA512: 299dd1b019cd9e80f2e6a527aeccdbdc7ee3251625e33270baab3c7515dfc263421b04c2693cef56afc6d21ef970ff7f60a04d0bf966c220e2cd9836ad60808d
SSDEEP: 3072:PmoSdUCtu9MUy4xk2Q5Jco4RxJEPSvnARgYzbHOAg0FujDE5wjmaLJDfLG6PfDLC:PmogFu6U3xkxaRHEF+AOzLNDf66XXXC
Malware Config
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Suspicious use of SetThreadContext (1 IoC)
Processes: 569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe
  description: PID 1000 set thread context of 2224
  pid: 1000
  process: 569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe
  target process: RegSvcs.exe
-
Program crash (1 IoC)
Processes: WerFault.exe
  pid: 3828
  pid_target: 1000
  process: WerFault.exe
  target process: 569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe
-
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes: 569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: RegSvcs.exe
  description: Key queried
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  process: RegSvcs.exe
  description: Key enumerated
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  process: RegSvcs.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  process: RegSvcs.exe
-
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: 569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe
  description: PID 1000 wrote to memory of 2224 (5 identical events)
  pid: 1000
  process: 569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe
  target process: RegSvcs.exe
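Read together, the SetThreadContext and WriteProcessMemory rows above and the SCSI key reads attributed to the RegSvcs.exe child are the classic process-hollowing pattern: the sample launches a legitimate .NET utility with no arguments, writes into it, redirects its thread, and the anti-sandbox registry probing is then performed by the injected payload rather than by the dropped file. The script below is an added example (it is not part of this report or of any sandbox vendor's tooling) that correlates such rows into a single finding. The event field layout, the list of commonly hollowed .NET binaries, the Enum\IDE probe key and the sample's parent PID are assumptions; the event list is constructed to mirror this report's IoCs.

```python
"""Correlate process-injection telemetry into one hollowing finding.

Added example, not code from the sandbox report or any vendor. Event records
use an assumed Sysmon-like layout (op, pid, ppid, target_pid, key, ...).
"""
from collections import Counter
from dataclasses import dataclass, field

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed events in report order: the sample (PID 1000) spawns RegSvcs.exe
# (PID 2224), writes to it five times, sets its thread context, and the child
# then reads Enum\SCSI. The sample's own parent PID is not in the report.
EVENTS = [
    {"op": "process_create", "pid": 1000, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"op": "reg_open", "pid": 1000, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"op": "process_create", "pid": 2224, "ppid": 1000, "image": REGSVCS, "cmdline": f'"{REGSVCS}"'},
    *({"op": "write_process_memory", "pid": 1000, "target_pid": 2224} for _ in range(5)),
    {"op": "set_thread_context", "pid": 1000, "target_pid": 2224},
    {"op": "reg_query", "pid": 2224, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"},
    {"op": "reg_enumerate", "pid": 2224, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"},
    {"op": "process_create", "pid": 3828, "ppid": 1000, "image": WERFAULT, "cmdline": f"{WERFAULT} -u -p 1000 -s 256"},
]

# .NET framework binaries commonly used as hollowing hosts; analyst-maintained list (assumption).
KNOWN_HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}
# Registry paths whose access right after injection reads as a VM/sandbox probe.
# Enum\SCSI is what the report records; Enum\IDE is added by assumption.
VM_PROBE_KEY_FRAGMENTS = (r"\enum\scsi", r"\enum\ide")


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def launched_without_arguments(image: str, cmdline: str) -> bool:
    """True when the command line is nothing but the (possibly quoted) image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


@dataclass
class InjectionFinding:
    injector_pid: int
    target_pid: int
    injector_image: str
    target_image: str
    write_count: int
    target_is_child: bool
    target_is_known_host: bool
    target_launched_bare: bool
    post_injection_probe_keys: list = field(default_factory=list)

    def severity(self) -> str:
        """Write plus SetThreadContext alone is suspicious; each extra trait confirms hollowing."""
        points = sum([self.target_is_child, self.target_is_known_host,
                      self.target_launched_bare, bool(self.post_injection_probe_keys)])
        return "high" if points >= 3 else "medium" if points >= 1 else "low"


def find_process_injection(events: list) -> list:
    """Pair cross-process memory writes with a later SetThreadContext on the same target."""
    procs = {e["pid"]: e for e in events if e["op"] == "process_create"}
    writes = Counter()
    first_context_set = {}  # (src, dst) -> index of the first SetThreadContext event
    for idx, e in enumerate(events):
        if e["op"] == "write_process_memory" and e["pid"] != e["target_pid"]:
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["op"] == "set_thread_context" and e["pid"] != e["target_pid"]:
            first_context_set.setdefault((e["pid"], e["target_pid"]), idx)

    findings = []
    for (src, dst), idx in sorted(first_context_set.items(), key=lambda kv: kv[1]):
        if writes[(src, dst)] == 0:
            continue  # context change with no prior write: debugger-like, not hollowing
        src_proc, dst_proc = procs.get(src, {}), procs.get(dst, {})
        dst_image = dst_proc.get("image", "")
        # Registry activity by the target after the thread redirect belongs to the payload.
        probe_keys = [e["key"] for e in events[idx + 1:]
                      if e["op"].startswith("reg_") and e["pid"] == dst
                      and any(frag in e["key"].lower() for frag in VM_PROBE_KEY_FRAGMENTS)]
        findings.append(InjectionFinding(
            injector_pid=src, target_pid=dst,
            injector_image=src_proc.get("image", "?"), target_image=dst_image or "?",
            write_count=writes[(src, dst)],
            target_is_child=dst_proc.get("ppid") == src,
            target_is_known_host=image_name(dst_image) in KNOWN_HOLLOW_HOSTS,
            target_launched_bare=bool(dst_image) and launched_without_arguments(dst_image, dst_proc.get("cmdline", "")),
            post_injection_probe_keys=sorted(set(probe_keys)),
        ))
    return findings


def describe(f: InjectionFinding) -> str:
    """One triage line per finding."""
    return (f"[{f.severity()}] PID {f.injector_pid} ({image_name(f.injector_image)}) wrote "
            f"{f.write_count}x into PID {f.target_pid} ({image_name(f.target_image)}) and set its "
            f"thread context; VM probes after injection: {f.post_injection_probe_keys or 'none'}")


if __name__ == "__main__":
    for finding in find_process_injection(EVENTS):
        print(describe(finding))
```

Run as-is it emits one high-severity line for PID 1000 into PID 2224. A SetThreadContext with no preceding write (a debugger attaching) or writes with no context change (ordinary IPC or a crash reporter reading a process) produce no finding, which keeps the rule quiet on the WerFault.exe activity the report also records.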
Processes
- C:\Users\Admin\AppData\Local\Temp\569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\569b86219cba20b0c5f808b76026a4fb5ab6dc80.exe"
  PID: 1000
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 1000)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2224
    - Checks SCSI registry key(s)
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 1000)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 256
    PID: 3828
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1000 -ip 1000
  PID: 2096