Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
16/09/2022, 04:49
General
-
Target
624a20698d87689fae6d81db2d3bce7932e6ef3e65aabbd7d98ff97e4f7ee70d.exe
-
Size
256KB
-
MD5
fd51cd7518ae01e52802694c6e8f5db9
-
SHA1
35008bd25ff1c9f6d433e931ebfb19cf55d2efd4
-
SHA256
624a20698d87689fae6d81db2d3bce7932e6ef3e65aabbd7d98ff97e4f7ee70d
-
SHA512
5ca39d6ad720f2967bf8c893812a65dcdb46f5d7b4dd6cb6074944cd5e3f2a783e35a0558e776536cd750b59f00f11d69607abf0bb22a730c6e865bb325c59db
-
SSDEEP
3072:LXMxCSz2xOeoTLS5E6UJmPeVbUPbvQkjTXMi0KuoITFPiM/h3BsxkgaBChULu:jWKRoTzJkwUTvDjTXMi027niga
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\624a20698d87689fae6d81db2d3bce7932e6ef3e65aabbd7d98ff97e4f7ee70d.exe"C:\Users\Admin\AppData\Local\Temp\624a20698d87689fae6d81db2d3bce7932e6ef3e65aabbd7d98ff97e4f7ee70d.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\3642.exeC:\Users\Admin\AppData\Local\Temp\3642.exe1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe"C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\5C59.exeC:\Users\Admin\AppData\Local\Temp\5C59.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5789598a08bc57fea514d9ffd8f072b71
SHA17fc3b548b599eca588b54a5d78378be24ba4fc91
SHA2566a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8
SHA5126bf941b0a72bd9d0ec56b834b9c090d9dbbb4f30e8e63a1d984638e6bfa391d49e99d69cb89ec4de564ed8222dc8ee22ca5708640a52e1e50b8ca1e0d36adf5b
-
Filesize
2.5MB
MD5789598a08bc57fea514d9ffd8f072b71
SHA17fc3b548b599eca588b54a5d78378be24ba4fc91
SHA2566a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8
SHA5126bf941b0a72bd9d0ec56b834b9c090d9dbbb4f30e8e63a1d984638e6bfa391d49e99d69cb89ec4de564ed8222dc8ee22ca5708640a52e1e50b8ca1e0d36adf5b
-
Filesize
5.1MB
MD5a9cc5d0e46269237dac25c47197ede31
SHA1bb7b724cbc05ef78bc56da3af2946aa90ed7630c
SHA256bbeb309a35a36cd351ea9fb7acf4ea8b16e1c692b1055e849efd57158d76033c
SHA5124c539338e85fa2cfd0460fec5e88d7c16e5a4fce4caffacdd408682542807c600b1a524f60a67fc7924207345100a332d063bc4d81f5fd4e9b6c2332eec86f6a
-
Filesize
5.1MB
MD5a9cc5d0e46269237dac25c47197ede31
SHA1bb7b724cbc05ef78bc56da3af2946aa90ed7630c
SHA256bbeb309a35a36cd351ea9fb7acf4ea8b16e1c692b1055e849efd57158d76033c
SHA5124c539338e85fa2cfd0460fec5e88d7c16e5a4fce4caffacdd408682542807c600b1a524f60a67fc7924207345100a332d063bc4d81f5fd4e9b6c2332eec86f6a
-
Filesize
320KB
MD5c94005d2dcd2a54e40510344e0bb9435
SHA155b4a1620c5d0113811242c20bd9870a1e31d542
SHA2563c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA5122e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
259B
MD5cf5c9379d49e8627b9adc7c902298212
SHA1f49d19ca9bc87c0bc3c85a3651716eb9a457bc7e
SHA2562e944bcfca261a5bc15f012077dc00837b81295f5c19ef8417ad6b65ebdabc71
SHA51264ef0c20d0e1b6afb9ca9b262397b03dd5051b54a76decaa088b3e932a6ad93a4f6045f3c9ee4c852d3302c374f42a6f7c481287d3507740ec37a09d512b0d6e
-
Filesize
3.6MB
MD5d3d39180e85700f72aaae25e40c125ff
SHA1f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA25638684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f
-
Filesize
109KB
MD5b2b27ccaded1db8ee341d5bd2c373044
SHA11d0f9ca17c0961eeabffc2ba54e16854a13c8a9d
SHA256e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911
SHA5120987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1
-
Filesize
109KB
MD5b2b27ccaded1db8ee341d5bd2c373044
SHA11d0f9ca17c0961eeabffc2ba54e16854a13c8a9d
SHA256e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911
SHA5120987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1
-
Filesize
921B
MD5874c5276a1fc02b5c6d8de8a84840b39
SHA114534f690a2bd59c9dffa2e0ec6d8d7bf6d7d532
SHA25665f069cb4c4cb4986a5b175ac24d6db46ac443372afc59ce8d17e4a8aa4a5ee2
SHA512eb5bfe008f98abb855d2f5eee8f31e14c864af05561b7c31f2f454ca8e91518fa091c0bf6b2432a27ca3a4be1a1edd1ce1ec5f60ac37e25a873a9c0211bdb498
-
Filesize
32KB
MD534dfb87e4200d852d1fb45dc48f93cfc
SHA135b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA2562d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2
-
Filesize
18KB
MD5104b30fef04433a2d2fd1d5f99f179fe
SHA1ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA5125efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f
-
Filesize
320KB
MD5c94005d2dcd2a54e40510344e0bb9435
SHA155b4a1620c5d0113811242c20bd9870a1e31d542
SHA2563c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA5122e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a
-
Filesize
18KB
MD5104b30fef04433a2d2fd1d5f99f179fe
SHA1ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA5125efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f
-
Filesize
3.6MB
MD5d3d39180e85700f72aaae25e40c125ff
SHA1f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA25638684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
32KB
MD534dfb87e4200d852d1fb45dc48f93cfc
SHA135b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA2562d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
280KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
280KB
-
Filesize
1.3MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
18.6MB
-
Filesize
18.6MB
-
Filesize
18.6MB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB