Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-10-2022 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    597KB

  • MD5

    adf266d3870069d9c6ec30091d347f68

  • SHA1

    dc27468702ccd3139f773c72ba64d38d8a50ff07

  • SHA256

    dd44612801b32da18885221e9211c565eecceeef71217b5b9858b839d6f8dc0d

  • SHA512

    cf57167932dde49b92cfcb72ee84dca1df51fe66d2ca2d832488bb4d410fd1f5ed9e0e8755a8fd5de41bb96f0e40fce35fa6c678ff4c794b7077026441ba26cd

  • SSDEEP

    6144:xSyBmqk0G78MNNhrXN8d9sx40RZGI8i6e6jherVXLw1Ig:xSycICXhrMWx/4Iae6VkXUWg

Score
10/10
asyncratsmokeloaderbackdoorcollectionpersistencerattrojan

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Detects Smokeloader packer 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bmomsm.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4680
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bmomsm.exe"'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1412
          • C:\Users\Admin\AppData\Local\Temp\bmomsm.exe
            "C:\Users\Admin\AppData\Local\Temp\bmomsm.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3888
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3440
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              6⤵
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              PID:3884
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    • Accesses Microsoft Outlook profiles
    • outlook_office_path
    • outlook_win_path
    PID:4924
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
      PID:4028

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      1KB

      MD5

      def65711d78669d7f8e69313be4acf2e

      SHA1

      6522ebf1de09eeb981e270bd95114bc69a49cda6

      SHA256

      aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

      SHA512

      05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      15KB

      MD5

      119f870c8094dd187c3eaaecc44b1d74

      SHA1

      55a09a38679f12ddd4b46964cbfd7ef88eee3a7e

      SHA256

      cfb257a829fad79a59c4149ec11b41c73c93da409f89f60d19a031f14fe926c7

      SHA512

      4a2a6e57b5b674783207a47a3935c6bbdfac19338b18a1f9031e2f577243bbfc3c840f3c221ebdf9a4f170888df2fe90e17d4cfdfea61232f2b0e4fa4e156fdc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\bmomsm.exe
      Filesize

      2.3MB

      MD5

      a08e5952ddaaabe4b7deaf30e3e522d3

      SHA1

      d111978b9e2ea04f53ce48a36a4fde0e0e900ba3

      SHA256

      52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f

      SHA512

      2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\bmomsm.exe
      Filesize

      2.3MB

      MD5

      a08e5952ddaaabe4b7deaf30e3e522d3

      SHA1

      d111978b9e2ea04f53ce48a36a4fde0e0e900ba3

      SHA256

      52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f

      SHA512

      2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

      Download Submit
    • memory/1412-150-0x0000000006D40000-0x0000000006D5A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1412-151-0x0000000006D90000-0x0000000006DB2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1412-145-0x0000000005D80000-0x00000000063A8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1412-149-0x0000000006DC0000-0x0000000006E56000-memory.dmp
      Filesize

      600KB

      Download
    • memory/1412-148-0x0000000006770000-0x000000000678E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1412-147-0x0000000005B40000-0x0000000005BA6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1412-146-0x00000000059A0000-0x00000000059C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1412-143-0x0000000000000000-mapping.dmp
      Download
    • memory/1412-144-0x0000000002F30000-0x0000000002F66000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3004-183-0x00000000027F0000-0x0000000002800000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-192-0x0000000002720000-0x0000000002730000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-201-0x00000000026D0000-0x00000000026E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-200-0x0000000002970000-0x0000000002980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-199-0x00000000026D0000-0x00000000026E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-198-0x00000000026E0000-0x00000000026F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-197-0x0000000002970000-0x0000000002980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-177-0x00000000027F0000-0x0000000002800000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-196-0x00000000026C0000-0x00000000026D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-173-0x00000000027F0000-0x0000000002800000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-195-0x0000000002970000-0x0000000002980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-194-0x0000000002720000-0x0000000002730000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-172-0x0000000002970000-0x0000000002980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-181-0x00000000027F0000-0x0000000002800000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-193-0x0000000002720000-0x0000000002730000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-175-0x00000000027F0000-0x0000000002800000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-191-0x0000000002720000-0x0000000002730000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-190-0x0000000002720000-0x0000000002730000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-189-0x0000000002970000-0x0000000002980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-188-0x0000000002970000-0x0000000002980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-187-0x0000000002970000-0x0000000002980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-185-0x0000000002720000-0x0000000002730000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-186-0x0000000002970000-0x0000000002980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-184-0x0000000002970000-0x0000000002980000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3004-182-0x00000000027F0000-0x0000000002800000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3044-132-0x0000000000040000-0x00000000000DC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3044-133-0x0000000005070000-0x0000000005614000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3044-134-0x0000000004AC0000-0x0000000004B52000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3044-135-0x0000000004A70000-0x0000000004A7A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3044-136-0x00000000373E0000-0x0000000037446000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3440-160-0x00000000070D0000-0x0000000007102000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3440-156-0x0000000000000000-mapping.dmp
      Download
    • memory/3440-159-0x0000000007820000-0x0000000007E9A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3440-161-0x000000006F400000-0x000000006F44C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3440-162-0x00000000064C0000-0x00000000064DE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3440-163-0x0000000007280000-0x000000000728A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3440-164-0x0000000007430000-0x000000000743E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3440-165-0x00000000074A0000-0x00000000074BA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3440-166-0x0000000007480000-0x0000000007488000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3884-168-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/3884-167-0x0000000000000000-mapping.dmp
      Download
    • memory/3884-169-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/3884-170-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/3888-153-0x0000000000000000-mapping.dmp
      Download
    • memory/3888-155-0x0000000000AE0000-0x0000000000D36000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4028-180-0x00000000003F0000-0x00000000003FC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/4028-178-0x0000000000000000-mapping.dmp
      Download
    • memory/4680-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4856-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4856-138-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4856-139-0x00000000052D0000-0x000000000536C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4856-140-0x00000000064D0000-0x0000000006546000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4856-141-0x0000000006490000-0x00000000064AE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4924-174-0x0000000001150000-0x00000000011C5000-memory.dmp
      Filesize

      468KB

      Download
    • memory/4924-176-0x00000000010E0000-0x000000000114B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/4924-179-0x00000000010E0000-0x000000000114B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/4924-171-0x0000000000000000-mapping.dmp
      Download