Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
10/10/2022, 17:59
General
-
Target
2e42b0bed4d0228cde60b27436b54eef.exe
-
Size
275KB
-
MD5
2e42b0bed4d0228cde60b27436b54eef
-
SHA1
0ad015065304467a659575eca8e322485982eda2
-
SHA256
7e24caf0355d2816bec83ce942643a52213d676f5ebf03f2ff40d46c2af8ce21
-
SHA512
1519f668f81b7fc412e29c0726b7c46a216dc8adb64117eb7533d8e0cc2e676a2510965d022e255384cf54d5b6c0f33c33ca0e38fef255bf5d21228f64300e27
-
SSDEEP
3072:uXrN9JMhlH3THrjUggq5fbn8+F2XNrEuZ29rBFrDv2i2bC0QhOM/h3qpZa9uD6Vq:2Z9JMTHbEYbnOXWNzr7HHhOrwVfquS
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 11 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e42b0bed4d0228cde60b27436b54eef.exe"C:\Users\Admin\AppData\Local\Temp\2e42b0bed4d0228cde60b27436b54eef.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\FF92.exeC:\Users\Admin\AppData\Local\Temp\FF92.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 18562⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\2089.exeC:\Users\Admin\AppData\Local\Temp\2089.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2647.exeC:\Users\Admin\AppData\Local\Temp\2647.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2ACC.exeC:\Users\Admin\AppData\Local\Temp\2ACC.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1988 -ip 19881⤵
-
C:\Users\Admin\AppData\Local\Temp\3A4E.exeC:\Users\Admin\AppData\Local\Temp\3A4E.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exe"C:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN wfyoot.exe /TR "C:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exe" /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 8962⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\4413.exeC:\Users\Admin\AppData\Local\Temp\4413.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1716 -ip 17161⤵
-
C:\Users\Admin\AppData\Local\Temp\4A1F.exeC:\Users\Admin\AppData\Local\Temp\4A1F.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\jtbtwhvC:\Users\Admin\AppData\Roaming\jtbtwhv1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exeC:\Users\Admin\AppData\Local\Temp\0fd408e638\wfyoot.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 3162⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4568 -ip 45681⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
324KB
MD56936c8f6779f32cd60bf3b635107307d
SHA169ead13e469b06d8b1aac9eecb14a6e56613648a
SHA2565f433b6cef3cbf82c18ab9631e5c1b4c0896664ba107c234aeccf79ab419b9b4
SHA5124f6bd6afa4636a12f54e461cf60e1b3fc2ab457c1bdb510d36d6680ff2de6cd73242b34d865256950da1de4fe71fd398979b5f895093a1e96c7e3bdd87ee07b1
-
Filesize
324KB
MD56936c8f6779f32cd60bf3b635107307d
SHA169ead13e469b06d8b1aac9eecb14a6e56613648a
SHA2565f433b6cef3cbf82c18ab9631e5c1b4c0896664ba107c234aeccf79ab419b9b4
SHA5124f6bd6afa4636a12f54e461cf60e1b3fc2ab457c1bdb510d36d6680ff2de6cd73242b34d865256950da1de4fe71fd398979b5f895093a1e96c7e3bdd87ee07b1
-
Filesize
324KB
MD56936c8f6779f32cd60bf3b635107307d
SHA169ead13e469b06d8b1aac9eecb14a6e56613648a
SHA2565f433b6cef3cbf82c18ab9631e5c1b4c0896664ba107c234aeccf79ab419b9b4
SHA5124f6bd6afa4636a12f54e461cf60e1b3fc2ab457c1bdb510d36d6680ff2de6cd73242b34d865256950da1de4fe71fd398979b5f895093a1e96c7e3bdd87ee07b1
-
Filesize
720KB
MD5b637a1732d44cad9c877a10707d26528
SHA19c4163e9d319564b50131f51475baa86c83f8b34
SHA256ac6552f97c938cf1d32f0b06857f89e285e7d261a11855950bb62b642be65b37
SHA512a11102b1e8830e7c4d8d4b879a465f0f14e5d5b97749b843508abd99f1714a468d260b959a785515881e793a3832e9a5501209fcaa8215c5447e2700405c52b6
-
Filesize
720KB
MD5b637a1732d44cad9c877a10707d26528
SHA19c4163e9d319564b50131f51475baa86c83f8b34
SHA256ac6552f97c938cf1d32f0b06857f89e285e7d261a11855950bb62b642be65b37
SHA512a11102b1e8830e7c4d8d4b879a465f0f14e5d5b97749b843508abd99f1714a468d260b959a785515881e793a3832e9a5501209fcaa8215c5447e2700405c52b6
-
Filesize
783KB
MD5d25caf342644a7a9653465b933cd07d7
SHA1cdf0df62a942101c883265eedeae97310cd8c9ed
SHA2569862e86cb6b2ee8c93d6ad9697a8242c10d43e61354e79659eacc5406e59ce57
SHA512807a2e8aeff934dd3719a421379d6e6fda9546e65d3b41852d85c63f8edea90b4455a3102d179b52e81dbf717e4c17044fde2c513e2984164b5243aa17cc55e0
-
Filesize
783KB
MD5d25caf342644a7a9653465b933cd07d7
SHA1cdf0df62a942101c883265eedeae97310cd8c9ed
SHA2569862e86cb6b2ee8c93d6ad9697a8242c10d43e61354e79659eacc5406e59ce57
SHA512807a2e8aeff934dd3719a421379d6e6fda9546e65d3b41852d85c63f8edea90b4455a3102d179b52e81dbf717e4c17044fde2c513e2984164b5243aa17cc55e0
-
Filesize
720KB
MD54db6298298391f1c8d358622bc57e7b8
SHA1ac9cb8990e928df59056dfaf054f414b10134422
SHA256ec14da0d097482515910a8c92dd9759b290b5323924c5e18a412e9161e8718a9
SHA512b7a1b56388c9cc6fb2f1033c4bef9cd8b46f2122ed68eeda8f9e87e94f823b1e409adb4bbfbf80c98e2435ba2c05523c2673142e543e58a26b936ecd008607c7
-
Filesize
720KB
MD54db6298298391f1c8d358622bc57e7b8
SHA1ac9cb8990e928df59056dfaf054f414b10134422
SHA256ec14da0d097482515910a8c92dd9759b290b5323924c5e18a412e9161e8718a9
SHA512b7a1b56388c9cc6fb2f1033c4bef9cd8b46f2122ed68eeda8f9e87e94f823b1e409adb4bbfbf80c98e2435ba2c05523c2673142e543e58a26b936ecd008607c7
-
Filesize
324KB
MD56936c8f6779f32cd60bf3b635107307d
SHA169ead13e469b06d8b1aac9eecb14a6e56613648a
SHA2565f433b6cef3cbf82c18ab9631e5c1b4c0896664ba107c234aeccf79ab419b9b4
SHA5124f6bd6afa4636a12f54e461cf60e1b3fc2ab457c1bdb510d36d6680ff2de6cd73242b34d865256950da1de4fe71fd398979b5f895093a1e96c7e3bdd87ee07b1
-
Filesize
324KB
MD56936c8f6779f32cd60bf3b635107307d
SHA169ead13e469b06d8b1aac9eecb14a6e56613648a
SHA2565f433b6cef3cbf82c18ab9631e5c1b4c0896664ba107c234aeccf79ab419b9b4
SHA5124f6bd6afa4636a12f54e461cf60e1b3fc2ab457c1bdb510d36d6680ff2de6cd73242b34d865256950da1de4fe71fd398979b5f895093a1e96c7e3bdd87ee07b1
-
Filesize
720KB
MD576f49e4c7c466ca27af9420399608af5
SHA10d61a9e9cecae0b259fec2aac1a89938fe5265d9
SHA256579392006c5a06592ed6d56e0593e8c272b704c0849ecf6d8f1502ea02c75435
SHA5121dee0a768259f168d5d71f296c2ecbf1068c59d56be24a5b48f40d26c5cb5114cce2ccd76a3147b5d89ebdfde3331696be58f828eb4ba6ee581efce95aff1a3d
-
Filesize
720KB
MD576f49e4c7c466ca27af9420399608af5
SHA10d61a9e9cecae0b259fec2aac1a89938fe5265d9
SHA256579392006c5a06592ed6d56e0593e8c272b704c0849ecf6d8f1502ea02c75435
SHA5121dee0a768259f168d5d71f296c2ecbf1068c59d56be24a5b48f40d26c5cb5114cce2ccd76a3147b5d89ebdfde3331696be58f828eb4ba6ee581efce95aff1a3d
-
Filesize
272KB
MD5762d276b402209a5ce78d9a9258f1bd3
SHA1b09930f39b658639f06c83a6111be4c93ef712f8
SHA25682361af8f5303de90ff5757d8dbba87b8fc00fc0ea7b6fb922517c8078e71bdb
SHA512652df0eb36b4ab353aa1e932051a7ef299527bc985ddea7b7598f5845edaed16e111b1b27b01eee9078d56faefb6111155acd571cf397cf307d502cb2dd2846f
-
Filesize
421KB
MD5331e9467ace2c12e1142a7af3861be0a
SHA1d148319627a24bef5de80ee1dc8d805b7322db64
SHA2562c8158054be8f59049ffba2ef8555dbe76812ddef3628dc9e06491ee982f1c61
SHA51219c8c715d50771737803da03ed97a487012aa1586e68f51db3c437adbc8c69721400ab32b1ecedce05d53ffd7467d9f7cae054e3b763dde7f475155a6678b589
-
Filesize
421KB
MD5331e9467ace2c12e1142a7af3861be0a
SHA1d148319627a24bef5de80ee1dc8d805b7322db64
SHA2562c8158054be8f59049ffba2ef8555dbe76812ddef3628dc9e06491ee982f1c61
SHA51219c8c715d50771737803da03ed97a487012aa1586e68f51db3c437adbc8c69721400ab32b1ecedce05d53ffd7467d9f7cae054e3b763dde7f475155a6678b589
-
Filesize
95.4MB
MD53ba1e949d622284230abf7fdb4d7d3e1
SHA1d9e80ea034b53482f0596fcab723dd3b8adc6204
SHA25607446168848004f6f0ad35c4e838f01a33ec7b6c66d7745fb394eae2eb4747db
SHA512a94290e7ac232a2edc8750d4a45c18887c3996dabc55a4727d0d271321770ff355d810baa49f13bc946c68966d6342aeedda459f979a4b80ff385edcfdb5eb8d
-
Filesize
95.4MB
MD53ba1e949d622284230abf7fdb4d7d3e1
SHA1d9e80ea034b53482f0596fcab723dd3b8adc6204
SHA25607446168848004f6f0ad35c4e838f01a33ec7b6c66d7745fb394eae2eb4747db
SHA512a94290e7ac232a2edc8750d4a45c18887c3996dabc55a4727d0d271321770ff355d810baa49f13bc946c68966d6342aeedda459f979a4b80ff385edcfdb5eb8d
-
Filesize
275KB
MD52e42b0bed4d0228cde60b27436b54eef
SHA10ad015065304467a659575eca8e322485982eda2
SHA2567e24caf0355d2816bec83ce942643a52213d676f5ebf03f2ff40d46c2af8ce21
SHA5121519f668f81b7fc412e29c0726b7c46a216dc8adb64117eb7533d8e0cc2e676a2510965d022e255384cf54d5b6c0f33c33ca0e38fef255bf5d21228f64300e27
-
Filesize
275KB
MD52e42b0bed4d0228cde60b27436b54eef
SHA10ad015065304467a659575eca8e322485982eda2
SHA2567e24caf0355d2816bec83ce942643a52213d676f5ebf03f2ff40d46c2af8ce21
SHA5121519f668f81b7fc412e29c0726b7c46a216dc8adb64117eb7533d8e0cc2e676a2510965d022e255384cf54d5b6c0f33c33ca0e38fef255bf5d21228f64300e27
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
116KB
-
Filesize
348KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
348KB
-
Filesize
112KB
-
Filesize
220KB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
436KB
-
Filesize
220KB
-
Filesize
240KB
-
Filesize
120KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
1.0MB
-
Filesize
220KB
-
Filesize
1.8MB
-
Filesize
356KB
-
Filesize
436KB
-
Filesize
5.6MB
-
Filesize
472KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
116KB
-
Filesize
348KB
-
Filesize
296KB
-
Filesize
1024KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB