Overview

overview

10

Static

static

10

747400b85e...4e.exe

windows7-x64

10

747400b85e...4e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    24-10-2022 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    747400b85ea1a32f41016b22496ca24e.exe

  • Size

    258KB

  • MD5

    747400b85ea1a32f41016b22496ca24e

  • SHA1

    9c4dce7638007955d9d259e7f11f3c1f237b1ce7

  • SHA256

    dc48e95839bcfd343c62e0a574a94e9640b8463e9c5c29bf04e7423135307994

  • SHA512

    aa97d2d29c97b17005e48ae540a74d127e568cbcaea514352dd5aa84c5c434aebc23ef4dd31bd890ceb617d49a60d4f15200a774ec23a211b68642759b333024

  • SSDEEP

    6144:k9b3LPLnIJ1GTXZQOz1nJjVgmxaOAxyc9:S3zcfG9pQm0xyY

Score
10/10
neshtasmokeloaderbackdoorpersistencespywarestealertrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\747400b85ea1a32f41016b22496ca24e.exe
    "C:\Users\Admin\AppData\Local\Temp\747400b85ea1a32f41016b22496ca24e.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Users\Admin\AppData\Local\Temp\3582-490\747400b85ea1a32f41016b22496ca24e.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\747400b85ea1a32f41016b22496ca24e.exe"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\747400b85ea1a32f41016b22496ca24e.exe
    Filesize

    217KB

    MD5

    6903b880b28cdbb6ebe035f688cbbf91

    SHA1

    0284b6258ce09bf173427bebdfca62f47536e39f

    SHA256

    60ee5a863af6fe7be9f2ed1e647b47aff63ce373103ed3f450778d6a70126824

    SHA512

    99309e4ce5a11e9042b40a670cbae122eb1a719ec14b9e284583025e3cddae460c32c6e223eda864b46af43380960781f360a51dafab9591deac01e900fdd433

    Download Submit
  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit
  • \Users\Admin\AppData\Local\Temp\3582-490\747400b85ea1a32f41016b22496ca24e.exe
    Filesize

    217KB

    MD5

    6903b880b28cdbb6ebe035f688cbbf91

    SHA1

    0284b6258ce09bf173427bebdfca62f47536e39f

    SHA256

    60ee5a863af6fe7be9f2ed1e647b47aff63ce373103ed3f450778d6a70126824

    SHA512

    99309e4ce5a11e9042b40a670cbae122eb1a719ec14b9e284583025e3cddae460c32c6e223eda864b46af43380960781f360a51dafab9591deac01e900fdd433

    Download Submit
  • \Users\Admin\AppData\Local\Temp\3582-490\747400b85ea1a32f41016b22496ca24e.exe
    Filesize

    217KB

    MD5

    6903b880b28cdbb6ebe035f688cbbf91

    SHA1

    0284b6258ce09bf173427bebdfca62f47536e39f

    SHA256

    60ee5a863af6fe7be9f2ed1e647b47aff63ce373103ed3f450778d6a70126824

    SHA512

    99309e4ce5a11e9042b40a670cbae122eb1a719ec14b9e284583025e3cddae460c32c6e223eda864b46af43380960781f360a51dafab9591deac01e900fdd433

    Download Submit
  • memory/1316-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1316-60-0x00000000006D8000-0x00000000006E9000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1316-62-0x00000000006D8000-0x00000000006E9000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1316-63-0x0000000000220000-0x0000000000229000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1316-64-0x0000000000400000-0x0000000000594000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1316-65-0x0000000000400000-0x0000000000594000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp
    Filesize

    8KB

    Download