Analysis
Max time kernel: 150s
Max time network: 47s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 24-10-2022 15:06
Behavioral task: behavioral1
Sample: 747400b85ea1a32f41016b22496ca24e.exe
Resource: win7-20220901-en
General
Target: 747400b85ea1a32f41016b22496ca24e.exe
Size: 258KB
MD5: 747400b85ea1a32f41016b22496ca24e
SHA1: 9c4dce7638007955d9d259e7f11f3c1f237b1ce7
SHA256: dc48e95839bcfd343c62e0a574a94e9640b8463e9c5c29bf04e7423135307994
SHA512: aa97d2d29c97b17005e48ae540a74d127e568cbcaea514352dd5aa84c5c434aebc23ef4dd31bd890ceb617d49a60d4f15200a774ec23a211b68642759b333024
SSDEEP: 6144:k9b3LPLnIJ1GTXZQOz1nJjVgmxaOAxyc9:S3zcfG9pQm0xyY
Malware Config
Signatures
- Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/1316-63-0x0000000000220000-0x0000000000229000-memory.dmp
  yara_rule: family_smokeloader
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  process: 747400b85ea1a32f41016b22496ca24e.exe
  ioc: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Neshta
  Malware of the Neshta family infects other files with copies of itself in order to spread and cause damage.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Executes dropped EXE (1 IoC)
  pid 1316: 747400b85ea1a32f41016b22496ca24e.exe
- Loads dropped DLL (3 IoCs)
  pid 1768: 747400b85ea1a32f41016b22496ca24e.exe (three entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops file in Program Files directory (64 IoCs: "File opened for modification" entries for executables under C:\PROGRA~2 and C:\PROGRA~3, all by 747400b85ea1a32f41016b22496ca24e.exe)
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\svchost.com (by 747400b85ea1a32f41016b22496ca24e.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (747400b85ea1a32f41016b22496ca24e.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (747400b85ea1a32f41016b22496ca24e.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (747400b85ea1a32f41016b22496ca24e.exe)
- Modifies registry class (1 IoC)
  process: 747400b85ea1a32f41016b22496ca24e.exe
  ioc: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1316: 747400b85ea1a32f41016b22496ca24e.exe (two entries)
  pid 1204: process name not recorded (all remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1204: process name not recorded
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1316: 747400b85ea1a32f41016b22496ca24e.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1768 (747400b85ea1a32f41016b22496ca24e.exe) wrote to memory of PID 1316 (747400b85ea1a32f41016b22496ca24e.exe), four entries
Processes
- C:\Users\Admin\AppData\Local\Temp\747400b85ea1a32f41016b22496ca24e.exe (PID 1768)
  Command line: "C:\Users\Admin\AppData\Local\Temp\747400b85ea1a32f41016b22496ca24e.exe"
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\3582-490\747400b85ea1a32f41016b22496ca24e.exe (PID 1316)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\747400b85ea1a32f41016b22496ca24e.exe"
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\747400b85ea1a32f41016b22496ca24e.exe
  Filesize: 217KB
  MD5: 6903b880b28cdbb6ebe035f688cbbf91
  SHA1: 0284b6258ce09bf173427bebdfca62f47536e39f
  SHA256: 60ee5a863af6fe7be9f2ed1e647b47aff63ce373103ed3f450778d6a70126824
  SHA512: 99309e4ce5a11e9042b40a670cbae122eb1a719ec14b9e284583025e3cddae460c32c6e223eda864b46af43380960781f360a51dafab9591deac01e900fdd433
- \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  Filesize: 252KB
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
- memory/1316-57-0x0000000000000000-mapping.dmp
- memory/1316-60-0x00000000006D8000-0x00000000006E9000-memory.dmp (Filesize: 68KB)
- memory/1316-62-0x00000000006D8000-0x00000000006E9000-memory.dmp (Filesize: 68KB)
- memory/1316-63-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)
- memory/1316-64-0x0000000000400000-0x0000000000594000-memory.dmp (Filesize: 1.6MB)
- memory/1316-65-0x0000000000400000-0x0000000000594000-memory.dmp (Filesize: 1.6MB)
- memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp (Filesize: 8KB)