Analysis
-
max time kernel
141s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
31-10-2022 19:20
General
-
Target
d5241af9dd7e7fe48fc043b520f3366a806269d869d9add684bcb37d2582b1ad.exe
-
Size
209KB
-
MD5
0429ffc783c6c4e2897966e485bdf9a3
-
SHA1
04aa9bb13bbd3f47b37ad38cdf289ab1127d1323
-
SHA256
d5241af9dd7e7fe48fc043b520f3366a806269d869d9add684bcb37d2582b1ad
-
SHA512
995b9d0c69607f12490f5ea23a863c303a87cbb4bab9bbe3326f7f1e0cd10c797e9fd825ef4d6b5c23924427286142ce94198b8fd0e3b397168af875d24eca07
-
SSDEEP
3072:C/OIaP6Z+NuX0LhfWcq5zNm6Ao7Ex5D+XjhumpktHm5I2txtfsXx:C/E6wNukLhfUNDAo7EmzkmpWHMpvtk
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 27 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d5241af9dd7e7fe48fc043b520f3366a806269d869d9add684bcb37d2582b1ad.exe"C:\Users\Admin\AppData\Local\Temp\d5241af9dd7e7fe48fc043b520f3366a806269d869d9add684bcb37d2582b1ad.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C033.exeC:\Users\Admin\AppData\Local\Temp\C033.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 9242⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 9922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 11442⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 11242⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 11402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 11442⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 10002⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\C033.exe"C:\Users\Admin\AppData\Local\Temp\C033.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 6003⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 9963⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 9923⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 10963⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 11283⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 11363⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 10043⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\C033.exe"C:\Users\Admin\AppData\Local\Temp\C033.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 6084⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 9964⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 10044⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 10044⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 10644⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 11084⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 11284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 10804⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\C033.exe"C:\Users\Admin\AppData\Local\Temp\C033.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 6005⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 9844⤵
- Program crash
-
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start4⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 9843⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 10682⤵
- Program crash
-
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 13162⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4868 -ip 48681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4868 -ip 48681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4868 -ip 48681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4868 -ip 48681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4868 -ip 48681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4868 -ip 48681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4868 -ip 48681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4868 -ip 48681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1512 -ip 15121⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.1MB
MD5be5a8b97d052c3b1948bc79b8eeb7fa7
SHA10d4ace733fa6277b66e22d895c394a61dbc7531e
SHA256dab2b4dd7e40fcb026d0815a5fd4fcf94e3b47dada1c0be92cd893d9cd4b833c
SHA5125c359568a6ca293a4d90cb7f060dfd70feb4de08360f13964bb35fc3a8f51383800ab84aeadaea6f93c45f00973a815c47cabfbc07cbd741c04af0f130677b7b
-
Filesize
6.1MB
MD5be5a8b97d052c3b1948bc79b8eeb7fa7
SHA10d4ace733fa6277b66e22d895c394a61dbc7531e
SHA256dab2b4dd7e40fcb026d0815a5fd4fcf94e3b47dada1c0be92cd893d9cd4b833c
SHA5125c359568a6ca293a4d90cb7f060dfd70feb4de08360f13964bb35fc3a8f51383800ab84aeadaea6f93c45f00973a815c47cabfbc07cbd741c04af0f130677b7b
-
Filesize
6.1MB
MD5be5a8b97d052c3b1948bc79b8eeb7fa7
SHA10d4ace733fa6277b66e22d895c394a61dbc7531e
SHA256dab2b4dd7e40fcb026d0815a5fd4fcf94e3b47dada1c0be92cd893d9cd4b833c
SHA5125c359568a6ca293a4d90cb7f060dfd70feb4de08360f13964bb35fc3a8f51383800ab84aeadaea6f93c45f00973a815c47cabfbc07cbd741c04af0f130677b7b
-
Filesize
6.1MB
MD5be5a8b97d052c3b1948bc79b8eeb7fa7
SHA10d4ace733fa6277b66e22d895c394a61dbc7531e
SHA256dab2b4dd7e40fcb026d0815a5fd4fcf94e3b47dada1c0be92cd893d9cd4b833c
SHA5125c359568a6ca293a4d90cb7f060dfd70feb4de08360f13964bb35fc3a8f51383800ab84aeadaea6f93c45f00973a815c47cabfbc07cbd741c04af0f130677b7b
-
Filesize
1.5MB
MD5e74dcf46ba9020ef7a60970199f43bcd
SHA11b845051223385da27b116849f2aed1255e64ac3
SHA2563814674d5e44fbbade9df5469974c8df4940c6ffa392c55382de0965cac3e332
SHA5129fcaeb0797f39023bc45849c672a93de66749bcd9e6dc065809900c24797ddeee1208d0d94064b20a8d0c254a09fcfd5c8e862e1ae45b27c6fd2019147ce6798
-
Filesize
3.2MB
MD5ac6e0568c63f76df2bfd34c0467c7e6e
SHA16ed9fed7e268f5f0da3b8c8578f1f7a27160c3f3
SHA256e657e9b3be98017b27c5a99be3d2b2c287b7a40742669ba1ca95a987e4a91f9d
SHA51216ffed40ad84e9ef3dba5d9a45d90583e838b339efc4755277d4554892bd8a43983d2b8006b7cb91a8a6e86555d3380de4b5686018769629ac0bb741653496c7
-
Filesize
3.2MB
MD5ac6e0568c63f76df2bfd34c0467c7e6e
SHA16ed9fed7e268f5f0da3b8c8578f1f7a27160c3f3
SHA256e657e9b3be98017b27c5a99be3d2b2c287b7a40742669ba1ca95a987e4a91f9d
SHA51216ffed40ad84e9ef3dba5d9a45d90583e838b339efc4755277d4554892bd8a43983d2b8006b7cb91a8a6e86555d3380de4b5686018769629ac0bb741653496c7
-
Filesize
3.2MB
MD5ac6e0568c63f76df2bfd34c0467c7e6e
SHA16ed9fed7e268f5f0da3b8c8578f1f7a27160c3f3
SHA256e657e9b3be98017b27c5a99be3d2b2c287b7a40742669ba1ca95a987e4a91f9d
SHA51216ffed40ad84e9ef3dba5d9a45d90583e838b339efc4755277d4554892bd8a43983d2b8006b7cb91a8a6e86555d3380de4b5686018769629ac0bb741653496c7
-
Filesize
1.6MB
MD50b4e72c2c2673836f55be4807319fb7d
SHA14af8a882505bfb3ce2e1032a3820c2fa25c75550
SHA25665429c8a7606d2b5909b0091dbe8ed6c132008371738ec1a77a9dd02be5fc55c
SHA512e0749538e57fd1be684504127006fb63c766e9112ac6bfeb22f6774e7e4c30c406c4b7cd09b0beee43c1f85caee6515da2fa0c5a9e9672823a5d3af9633ec870
-
Filesize
1.1MB
MD5961a6036520b86b65e40d2ef147a3fd2
SHA127d532eccce6af9b89ad6b5def367f3f83cd0bf4
SHA256e476755a9fb86cc44735c9e213726c3ae61147fbdf4c71057c6cf63c17903595
SHA512639d64795a000817cc83ec60e472678706f4e4c5834e3469d235f829de6a3148d67eb2337aa63e4b22f35cfd67595c4a52b63cc64803a4ff1f1584958e831fc2
-
-
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
7.4MB
-
-
Filesize
5.9MB
-
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
1.6MB
-
Filesize
6.1MB
-
Filesize
7.4MB
-
Filesize
6.1MB
-
Filesize
7.4MB
-
Filesize
5.9MB
-
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
5.9MB
-