Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2022, 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    186KB

  • MD5

    212889c268e37fdf0052b3ec0e6dd6fe

  • SHA1

    78037cf5caa71fb7ab0f9fa44b22dc988cfab2c0

  • SHA256

    438aa9cc91d13dfa86644426b8f90be7f3302bbdbb70fcd71b3ede8c5ff9e464

  • SHA512

    549c9adc2d0346162854d34aeea5d55490e071e64705c8549f8e41a18af75502bbf913afb095240380e748fe67a906c82115948f924f0aa33e1b9f1899d878b4

  • SSDEEP

    3072:WkfRIWEJ/Fk2wLE4k3Vxj5RttJFtDQ5KMoupWGERWM:XfKwLE4iXbJFDhVGEg

Score
10/10
smokeloaderbackdoorcollectiondiscoveryspywarestealertrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 25 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4344
  • C:\Users\Admin\AppData\Local\Temp\F349.exe
    C:\Users\Admin\AppData\Local\Temp\F349.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp",Rrptfe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:100
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14177
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3716
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 536
      2⤵
      • Program crash
      PID:752
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 216 -ip 216
    1⤵
      PID:5072

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\F349.exe
      Filesize

      1.0MB

      MD5

      50dc29462e6fa8a11f318d807bf8e576

      SHA1

      f451955773ef0c5a2381aeb0dccfbc9d3ee85c7e

      SHA256

      3aad58d46fbe80b58a6d7eb22f1049c7c900a9764c36d3b10708dd8d536b6862

      SHA512

      0aa13299262046781208158e5b046e1df155e198927d2bb9fad5358e8255fc50dfc906c98f42c9d057c8078a1af91e088cab5e4920ea4b7478ccce19d7178a70

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\F349.exe
      Filesize

      1.0MB

      MD5

      50dc29462e6fa8a11f318d807bf8e576

      SHA1

      f451955773ef0c5a2381aeb0dccfbc9d3ee85c7e

      SHA256

      3aad58d46fbe80b58a6d7eb22f1049c7c900a9764c36d3b10708dd8d536b6862

      SHA512

      0aa13299262046781208158e5b046e1df155e198927d2bb9fad5358e8255fc50dfc906c98f42c9d057c8078a1af91e088cab5e4920ea4b7478ccce19d7178a70

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp
      Filesize

      774KB

      MD5

      d5e88f35e214f2dff51a7d494316bac2

      SHA1

      6306dfa71c4e32dede210631cf90732693c0afcf

      SHA256

      f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

      SHA512

      ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp
      Filesize

      774KB

      MD5

      d5e88f35e214f2dff51a7d494316bac2

      SHA1

      6306dfa71c4e32dede210631cf90732693c0afcf

      SHA256

      f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

      SHA512

      ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

      Download Submit

    • memory/100-151-0x0000000004A90000-0x0000000004BD0000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/100-153-0x0000000004A90000-0x0000000004BD0000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/100-158-0x0000000005330000-0x0000000005E91000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/100-152-0x0000000004A90000-0x0000000004BD0000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/100-150-0x0000000007070000-0x00000000071B0000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/100-149-0x0000000004A90000-0x0000000004BD0000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/100-148-0x0000000004A90000-0x0000000004BD0000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/100-147-0x0000000005330000-0x0000000005E91000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/100-146-0x0000000005330000-0x0000000005E91000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/216-144-0x00000000024A0000-0x00000000025C5000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/216-143-0x0000000002253000-0x0000000002335000-memory.dmp

      Filesize

      904KB

      Download

    • memory/216-145-0x0000000000400000-0x000000000071E000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3716-156-0x0000000000160000-0x00000000003F2000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/3716-155-0x0000012CCFED0000-0x0000012CD0010000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3716-157-0x0000012CCFED0000-0x0000012CD0010000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3716-159-0x0000012CCE480000-0x0000012CCE724000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/4344-135-0x0000000000400000-0x000000000064C000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/4344-133-0x0000000000650000-0x0000000000750000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4344-134-0x0000000002380000-0x0000000002389000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4344-136-0x0000000000400000-0x000000000064C000-memory.dmp

      Filesize

      2.3MB

      Download