Analysis
-
max time kernel
154s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
30-11-2022 01:12
General
-
Target
e5f9a09271a50978fbe49763e8cb281930e5df2ab2aa87b94f02f4f97d95e8a4.exe
-
Size
139KB
-
MD5
892e33553e7bb81db9cf7a6f6c903a4a
-
SHA1
c7b0ec940666b9bf794f044b1213be5c8eaef745
-
SHA256
e5f9a09271a50978fbe49763e8cb281930e5df2ab2aa87b94f02f4f97d95e8a4
-
SHA512
f4c10e45cf4c479bd7e888bfc5e8d4166d5efa6174b85abae992a5009ab7370b950bf9453449685c50cc36a5ac554630a138a95e7dcea2d35f2f9888f94c9a1f
-
SSDEEP
3072:JTiOr52hks5b6h9wp0PQ0C63KQ8SHjUX5GnOn:89Z6h9y0Cm1HjUX5Hn
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 17 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5f9a09271a50978fbe49763e8cb281930e5df2ab2aa87b94f02f4f97d95e8a4.exe"C:\Users\Admin\AppData\Local\Temp\e5f9a09271a50978fbe49763e8cb281930e5df2ab2aa87b94f02f4f97d95e8a4.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\50C0.exeC:\Users\Admin\AppData\Local\Temp\50C0.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll,start2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 137363⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 5162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4040 -ip 40401⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\50C0.exeFilesize
3.6MB
MD5ca86f35479516529213d69fcdb5aa7c9
SHA10f70fc384937e8397d7d97e1943c72cfcb17570d
SHA256c6c0ca441ac29e200f7a50c330056564ce3d010eb9d6e284f8926b5a3be2ea29
SHA51247f78219af1725668fbe96047b8133189e1670d4835dbe0886ff198a4c35451981377e34e32a9ee9e903c2cecd16f008dd334e1472321c125f8adc332c506f6c
-
C:\Users\Admin\AppData\Local\Temp\50C0.exeFilesize
3.6MB
MD5ca86f35479516529213d69fcdb5aa7c9
SHA10f70fc384937e8397d7d97e1943c72cfcb17570d
SHA256c6c0ca441ac29e200f7a50c330056564ce3d010eb9d6e284f8926b5a3be2ea29
SHA51247f78219af1725668fbe96047b8133189e1670d4835dbe0886ff198a4c35451981377e34e32a9ee9e903c2cecd16f008dd334e1472321c125f8adc332c506f6c
-
C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dllFilesize
4.3MB
MD5f913e254ecb3dd80998ded86a886acf9
SHA18a03ca427454d944adb468ea8460cce070b9467e
SHA256f6bcc0d55b3bb23b6d1d32d37afe4bd9eedc79b5fc43ad637ef638c173fe6163
SHA51298ec95f2c64e65ff7e169b7e456102f5f96696703054ac8a0c82905ca4f87329592da3a5aed7397f368dbe4a3939c43286252a5f72fef29326d50792524824f0
-
C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dllFilesize
4.3MB
MD5f913e254ecb3dd80998ded86a886acf9
SHA18a03ca427454d944adb468ea8460cce070b9467e
SHA256f6bcc0d55b3bb23b6d1d32d37afe4bd9eedc79b5fc43ad637ef638c173fe6163
SHA51298ec95f2c64e65ff7e169b7e456102f5f96696703054ac8a0c82905ca4f87329592da3a5aed7397f368dbe4a3939c43286252a5f72fef29326d50792524824f0
-
C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dllFilesize
4.3MB
MD5f913e254ecb3dd80998ded86a886acf9
SHA18a03ca427454d944adb468ea8460cce070b9467e
SHA256f6bcc0d55b3bb23b6d1d32d37afe4bd9eedc79b5fc43ad637ef638c173fe6163
SHA51298ec95f2c64e65ff7e169b7e456102f5f96696703054ac8a0c82905ca4f87329592da3a5aed7397f368dbe4a3939c43286252a5f72fef29326d50792524824f0
-
memory/2936-142-0x0000000000000000-mapping.dmp
-
memory/2936-162-0x0000000004709000-0x000000000470B000-memory.dmpFilesize
8KB
-
memory/2936-156-0x0000000004690000-0x00000000047D0000-memory.dmpFilesize
1.2MB
-
memory/2936-155-0x0000000004690000-0x00000000047D0000-memory.dmpFilesize
1.2MB
-
memory/2936-154-0x0000000004690000-0x00000000047D0000-memory.dmpFilesize
1.2MB
-
memory/2936-152-0x0000000003A80000-0x00000000045CD000-memory.dmpFilesize
11.3MB
-
memory/2936-158-0x0000000004690000-0x00000000047D0000-memory.dmpFilesize
1.2MB
-
memory/2936-157-0x0000000004690000-0x00000000047D0000-memory.dmpFilesize
1.2MB
-
memory/2936-165-0x0000000003A80000-0x00000000045CD000-memory.dmpFilesize
11.3MB
-
memory/2936-146-0x0000000002550000-0x00000000029A7000-memory.dmpFilesize
4.3MB
-
memory/2936-147-0x0000000002550000-0x00000000029A7000-memory.dmpFilesize
4.3MB
-
memory/2936-153-0x0000000004690000-0x00000000047D0000-memory.dmpFilesize
1.2MB
-
memory/2936-149-0x0000000002550000-0x00000000029A7000-memory.dmpFilesize
4.3MB
-
memory/2936-150-0x0000000003A80000-0x00000000045CD000-memory.dmpFilesize
11.3MB
-
memory/2936-151-0x0000000003A80000-0x00000000045CD000-memory.dmpFilesize
11.3MB
-
memory/4040-140-0x0000000002980000-0x0000000002E65000-memory.dmpFilesize
4.9MB
-
memory/4040-136-0x0000000000000000-mapping.dmp
-
memory/4040-141-0x0000000000400000-0x00000000008F2000-memory.dmpFilesize
4.9MB
-
memory/4040-148-0x0000000000400000-0x00000000008F2000-memory.dmpFilesize
4.9MB
-
memory/4040-139-0x00000000025EE000-0x0000000002973000-memory.dmpFilesize
3.5MB
-
memory/4492-159-0x00007FF6298E6890-mapping.dmp
-
memory/4492-161-0x0000020268430000-0x0000020268570000-memory.dmpFilesize
1.2MB
-
memory/4492-160-0x0000020268430000-0x0000020268570000-memory.dmpFilesize
1.2MB
-
memory/4492-163-0x0000000000650000-0x00000000008E6000-memory.dmpFilesize
2.6MB
-
memory/4492-164-0x00000202669E0000-0x0000020266C88000-memory.dmpFilesize
2.7MB
-
memory/5068-135-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/5068-132-0x00000000005AD000-0x00000000005BE000-memory.dmpFilesize
68KB
-
memory/5068-134-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/5068-133-0x00000000004D0000-0x00000000004D9000-memory.dmpFilesize
36KB