Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
22/12/2022, 16:46
General
-
Target
86fe386cc3662c6b8228b24edd8b41be9cb586b68cb33e6d2633dc79baf383ac.exe
-
Size
316KB
-
MD5
e64b17d519a1c3895a11dcfed3c58049
-
SHA1
d95b08f29b90967f75c9ee736c2abcf9ae910647
-
SHA256
86fe386cc3662c6b8228b24edd8b41be9cb586b68cb33e6d2633dc79baf383ac
-
SHA512
37867f26ac464a693ff7121a66dba36edab421992a7b829cc80076a4a7ce52ea06be3be9db68eb0f2511cd3e5049541a594312c1cfcb3379b5f61139fb2e0568
-
SSDEEP
6144:PJL3Igi2ZniB/6Z8kVVIMoCo2RR0cSpQTtyzsduHNIvD:PJzIgiSiB/6wMoX2RR0TCtyYduHNI
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 21 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\86fe386cc3662c6b8228b24edd8b41be9cb586b68cb33e6d2633dc79baf383ac.exe"C:\Users\Admin\AppData\Local\Temp\86fe386cc3662c6b8228b24edd8b41be9cb586b68cb33e6d2633dc79baf383ac.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E024.exeC:\Users\Admin\AppData\Local\Temp\E024.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Dsdoiysdsysh.tmp",Ieoftteeywo2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 204453⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 5442⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1720 -ip 17201⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows multimedia platform\pdfsigqformalrep.dll",aUYjTTI=2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
777KB
MD5d9d354e5d3524d9456ac220fae5a4b87
SHA170a70572b033a36281349df804cedd497d49a544
SHA25613d7f5e0a08b5564631ec47c900a04794bea34424e8c38cb82973103cd1da5a6
SHA5128d6945859258a218fdf93dae614165fff28fc9541e946ac3fd58491af17082b5be9bbc5a6184db6dcfbdc780ae64f9e8faaeec7efd1d68cf51e7257feb8c1317
-
Filesize
777KB
MD5d9d354e5d3524d9456ac220fae5a4b87
SHA170a70572b033a36281349df804cedd497d49a544
SHA25613d7f5e0a08b5564631ec47c900a04794bea34424e8c38cb82973103cd1da5a6
SHA5128d6945859258a218fdf93dae614165fff28fc9541e946ac3fd58491af17082b5be9bbc5a6184db6dcfbdc780ae64f9e8faaeec7efd1d68cf51e7257feb8c1317
-
Filesize
16KB
MD5ada34b241139f06addc86a9e8d1108f0
SHA1909a92a4e970ae4edcfc365a119d4f4410b0bcf6
SHA2563069814db0a03ed2ce383cb97739d07545d3b67a2b532d9c07d0d5aa3c6a4f3a
SHA5122797c6087798660773cfa65f002a4232d75c8b8f787deb12364af683653b41de411ca2de54be1aa86356ba3b6203775c9afaedd513ad33c26f273047f87537a0
-
Filesize
10KB
MD5220ae72aa2505c9276da2056b7e34936
SHA16dfb0f4fd5c0d25062d3d1235fc20358560fdb89
SHA256afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c
SHA512cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd
-
Filesize
3.5MB
MD50a198bd426f678d018458dce5bbef5c5
SHA1890e5d91cf489cd89048236825e9f937e2550e54
SHA2563d67810022086cd5a8c77db610ba4f559917b72387a029af8f54b943a76c5a5e
SHA512683d06388459e15d480a0b9281d85643ada7ea9bdf9376b21daad0db55b615f2cf3387b56e1da4f3a8e6d1d830e3322afe9573ddb6cadf1309f2e6e6d265a55f
-
Filesize
2KB
MD5e819bd42f70abd4d77fcdd8e9027f87d
SHA1a6c541f7cc2c56b7e249f8c56c24208e742acce7
SHA2568931d34acc2d60b807f30ae7fc661691fb03d18a7f1448b84d0fd92d7ba8efac
SHA512cab282bd90653a067c760e65205bb26353af21649ba559ac3599077d4258e84752d1c67b697f745cf116a4c91ea82d111c2501128aa908aa55f4c24c3ac0dec4
-
Filesize
2KB
MD5b92eea712a8a63a66e21156d66a5fcfc
SHA186f3274afee32518c49307c92b586ca67fbd98ae
SHA256d6ca1a7c439c5e1d33f71959740e9991c89152ff6f4c429c146d13f40a4b428e
SHA51294577d5a1b344af5862e9f0ed430cbae21f4d955604684faf57e236a6aeb03f0340816dc8b4d758f943e24e105d0dce420984b082621f6f57745ba758870464f
-
Filesize
5KB
MD5d7ee4543371744836d520e0ce24a9ee6
SHA1a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0
SHA25698817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9
SHA512e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808
-
Filesize
777KB
MD5ce65845185ffec12b1b8990bb48f280d
SHA1df36bfa7bd5170bf24c58fef9d0978c4d3f9c1fe
SHA25616e766159a5706f4278b48824d00707ecc8329f55af3204cf6b96f8c573ac1a9
SHA512323e93e8e7d77a3303fc778fabc0f405e5d11938ac135b28a96a603455a5e38c80713f0d0fbe84ea35d1018238f977cf5af3d0c700c3bb9305d2c67f0e56068b
-
Filesize
777KB
MD5ce65845185ffec12b1b8990bb48f280d
SHA1df36bfa7bd5170bf24c58fef9d0978c4d3f9c1fe
SHA25616e766159a5706f4278b48824d00707ecc8329f55af3204cf6b96f8c573ac1a9
SHA512323e93e8e7d77a3303fc778fabc0f405e5d11938ac135b28a96a603455a5e38c80713f0d0fbe84ea35d1018238f977cf5af3d0c700c3bb9305d2c67f0e56068b
-
Filesize
1.1MB
MD5ac8da6860bce96a8c6454d2f407a3869
SHA1f3b69c17ffec0e089bbe6cd75c84b9a9519422ab
SHA25632b7c949d8e4330a1e8b8400a9c554f86f0bf380656e1ce092ec769c3d127efa
SHA512675bb1fe6011f8ce767c39b888a0f49fd50b0d32fb15835361a152b4098a07059dd7cb56c943207b0eaabef2555e065e0616be96a12a036d5762ccaefcf03682
-
Filesize
1.1MB
MD5ac8da6860bce96a8c6454d2f407a3869
SHA1f3b69c17ffec0e089bbe6cd75c84b9a9519422ab
SHA25632b7c949d8e4330a1e8b8400a9c554f86f0bf380656e1ce092ec769c3d127efa
SHA512675bb1fe6011f8ce767c39b888a0f49fd50b0d32fb15835361a152b4098a07059dd7cb56c943207b0eaabef2555e065e0616be96a12a036d5762ccaefcf03682
-
Filesize
777KB
MD5d9d354e5d3524d9456ac220fae5a4b87
SHA170a70572b033a36281349df804cedd497d49a544
SHA25613d7f5e0a08b5564631ec47c900a04794bea34424e8c38cb82973103cd1da5a6
SHA5128d6945859258a218fdf93dae614165fff28fc9541e946ac3fd58491af17082b5be9bbc5a6184db6dcfbdc780ae64f9e8faaeec7efd1d68cf51e7257feb8c1317
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
860KB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
11.4MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
11.4MB
-
Filesize
1.2MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
340KB
-
Filesize
84KB
-
Filesize
340KB
-
Filesize
36KB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
1.2MB
-
Filesize
1.2MB
