Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2022 00:36
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
23 signatures
150 seconds
General
-
Target
file.exe
-
Size
316KB
-
MD5
aab9a89b440b4acd8da029dd7b4bbcdc
-
SHA1
3d3d0b2d8c3c6e03ac2c9869c17cceda3032bfc9
-
SHA256
ec715cf2382d818f116ffd7c8cb2c7f4f98298559cf3539ad44f88b231465eaf
-
SHA512
684e19590b04aba0fd15d2b4f24d583476245c5d87af484ac441653668370d396eae86c9dfac330c408671efa5dc99f90923df6f8a2629555fb96cc51a173f68
-
SSDEEP
6144:ltLcvJihMpm7x5BoFb9goRR0cSpQTtyzsduHNIv:ltgvJmM87rBYbJRR0TCtyYduHNI
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral2/memory/1944-133-0x00000000005F0000-0x00000000005F9000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
flow pid Process 31 4084 rundll32.exe 35 4084 rundll32.exe 90 4084 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 2096 9F3.exe -
Loads dropped DLL 1 IoCs
pid Process 4084 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4084 set thread context of 1824 4084 rundll32.exe 85 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4644 2096 WerFault.exe 76 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe -
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found -
Modifies registry class 30 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009755980c100054656d7000003a0009000400efbe0c551d9c97559d0c2e0000000000000000000000000000000000000000000000000041851600540065006d007000000014000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 Process not Found -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2688 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1944 file.exe 1944 file.exe 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2688 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1944 file.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeShutdownPrivilege 2688 Process not Found Token: SeCreatePagefilePrivilege 2688 Process not Found Token: SeShutdownPrivilege 2688 Process not Found Token: SeCreatePagefilePrivilege 2688 Process not Found Token: SeShutdownPrivilege 2688 Process not Found Token: SeCreatePagefilePrivilege 2688 Process not Found Token: SeShutdownPrivilege 2688 Process not Found Token: SeCreatePagefilePrivilege 2688 Process not Found Token: SeShutdownPrivilege 2688 Process not Found Token: SeCreatePagefilePrivilege 2688 Process not Found Token: SeShutdownPrivilege 2688 Process not Found Token: SeCreatePagefilePrivilege 2688 Process not Found Token: SeShutdownPrivilege 2688 Process not Found Token: SeCreatePagefilePrivilege 2688 Process not Found Token: SeShutdownPrivilege 2688 Process not Found Token: SeCreatePagefilePrivilege 2688 Process not Found Token: SeShutdownPrivilege 2688 Process not Found Token: SeCreatePagefilePrivilege 2688 Process not Found -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 2688 Process not Found 2688 Process not Found 2688 Process not Found 1824 rundll32.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 2688 Process not Found 2688 Process not Found 2688 Process not Found 2688 Process not Found -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2688 Process not Found 2688 Process not Found -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2688 wrote to memory of 2096 2688 Process not Found 76 PID 2688 wrote to memory of 2096 2688 Process not Found 76 PID 2688 wrote to memory of 2096 2688 Process not Found 76 PID 2096 wrote to memory of 4084 2096 9F3.exe 81 PID 2096 wrote to memory of 4084 2096 9F3.exe 81 PID 2096 wrote to memory of 4084 2096 9F3.exe 81 PID 4084 wrote to memory of 1824 4084 rundll32.exe 85 PID 4084 wrote to memory of 1824 4084 rundll32.exe 85 PID 4084 wrote to memory of 1824 4084 rundll32.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1944
-
C:\Users\Admin\AppData\Local\Temp\9F3.exeC:\Users\Admin\AppData\Local\Temp\9F3.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Oyiesauffusw.tmp",Wuuitfqhpt2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 171403⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1824
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 5562⤵
- Program crash
PID:4644
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2096 -ip 20961⤵PID:552
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3816
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5fad710c44e1dba33cb1ff90e91f44dd8
SHA133bc81b3dbd23ddd186311b6a04c8eb6db1c7940
SHA256a5ea31d4ea9ad0fb43cacea0051ff43609ba0079736e9c1193969ed460471bd9
SHA512f538c8eecad0d0b86beef971af6546718f7b30e3a4d0f7982d8c5c56152fc1a07a789d57460cb44a2af9509f793e7fc1f8c8aa63b61822c8996f5a85660f8f7b
-
Filesize
1.1MB
MD5fad710c44e1dba33cb1ff90e91f44dd8
SHA133bc81b3dbd23ddd186311b6a04c8eb6db1c7940
SHA256a5ea31d4ea9ad0fb43cacea0051ff43609ba0079736e9c1193969ed460471bd9
SHA512f538c8eecad0d0b86beef971af6546718f7b30e3a4d0f7982d8c5c56152fc1a07a789d57460cb44a2af9509f793e7fc1f8c8aa63b61822c8996f5a85660f8f7b
-
Filesize
730KB
MD58d039a703875733043526555982e4e60
SHA1f583795e790e682db2feaa5f5b8d282216f581e2
SHA2565cb8e52b000f84494627db8e8e700e7731c9bfa2eb9e6a8a8280d2311327e81a
SHA5123e89ec3eb7e90aa93c0a3cc2d120521b1c2236a8a2169b2654fcc153f926b97e85267a177ef92f3ac3a7aa493a81a3a55c1b6b56ef8f8beb93b78bf3eb10373e
-
Filesize
730KB
MD58d039a703875733043526555982e4e60
SHA1f583795e790e682db2feaa5f5b8d282216f581e2
SHA2565cb8e52b000f84494627db8e8e700e7731c9bfa2eb9e6a8a8280d2311327e81a
SHA5123e89ec3eb7e90aa93c0a3cc2d120521b1c2236a8a2169b2654fcc153f926b97e85267a177ef92f3ac3a7aa493a81a3a55c1b6b56ef8f8beb93b78bf3eb10373e