Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
25/12/2022, 00:58
General
-
Target
71a55e33faf8924035f5b856c7c0b38bd465648f5466c339f8f0eee3b6341549.exe
-
Size
222KB
-
MD5
507409118f8cfc83a539f11952a6e84a
-
SHA1
bfd41bd00d0f9a24a47c10586013e4aa93c7fd5e
-
SHA256
71a55e33faf8924035f5b856c7c0b38bd465648f5466c339f8f0eee3b6341549
-
SHA512
5a3860b34da2e42f179807443487cc99aa800b9a576faeb350944468deeb8814b8172585c355ec1c3b7bf35628b42344b11002c6ce5be35c0eb392203703583b
-
SSDEEP
3072:nDtKLDv+5K6atBO/qkSg9RpZT6vauDdfqTJsPPf/ln:ULDvV6X1HpZT6vaMdfKW9
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 36 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\71a55e33faf8924035f5b856c7c0b38bd465648f5466c339f8f0eee3b6341549.exe"C:\Users\Admin\AppData\Local\Temp\71a55e33faf8924035f5b856c7c0b38bd465648f5466c339f8f0eee3b6341549.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\3865.exeC:\Users\Admin\AppData\Local\Temp\3865.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp",Dsdupihuqo2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 223703⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\htcarbwC:\Users\Admin\AppData\Roaming\htcarbw1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5fd93cff0c3c83837d728c575d846d8ab
SHA14a5c051b90f649a73998febf2e6695f035b119d9
SHA25695ac523cbc562f623f477ffb053dec759be95eabff249d6deac604d611b642cf
SHA512d223da0c49f9fc103a1fd186d7c2e9cb6786a38a95e9dd6f55cf1e2556ad41d144faf1883ee900fe6903fea537af09eb6a476e6e9aa4fbe9b21fad9bf79ff481
-
Filesize
1.1MB
MD5fd93cff0c3c83837d728c575d846d8ab
SHA14a5c051b90f649a73998febf2e6695f035b119d9
SHA25695ac523cbc562f623f477ffb053dec759be95eabff249d6deac604d611b642cf
SHA512d223da0c49f9fc103a1fd186d7c2e9cb6786a38a95e9dd6f55cf1e2556ad41d144faf1883ee900fe6903fea537af09eb6a476e6e9aa4fbe9b21fad9bf79ff481
-
Filesize
792KB
MD59e3ff54c77c7d43bfdf8cff1d31c3c51
SHA19681f127f0300093ac15d8a3fc16c289f0b9c045
SHA2562c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d
SHA512d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec
-
Filesize
222KB
MD5507409118f8cfc83a539f11952a6e84a
SHA1bfd41bd00d0f9a24a47c10586013e4aa93c7fd5e
SHA25671a55e33faf8924035f5b856c7c0b38bd465648f5466c339f8f0eee3b6341549
SHA5125a3860b34da2e42f179807443487cc99aa800b9a576faeb350944468deeb8814b8172585c355ec1c3b7bf35628b42344b11002c6ce5be35c0eb392203703583b
-
Filesize
222KB
MD5507409118f8cfc83a539f11952a6e84a
SHA1bfd41bd00d0f9a24a47c10586013e4aa93c7fd5e
SHA25671a55e33faf8924035f5b856c7c0b38bd465648f5466c339f8f0eee3b6341549
SHA5125a3860b34da2e42f179807443487cc99aa800b9a576faeb350944468deeb8814b8172585c355ec1c3b7bf35628b42344b11002c6ce5be35c0eb392203703583b
-
Filesize
792KB
MD59e3ff54c77c7d43bfdf8cff1d31c3c51
SHA19681f127f0300093ac15d8a3fc16c289f0b9c045
SHA2562c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d
SHA512d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
948KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
364KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
364KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
2.7MB
-
Filesize
2.7MB