Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2022, 05:05
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220812-en
General
Target: file.exe
Size: 223KB
MD5: 48c2031b82e27f60b5c07b84ab3ccfe5
SHA1: d7ac785078d95d63b221e508bdc22e41dfb709cd
SHA256: 932ba1468220264f7f2991e8ca915a6ba3c2bc9a37b747a16c50d983fe89c5d2
SHA512: 3058f2bb1f77bae27717b581ec5e81e474f0ef21ac6980ac4c8061a69883f1aa9c09e7a52bb8dbeb066ad666fb381fd2864e00e9a6f331bbf95e3907bf0c57df
SSDEEP: 3072:ZDn7pjqKLTU5sSc3/pHfO3fdomGiHs02GauDrkf/ln:LjqKLTtScPp/YfdomGzGaMq
Malware Config
Signatures
Detects Smokeloader packer 1 IoCs
  resource | yara_rule
  behavioral2/memory/2064-133-0x00000000006F0000-0x00000000006F9000-memory.dmp | family_smokeloader
SmokeLoader
  Modular backdoor trojan in use since 2014.
Blocklisted process makes network request 3 IoCs
  flow | pid | Process
  38 | 2236 | rundll32.exe
  41 | 2236 | rundll32.exe
  82 | 2236 | rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
  pid | Process
  2384 | 127E.exe
Loads dropped DLL 1 IoCs
  pid | Process
  2236 | rundll32.exe
Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 2236 set thread context of 3624 | 2236 | rundll32.exe | 87
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
  pid | pid_target | Process | procid_target
  4980 | 2384 | WerFault.exe | 80
Checks SCSI registry key(s) 3 TTPs 3 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Checks processor information in registry 2 TTPs 19 IoCs
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found -
Modifies registry class 30 IoCs
  description | ioc | Process
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | Process not Found
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | Process not Found
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009955bb30100054656d7000003a0009000400efbe0c551d9c9955c2302e0000000000000000000000000000000000000000000000000014c66600540065006d007000000014000000 | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Process not Found
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Process not Found
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Process not Found
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | Process not Found
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | Process not Found
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | Process not Found
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | Process not Found
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Process not Found
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | Process not Found
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | Process not Found
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Process not Found
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid | Process
  2688 | Process not Found
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  2064 | file.exe (2 entries)
  2688 | Process not Found (62 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  2688 | Process not Found
Suspicious behavior: MapViewOfSection 1 IoCs
  pid | Process
  2064 | file.exe
Suspicious use of AdjustPrivilegeToken 18 IoCs
  description | pid | Process
  Token: SeShutdownPrivilege | 2688 | Process not Found (9 entries)
  Token: SeCreatePagefilePrivilege | 2688 | Process not Found (9 entries)
Suspicious use of FindShellTrayWindow 4 IoCs
  pid | Process
  2688 | Process not Found (3 entries)
  3624 | rundll32.exe
Suspicious use of SendNotifyMessage 4 IoCs
  pid | Process
  2688 | Process not Found (4 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
  pid | Process
  2688 | Process not Found (2 entries)
Suspicious use of WriteProcessMemory 9 IoCs
  description | pid | Process | procid_target
  PID 2688 wrote to memory of 2384 | 2688 | Process not Found | 80 (3 entries)
  PID 2384 wrote to memory of 2236 | 2384 | 127E.exe | 81 (3 entries)
  PID 2236 wrote to memory of 3624 | 2236 | rundll32.exe | 87 (3 entries)
Processes (indented by tree depth)
C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2064
C:\Users\Admin\AppData\Local\Temp\127E.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\127E.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2384
  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp",Dsdupihuqo
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID: 2236
    C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22354
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID: 3624
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 540
    - Program crash
    PID: 4980
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2384 -ip 2384
  PID: 4880
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5080
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.1MB
MD5: 508915087ec0d6ddd748e6909d4ce2c2
SHA1: 48b9f1ba1850b00b6c70ab8fb5f90ad95974388e
SHA256: 57fc707035ee2b9c7efcc96750d7c7f733798d502971478e0f8b9c682cf1c0de
SHA512: 803f5178cbe530a5ba5b92ea6fe94bc471ef089c884714fb45b8f95fe2cd68a5ea3c21f09473fb9a3bb458922014e379fe30e7e4a91870105f45777c6938a438
Filesize: 792KB
MD5: 9e3ff54c77c7d43bfdf8cff1d31c3c51
SHA1: 9681f127f0300093ac15d8a3fc16c289f0b9c045
SHA256: 2c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d
SHA512: d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec