Overview

overview

10

Static

static

bacf2c2d55...a1.exe

windows7-x64

10

bacf2c2d55...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/12/2022, 15:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bacf2c2d558a8f75f584c11c5780629892cbffde60b108621932954be5e983a1.exe

  • Size

    302KB

  • MD5

    b6546d5f2ac4c0c8886088b2ebb18e08

  • SHA1

    646e12b258181532e1657229021091d03c7bb660

  • SHA256

    bacf2c2d558a8f75f584c11c5780629892cbffde60b108621932954be5e983a1

  • SHA512

    a3ab074a1ab7d4a905321278a6d893395ff6afe1c789e710acc47f47d0cd81ea88b8d1f28e57a2826afb39383fa5bbdd550515f9acfd0815ace2ffc1938209da

  • SSDEEP

    6144:hadbLtwg4/lu0Yzsf8aiMQ7w9UZdLaYon5Jk4eROw1g:gx5wjMr797din5JF

Score
10/10
smokeloaderbackdoorcollectiondiscoveryspywarestealertrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 23 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bacf2c2d558a8f75f584c11c5780629892cbffde60b108621932954be5e983a1.exe
    "C:\Users\Admin\AppData\Local\Temp\bacf2c2d558a8f75f584c11c5780629892cbffde60b108621932954be5e983a1.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3016
  • C:\Users\Admin\AppData\Local\Temp\167.exe
    C:\Users\Admin\AppData\Local\Temp\167.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:348
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp",Dioeeedresq
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:4168
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14033
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3428
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        3⤵
          PID:3904
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
          3⤵
            PID:4412
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
            3⤵
              PID:1996
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 556
            2⤵
            • Program crash
            PID:4852
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 348 -ip 348
          1⤵
            PID:4244
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            1⤵
              PID:1500
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe -k LocalService
              1⤵
                PID:3060
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\google\temp\aic_file_icons_hicontrast_wob.dll",Eg8DSUgyQg==
                  2⤵
                    PID:5096

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\Google\Temp\aic_file_icons_hiContrast_wob.dll
                  Filesize

                  792KB

                  MD5

                  20d9388b5cf5b1bf58b2ac50bad778ff

                  SHA1

                  6cd289a2722e65d69ef6452c4d10e36d32ec82f1

                  SHA256

                  8af5c562d92f7e141e86c76b9545c0484eca11a0e379d25508542683f4d592ee

                  SHA512

                  ac12963dab1e8c4cfe9f30079d0825d5aef2713dcb09eb0a3c21b68fe7c1b547954dc7a10d2bd66a40283cdb67540075e399728a174e211eaca4ca323a14fe59

                  Download Submit

                • C:\Program Files (x86)\Google\Temp\aic_file_icons_hiContrast_wob.dll
                  Filesize

                  792KB

                  MD5

                  20d9388b5cf5b1bf58b2ac50bad778ff

                  SHA1

                  6cd289a2722e65d69ef6452c4d10e36d32ec82f1

                  SHA256

                  8af5c562d92f7e141e86c76b9545c0484eca11a0e379d25508542683f4d592ee

                  SHA512

                  ac12963dab1e8c4cfe9f30079d0825d5aef2713dcb09eb0a3c21b68fe7c1b547954dc7a10d2bd66a40283cdb67540075e399728a174e211eaca4ca323a14fe59

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
                  Filesize

                  2KB

                  MD5

                  d2d725a3c34b3597b164a038ec06085a

                  SHA1

                  52eb2334afeccafd46b205de0d2c7306cb7b7c8d

                  SHA256

                  01bc9a89105cebd77ff81b814f794a71cbccf40f4d3e663758e63e202f5e1f00

                  SHA512

                  6f23fc81a4a5308966892ef880048ff079aec5968af5d6fcc0315c05533d597865b0572d18e0368da4ff85c9136b87a4cb9e878bc28738a18025d576b5a3f306

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\C2RManifest.osmuxmui.msi.16.en-us.xml
                  Filesize

                  10KB

                  MD5

                  220ae72aa2505c9276da2056b7e34936

                  SHA1

                  6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

                  SHA256

                  afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

                  SHA512

                  cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\DesktopSettings2013.xml
                  Filesize

                  17KB

                  MD5

                  c6b6b07071e0f8ff39f5941a3169b20c

                  SHA1

                  d77fd2513ac3cb9b8595424d1f695fce21e33d96

                  SHA256

                  f8b710777d2c0105e74ee27ee6dfc8e43ca4ff7e14b4dba390eb72dad20705bd

                  SHA512

                  167ab504d6e4c91239f8239722aba17a7f6748fb3e8ee750b2d3f3fd677e6646a8149c8b956513cb2e90722196471865591215938cea8444fdf2e5cff180fdec

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\EventStore.db
                  Filesize

                  60KB

                  MD5

                  20141c14bea9fb0aaa62db2c2fe72f46

                  SHA1

                  ba48fea9da8c80d86e1df8d1bf8170cc4adbfc34

                  SHA256

                  035e5f5e3c2293ecc83bd18fdb00a4939c635ee21c9a8506fa439193c9c166b6

                  SHA512

                  808d015172ff730a087576e5b45f3b659e53fd149a89376194eb11ab9f1e616da3757554eba9e40d82de3afc46e9f1b6251c19bee42af99bac4a7c23a9dbbb84

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp
                  Filesize

                  3.5MB

                  MD5

                  60e17093ea264250a8320f940d49ac4c

                  SHA1

                  3c27782fa195bf54e0ed55e0ff25f138fceaeb66

                  SHA256

                  313217d3e396aea742f3a27d5f0bd5d786cb153c4d5c61edc28cc8025964d887

                  SHA512

                  ca8e7fc888ee0e2fb0aa84cd8398a3ab3490ac77f4e07f3c3a5ebb75ca2190fb80466cbce8a4da52d52faea15e0509e0d805358c277b225e262a8dc64d80fc55

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
                  Filesize

                  820B

                  MD5

                  09eb72768015735e81d549d7a5087631

                  SHA1

                  0dc0de9d9f1f94a73b760e13dbfb033d58b2962c

                  SHA256

                  803200facef08eb731bceb63813c1c873628a271ada9661dda6bb4b638ccb5f8

                  SHA512

                  240680b7e01215938623781f3431fb5ae8a2630590285a824f7e41e63e8e06f6fa79e641f4ace6d9dcb96f0c3fe3e928f5ac0eb2992158bda8cb83e95c7e916a

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe.xml
                  Filesize

                  6KB

                  MD5

                  d218cf550fbd777e789242cafb804d10

                  SHA1

                  05175dd84f05a7989944e48db6a811c297fa47e3

                  SHA256

                  8143763940b906ea93cd7288a08f251203d9f21da5282a6c20201ea7530df8c4

                  SHA512

                  9134ace4de9b6bae58b161af4ede7ca9b24bd396c6b1e24ec8301ecb90278bc8b61d7600be7248b2f35acc49b83fcd627045f18c61ee57a2da0e19d61330261d

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe.xml
                  Filesize

                  1KB

                  MD5

                  c1e304a57b77d96dbac8ca07849f9b86

                  SHA1

                  76a2051cdd63b97419d076ee3e0972c7b11ee10c

                  SHA256

                  28bf7f3525db4ecacb36705ff7d30bee209ff200a15178bae8a2f0f27f7058b8

                  SHA512

                  86b48ef3207a257799b9d9c0e23859391dd3c5984e30d4fa761bc8853bbcc8b37193ab4bdb95b7dd36906ebdd8ad83f29811d9c76675f93f261d9d0cf7a26662

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe.xml
                  Filesize

                  15KB

                  MD5

                  2f71d0396b93381c1fd86bf822612868

                  SHA1

                  d0801700dd00a51276f32c6ed19f5b713b5db825

                  SHA256

                  0543ea8c8efce3d69431f57affc2cfa44df1b9244a25ed080e4b2014d0419026

                  SHA512

                  67022ce5c41641799abff9e68cb3f049c5d932aea5c6fd8748469e2e7f51f987f1bdfc7d831a8d11a69d99a77cc363c51db8be6ad50e4014eb63a15c1f25a722

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\osver.txt
                  Filesize

                  10B

                  MD5

                  bea59a2f25178d677087edde21c60be7

                  SHA1

                  56844a00adee7f8d2c161808de19ce6fd191fb61

                  SHA256

                  4906553c99e9225413bacd029603f2549fe8d972bf389770063f3e932b623d80

                  SHA512

                  008622e6bf66c3cc4bdfc9cda7dc10376e310b560321ee0d7040f7c6da7673cd04799ee04b9e22bb45de378fa0791dc0b6bbf43efed1366d0520c26d803d7400

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\print_pref.ico
                  Filesize

                  56KB

                  MD5

                  a52a082f2b18811deaf3138d27c57af8

                  SHA1

                  317bf685e50de705818bff26f032e7f593830509

                  SHA256

                  6b4b668a30271d7853257b5752dc429b39c7b264e77ff3533196e6fd03fbeb88

                  SHA512

                  0d6f4bbb993b4e9a0069ddd0503ceb45d8a1cc6f6453cc2faf91cb137fa49e15eeaa3d77cb9954cc07701153932da51977d467c54b1e0fcfe74b6670cac47d99

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\print_property.ico
                  Filesize

                  58KB

                  MD5

                  30d7062e069bc0a9b34f4034090c1aae

                  SHA1

                  e5fcedd8e4cc0463c0bc6912b1791f2876e28a61

                  SHA256

                  24e77f244b0743e311b0fc97f06513a0cecf6560e92f9c6f164288a152d32000

                  SHA512

                  85dd6c916d48804a24dbbad0f4b4842453ac31a692905f8f2f34112eaa1bbf062a825d45ed5d800bbc4663a28b0b5003ebd5fa54991cf846f1028e929ea06de6

                  Download Submit

                • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\stream.x64.x-none.hash
                  Filesize

                  128B

                  MD5

                  2b4d6d3b95916f9810449019372fbbde

                  SHA1

                  2c9f59c51fc6b290f758aed25a899dba37459fc6

                  SHA256

                  cea19b915390806a9677165794194c66b19e3198a342d51e5a880e7b55768ac7

                  SHA512

                  5cbb012b89989d53a7814dcb9f0391a761ebea6a7c9d1dcaae0efb476e61b30ce678387c4ff6fcebea0643f96d2f3bf126cff9511a75c1780ec89b51ba79c8db

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\167.exe
                  Filesize

                  1021KB

                  MD5

                  845a580949bdb9341e5cedea3c1c7f11

                  SHA1

                  d966b359dd0988e1d339780bad48f231253badf6

                  SHA256

                  38d2d32039e1b88fa6e1f0b13226446586432d7b8f9927bd023d76097b39d94c

                  SHA512

                  4af8e7dfcc966f508cedff879ac2d65c256a554eb4f616f28fd988605434f9064befe12b1cb85bf0f03d06a8a5cd9e57aa67544759b5e82473e455283867883d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\167.exe
                  Filesize

                  1021KB

                  MD5

                  845a580949bdb9341e5cedea3c1c7f11

                  SHA1

                  d966b359dd0988e1d339780bad48f231253badf6

                  SHA256

                  38d2d32039e1b88fa6e1f0b13226446586432d7b8f9927bd023d76097b39d94c

                  SHA512

                  4af8e7dfcc966f508cedff879ac2d65c256a554eb4f616f28fd988605434f9064befe12b1cb85bf0f03d06a8a5cd9e57aa67544759b5e82473e455283867883d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp
                  Filesize

                  792KB

                  MD5

                  822d3ead416a1a85cb96e65f65cd5ae2

                  SHA1

                  af32b69e2835d1cacdadb97ae6dfafccc32d1837

                  SHA256

                  72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

                  SHA512

                  48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp
                  Filesize

                  792KB

                  MD5

                  822d3ead416a1a85cb96e65f65cd5ae2

                  SHA1

                  af32b69e2835d1cacdadb97ae6dfafccc32d1837

                  SHA256

                  72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

                  SHA512

                  48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

                  Download Submit

                • \??\c:\program files (x86)\google\temp\aic_file_icons_hicontrast_wob.dll
                  Filesize

                  792KB

                  MD5

                  20d9388b5cf5b1bf58b2ac50bad778ff

                  SHA1

                  6cd289a2722e65d69ef6452c4d10e36d32ec82f1

                  SHA256

                  8af5c562d92f7e141e86c76b9545c0484eca11a0e379d25508542683f4d592ee

                  SHA512

                  ac12963dab1e8c4cfe9f30079d0825d5aef2713dcb09eb0a3c21b68fe7c1b547954dc7a10d2bd66a40283cdb67540075e399728a174e211eaca4ca323a14fe59

                  Download Submit

                • memory/348-141-0x0000000002390000-0x00000000024A1000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/348-143-0x0000000000400000-0x0000000000523000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/348-140-0x00000000021DB000-0x00000000022B1000-memory.dmp

                  Filesize

                  856KB

                  Download

                • memory/3016-134-0x0000000000400000-0x0000000000450000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/3016-133-0x00000000005A0000-0x00000000005A9000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/3016-132-0x000000000068F000-0x00000000006A5000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/3016-135-0x0000000000400000-0x0000000000450000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/3060-164-0x00000000041A0000-0x0000000004CFD000-memory.dmp

                  Filesize

                  11.4MB

                  Download

                • memory/3060-163-0x00000000041A0000-0x0000000004CFD000-memory.dmp

                  Filesize

                  11.4MB

                  Download

                • memory/3428-156-0x000001CF5E450000-0x000001CF5E6FE000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3428-155-0x0000000000080000-0x000000000031C000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/3428-153-0x000001CF5FEA0000-0x000001CF5FFE0000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/3428-154-0x000001CF5FEA0000-0x000001CF5FFE0000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4168-147-0x0000000004680000-0x00000000047C0000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4168-150-0x0000000004680000-0x00000000047C0000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4168-146-0x0000000004680000-0x00000000047C0000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4168-158-0x0000000004B70000-0x00000000056CD000-memory.dmp

                  Filesize

                  11.4MB

                  Download

                • memory/4168-148-0x0000000006DF0000-0x0000000006F30000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4168-149-0x0000000004680000-0x00000000047C0000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4168-145-0x0000000004B70000-0x00000000056CD000-memory.dmp

                  Filesize

                  11.4MB

                  Download

                • memory/4168-151-0x0000000004680000-0x00000000047C0000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/5096-181-0x0000000005050000-0x0000000005BAD000-memory.dmp

                  Filesize

                  11.4MB

                  Download

                • memory/5096-180-0x0000000005050000-0x0000000005BAD000-memory.dmp

                  Filesize

                  11.4MB

                  Download

                • memory/5096-182-0x0000000005050000-0x0000000005BAD000-memory.dmp

                  Filesize

                  11.4MB

                  Download