Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
31/12/2022, 14:08
General
-
Target
53290d7a62ef29e1448c29184065ed50df67f7be372753706e20409804e09450.exe
-
Size
261KB
-
MD5
01b3d33e9177f7a2f1af3dcd270a654d
-
SHA1
318383633fa45e04700a17589ffde04cd5efcd9f
-
SHA256
53290d7a62ef29e1448c29184065ed50df67f7be372753706e20409804e09450
-
SHA512
fd38b87d00898680ee9ef08e2e3444bc9cb3d6a41d7a6b6c558df887adac66fb89e75859ff76501ecdfa0a5712d39b6aa67ab102f9e57697895dcdffb2a22184
-
SSDEEP
3072:Hkcgt81YA4sHL/46TG14x1RQxHUsHLgug1zJVJ7ykkKVlmqEXz27hZY:HU6vBLgB1o09nsuuVVAaYiZY
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 44 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 19 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\53290d7a62ef29e1448c29184065ed50df67f7be372753706e20409804e09450.exe"C:\Users\Admin\AppData\Local\Temp\53290d7a62ef29e1448c29184065ed50df67f7be372753706e20409804e09450.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\CD57.exeC:\Users\Admin\AppData\Local\Temp\CD57.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Otfhfhweptay.exe"C:\Users\Admin\AppData\Local\Temp\Otfhfhweptay.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 4403⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 224 -ip 2241⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa964b4f50,0x7ffa964b4f60,0x7ffa964b4f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,13120549766351163054,6915382361169284011,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,13120549766351163054,6915382361169284011,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,13120549766351163054,6915382361169284011,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,13120549766351163054,6915382361169284011,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3532 /prefetch:82⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1528 -s 36762⤵
- Program crash
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 524 -p 1528 -ip 15281⤵
-
C:\Users\Admin\AppData\Roaming\fcgftjcC:\Users\Admin\AppData\Roaming\fcgftjc1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.6MB
MD5b46628b510b1a2f21a0b4bb7e26a921f
SHA11be3f9c97e40c9c2f154b8eaf0db982cf22220c3
SHA256de28fe0d91d0d349047a1b4af4d7c90c37782d186458058e238d0f5db671a381
SHA5128726403b655652aa9c9d4ee9a58985f2f2a7bf1df9dd282f3d7ea9b755b63799c30bc43e069e5163ab56e7c0746eaffef0a8dacf5f0eaa7fde77a2b488a14f9b
-
Filesize
6.6MB
MD5b46628b510b1a2f21a0b4bb7e26a921f
SHA11be3f9c97e40c9c2f154b8eaf0db982cf22220c3
SHA256de28fe0d91d0d349047a1b4af4d7c90c37782d186458058e238d0f5db671a381
SHA5128726403b655652aa9c9d4ee9a58985f2f2a7bf1df9dd282f3d7ea9b755b63799c30bc43e069e5163ab56e7c0746eaffef0a8dacf5f0eaa7fde77a2b488a14f9b
-
Filesize
94KB
MD55cc804e51cce62250e82e08986b0f74c
SHA1681d9bb803b543155ca1e8743516cf6bc6a77545
SHA256375ee0fb3377c299b07667d9050c77fa2591ef117c4c06e62ec4e6ca9cc28f4c
SHA512848bf4a0ea4ef2545c6dfef476f4773b6ecd6fa69f7a58708c7d6bf76b79e46da414eb7217e0cee933a2a23b17eef3a684a433e927720210bf396f6156bb0674
-
Filesize
1.5MB
MD54be03ece98dae87458118dcac2d98528
SHA108c65c05c85ef3c0781e24a8aebe26e1426b2ac0
SHA25661cd01c9b49f419fc7735413f0bc75ce9f49472517d11a272d2de5a746d866ec
SHA512972f1c71d184e7983978f332ebfd4e4b0145e5a5fda3962bb5c1b931f2269bbab6ebf5108a7661a61717f5543a101dc0851e341a7a5e35778eb3e6f6d66b573e
-
Filesize
1.5MB
MD54be03ece98dae87458118dcac2d98528
SHA108c65c05c85ef3c0781e24a8aebe26e1426b2ac0
SHA25661cd01c9b49f419fc7735413f0bc75ce9f49472517d11a272d2de5a746d866ec
SHA512972f1c71d184e7983978f332ebfd4e4b0145e5a5fda3962bb5c1b931f2269bbab6ebf5108a7661a61717f5543a101dc0851e341a7a5e35778eb3e6f6d66b573e
-
Filesize
3.5MB
MD5e9ff74c50c5a8c95e20cd1f03c727235
SHA1435270cb5a26e92c06a79be4c10e58fbe9fe6641
SHA256917a6e23940d62c55398fe59f1d39093fbb916465b84e7588f90a12013f4b49e
SHA5126895b206a27b5988304afd392bcf3674a3812b012fb7cf5db4b30825d22d8cb5fd63bf1e7a2dafa7f17ae19484e23754254beaf7cb620f49881268dde5b2163d
-
Filesize
58KB
MD5719d297e33fa282f08cddba60f474436
SHA18fe90799cf05da29e8b5123c27f2e120af4179ca
SHA25672785a70de3b2ec9f265eccb81575c7a01d81b7d996d123709830303ab3cf7fd
SHA5125945e4665c583422bf8dd2cd4fe7185e7597598461342943bcfdef717a19727bded230f0cef7a66d7eab66ac2ff081cade381b78e350cc7ce9da4f09d054b3a6
-
Filesize
147KB
MD57c179047bc230eaa018c21e5da4858c1
SHA1af5c738e924081765171ec7b23d6f264f6e3a10f
SHA2561e35e8e0907ad88f980f3dcf49a3e02429328e4b50725860a5ea76a7ce0c0584
SHA512532e016f8cadfd885c0c1b873724e2ce1161824a39ab3e9680d11fdecee7b03392c0bfe72f9880e45006881b1a6f7b690fa4afb3764af2e6d68914007b929e8a
-
Filesize
470B
MD55126d5802fd8535e0032839d68aa7bf7
SHA12e409bde69509836d983d4946f46d4cf2ecfe338
SHA2567b75157b98e3d80b33ed1e38f7b57dad8588137af9063332a9b7f37c4fc0c816
SHA512d108d334faff1e16f7e727220288282fb5b42efe3597d3759d876faad44717bf0ff44ea3ddc34edd99d31600ca2b482afa3de39d8c602bfd33d1d7e37f91a342
-
Filesize
1KB
MD5fa4b52a52c0158ea53754b0ec1061455
SHA1f9c1ea9a96b50883cc211f678c0980a83b46a21e
SHA256e2eb3d980177fc77f5feb7dac10becffc32e0e492d8403781d4ffbecd11ea764
SHA512226c895c1613a7b39550750b87d62590a126812f0a20d08692f690f618fbf1c1a5cf666f174e06dfd87bcab96300d80cf6925fbd8b242b3cefc481ddbbfcf346
-
Filesize
426KB
MD58df35a67a3fe81e2c83f723095d5cc69
SHA1f3b903c20d84704bde055d92afec0b4f9400bdf9
SHA2568c678ff5d4a43cbb813b3074659ef6bccb0bb34f53e67c0eb0382b3f08569200
SHA51249494d66ee21de2a1e5714fb58d21dc705b03fa2711032c04741a2571dbc8987726d9a7080170bbb722edc76892d26f8fc9eb208b2631713898a20b6ddc12899
-
Filesize
63KB
MD5e516a60bc980095e8d156b1a99ab5eee
SHA1238e243ffc12d4e012fd020c9822703109b987f6
SHA256543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA5129b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58
-
Filesize
697B
MD5f248ae61185ec6a116f1fa1d14e0a153
SHA1b611a493ffddcd5a7e56aebd4db99e4b06fab3f9
SHA256d97d956c8e92bafcc28ff8e4997921f04ce21f5ae5e1d9eff430dd3d4125f512
SHA5125e5f568cacc306346d9da19ee0782937a962130457c97fefb3fbf9e2c80e78650f4656cb3ecc4c99b8a2e0049c1a76cb1b491044342f0ccbb6ab507cd58cf0f6
-
Filesize
261KB
MD501b3d33e9177f7a2f1af3dcd270a654d
SHA1318383633fa45e04700a17589ffde04cd5efcd9f
SHA25653290d7a62ef29e1448c29184065ed50df67f7be372753706e20409804e09450
SHA512fd38b87d00898680ee9ef08e2e3444bc9cb3d6a41d7a6b6c558df887adac66fb89e75859ff76501ecdfa0a5712d39b6aa67ab102f9e57697895dcdffb2a22184
-
Filesize
261KB
MD501b3d33e9177f7a2f1af3dcd270a654d
SHA1318383633fa45e04700a17589ffde04cd5efcd9f
SHA25653290d7a62ef29e1448c29184065ed50df67f7be372753706e20409804e09450
SHA512fd38b87d00898680ee9ef08e2e3444bc9cb3d6a41d7a6b6c558df887adac66fb89e75859ff76501ecdfa0a5712d39b6aa67ab102f9e57697895dcdffb2a22184
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.6MB
-
Filesize
1.2MB
-
Filesize
1.6MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.3MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
11.3MB
-
Filesize
10.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
380KB
-
Filesize
64KB
-
Filesize
380KB
-
Filesize
64KB
-
Filesize
380KB
-
Filesize
36KB
-
Filesize
380KB
-
Filesize
8.8MB
-
Filesize
1.2MB
-
Filesize
6.5MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
11.3MB
-
Filesize
1.2MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
11.3MB