Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
09/01/2023, 09:20
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
21 signatures
150 seconds
General
-
Target
file.exe
-
Size
278KB
-
MD5
6ea210bfd858868cd3d16e3c0e5284d4
-
SHA1
1ed4eab42076ddbd524b701ab345b882a5c19eea
-
SHA256
189b68dca1a8e4d0ec372e03b3442d09aff6b73928155ec9d4546ef6006427c3
-
SHA512
961fd229491703fa0fb0619815b7ce80341ffa17b3994a272124d1ed85617c2b68c6de133c9827143bdc6c46db608f32479946ede83329923182dd8a389e6c3d
-
SSDEEP
3072:7XOWy2p2EapL3dMel5cDX2mgJN4/R2nEYSSMSACdmEF2xU9Q/Wl:Tzp2E4LNF0U4ZK3dzF2xU9y
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral2/memory/1268-133-0x0000000003260000-0x0000000003269000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
flow pid Process 36 4880 rundll32.exe 38 4880 rundll32.exe 122 4880 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 4868 DFF5.exe -
Loads dropped DLL 1 IoCs
pid Process 4880 rundll32.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4880 set thread context of 1940 4880 rundll32.exe 91 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3160 4868 WerFault.exe 82 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe -
Checks processor information in registry 2 TTPs 19 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found -
Modifies registry class 30 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000029569c52100054656d7000003a0009000400efbe0c5519992956a0522e0000000000000000000000000000000000000000000000000065041f00540065006d007000000014000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Process not Found -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 684 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1268 file.exe 1268 file.exe 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found 684 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 684 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1268 file.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeShutdownPrivilege 684 Process not Found Token: SeCreatePagefilePrivilege 684 Process not Found Token: SeShutdownPrivilege 684 Process not Found Token: SeCreatePagefilePrivilege 684 Process not Found Token: SeShutdownPrivilege 684 Process not Found Token: SeCreatePagefilePrivilege 684 Process not Found Token: SeShutdownPrivilege 684 Process not Found Token: SeCreatePagefilePrivilege 684 Process not Found Token: SeShutdownPrivilege 684 Process not Found Token: SeCreatePagefilePrivilege 684 Process not Found Token: SeShutdownPrivilege 684 Process not Found Token: SeCreatePagefilePrivilege 684 Process not Found Token: SeShutdownPrivilege 684 Process not Found Token: SeCreatePagefilePrivilege 684 Process not Found Token: SeShutdownPrivilege 684 Process not Found Token: SeCreatePagefilePrivilege 684 Process not Found Token: SeShutdownPrivilege 684 Process not Found Token: SeCreatePagefilePrivilege 684 Process not Found -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1940 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 684 Process not Found 684 Process not Found -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 684 wrote to memory of 4868 684 Process not Found 82 PID 684 wrote to memory of 4868 684 Process not Found 82 PID 684 wrote to memory of 4868 684 Process not Found 82 PID 4868 wrote to memory of 4880 4868 DFF5.exe 83 PID 4868 wrote to memory of 4880 4868 DFF5.exe 83 PID 4868 wrote to memory of 4880 4868 DFF5.exe 83 PID 4880 wrote to memory of 1940 4880 rundll32.exe 91 PID 4880 wrote to memory of 1940 4880 rundll32.exe 91 PID 4880 wrote to memory of 1940 4880 rundll32.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1268
-
C:\Users\Admin\AppData\Local\Temp\DFF5.exeC:\Users\Admin\AppData\Local\Temp\DFF5.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 156053⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1940
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 5322⤵
- Program crash
PID:3160
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4868 -ip 48681⤵PID:4824
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4076
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD515120b5b2109dcf3810dc75867859605
SHA1408c22d623f4f6001e1d6a0711cc8610498df428
SHA25664a7eb6bb893da24b6af8e00c58a4934b74c6941e58c4573d6e882ea9d1207c6
SHA512a0dda18d2f304b6d92f64b676acbd0ccf4000e8c29d77fb624241e0e9f9dce60718a66b6ec256d24cb19deef0ce0e6839159565b862f08f8bfe5c8ecf7201876
-
Filesize
1.0MB
MD515120b5b2109dcf3810dc75867859605
SHA1408c22d623f4f6001e1d6a0711cc8610498df428
SHA25664a7eb6bb893da24b6af8e00c58a4934b74c6941e58c4573d6e882ea9d1207c6
SHA512a0dda18d2f304b6d92f64b676acbd0ccf4000e8c29d77fb624241e0e9f9dce60718a66b6ec256d24cb19deef0ce0e6839159565b862f08f8bfe5c8ecf7201876
-
Filesize
714KB
MD59dd70d24b2657a9254b9fd536a4d06d5
SHA1348a1d210d7c4daef8ecdb692eadf3975971e8ee
SHA256d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd
SHA512dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6
-
Filesize
714KB
MD59dd70d24b2657a9254b9fd536a4d06d5
SHA1348a1d210d7c4daef8ecdb692eadf3975971e8ee
SHA256d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd
SHA512dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6