Analysis
-
max time kernel
150s -
max time network
133s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system -
submitted
25/01/2023, 07:13
Static task
static1
Behavioral task
behavioral1
Sample
92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe
Resource
win10-20220812-en
General
-
Target
92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe
-
Size
24KB
-
MD5
4edc2181db86513f593f18793d30ebf9
-
SHA1
33a4a18759143c258703147bb5a05a19f9be65d6
-
SHA256
92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de
-
SHA512
1f74d7a3d3a956ab8c472d1977279b8cff4a3989b03c7c78d704ee18a34e98546a7678baaddcc5c22930f627f3ffde2101a613f13fa4d6306b74cdc4fbf240b5
-
SSDEEP
96:TbpKgeeUZvHZ6mkIWjT4nLkjDUPRx0UxkRbkPf4LNiRB4e3T3e3Lvn1fzNt:Y8AvQdIWfoLkjD8TOQPf4L9bnr
Malware Config
Signatures
-
Detect PureCrypter injector 1 IoCs
resource yara_rule
behavioral1/memory/2204-192-0x0000000005FA0000-0x0000000006008000-memory.dmp family_purecrypter -
Detects Smokeloader packer 3 IoCs
resource yara_rule
behavioral1/memory/3056-296-0x0000000000402EF0-mapping.dmp family_smokeloader
behavioral1/memory/3056-327-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader
behavioral1/memory/3056-328-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader -
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 1 IoCs
pid Process 4088 213F.exe -
Deletes itself 1 IoCs
pid Process 2312 Process not Found -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Goyyvx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Neyachzs\\Goyyvx.exe\"" 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2204 set thread context of 3056 2204 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe 68 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report supports that reading (the families detected are a .NET loader and a modular backdoor), so treat it as a weak signal on its own.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4596 4088 WerFault.exe 69 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 rows, identical rows collapsed with their count)
1984 powershell.exe (x3)
3056 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe (x2)
2312 Process not Found (x59) -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2312 Process not Found -
Suspicious behavior: MapViewOfSection 13 IoCs
pid Process (13 rows, identical rows collapsed with their count)
3056 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe (x1)
2312 Process not Found (x12) -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process (9 rows, identical rows collapsed with their count)
Token: SeDebugPrivilege 2204 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe
Token: SeDebugPrivilege 1984 powershell.exe
Token: SeDebugPrivilege 4088 213F.exe
Token: SeShutdownPrivilege 2312 Process not Found (x3)
Token: SeCreatePagefilePrivilege 2312 Process not Found (x3) -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target (33 rows, identical rows collapsed with their count)
PID 2204 wrote to memory of 1984 2204 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe 66 (x3)
PID 2204 wrote to memory of 3056 2204 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe 68 (x6)
PID 2312 wrote to memory of 4088 2312 Process not Found 69 (x3)
PID 2312 wrote to memory of 4852 2312 Process not Found 70 (x4)
PID 2312 wrote to memory of 600 2312 Process not Found 71 (x3)
PID 2312 wrote to memory of 4104 2312 Process not Found 72 (x4)
PID 2312 wrote to memory of 2064 2312 Process not Found 73 (x3)
PID 2312 wrote to memory of 996 2312 Process not Found 74 (x4)
PID 2312 wrote to memory of 2416 2312 Process not Found 75 (x3) -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
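Read together, the SetThreadContext, WriteProcessMemory and YARA tables above describe the injection chain: PID 2204, whose memory matched the PureCrypter rule, writes into a second instance of its own image (PID 3056) and then replaces that process's thread context, and the SmokeLoader rule fires in 3056's memory. Writing a freshly spawned child's memory and then calling SetThreadContext on it is the process-hollowing (RunPE) pattern; a plain spawn of a helper, such as 2204 starting powershell.exe (1984), shows writes but no SetThreadContext. The following Python is an added example, not part of the sandbox report or of the Triage product: it parses rows in the flattened one-line format shown above (the sample rows are copied from this report) and flags source/target pairs that show both API calls, labelling each side with the family that matched in its memory dumps. The row format it expects and the function names are this example's assumptions.

```python
import re

# Rows copied from the SetThreadContext, WriteProcessMemory and YARA tables in the
# report above. The sandbox flattens each API row onto one line as
# "PID <src> <verb> <dst> <src> <process name> <target id>"; the process name may
# contain spaces ("Process not Found" when the sandbox could not resolve the image).
REPORT_ROWS = """
PID 2204 set thread context of 3056 2204 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe 68
PID 2204 wrote to memory of 1984 2204 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe 66
PID 2204 wrote to memory of 3056 2204 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe 68
PID 2312 wrote to memory of 4088 2312 Process not Found 69
PID 2312 wrote to memory of 4852 2312 Process not Found 70
behavioral1/memory/2204-192-0x0000000005FA0000-0x0000000006008000-memory.dmp family_purecrypter
behavioral1/memory/3056-296-0x0000000000402EF0-mapping.dmp family_smokeloader
behavioral1/memory/3056-327-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader
"""

# Lazy ".+?" for the image name lets "Process not Found" match; the trailing \d+ is
# the sandbox's own target id column, which we do not need.
API_ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>.+?) \d+$"
)
YARA_ROW = re.compile(
    r"^behavioral1/memory/(?P<pid>\d+)-\d+-\S+\.dmp (?P<family>family_\w+)$"
)


def parse_report(text):
    """Split flattened rows into (writes, thread_contexts, families, images).

    writes / thread_contexts are sets of (src_pid, dst_pid); families maps a pid to
    the YARA families that matched in its memory; images maps a pid to its name.
    """
    writes, thread_contexts = set(), set()
    families, images = {}, {}
    for line in text.strip().splitlines():
        m = API_ROW.match(line)
        if m:
            src, dst = int(m["src"]), int(m["dst"])
            images[src] = m["image"]
            bucket = thread_contexts if m["verb"].startswith("set") else writes
            bucket.add((src, dst))
            continue
        m = YARA_ROW.match(line)
        if m:
            families.setdefault(int(m["pid"]), set()).add(m["family"])
    return writes, thread_contexts, families, images


def find_hollowing(text):
    """Return one record per (src, dst) pair that shows both a memory write and a
    SetThreadContext, i.e. the RunPE / process-hollowing signature. Pairs with writes
    only (ordinary child creation) are not reported."""
    writes, thread_contexts, families, images = parse_report(text)
    hits = []
    for src, dst in sorted(writes & thread_contexts):
        hits.append({
            "source_pid": src,
            "target_pid": dst,
            "image": images.get(src, "?"),
            "source_families": sorted(families.get(src, ())),
            "target_families": sorted(families.get(dst, ())),
        })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(REPORT_ROWS):
        print(f"{hit['source_pid']} -> {hit['target_pid']} ({hit['image']}): "
              f"loader={hit['source_families']} payload={hit['target_families']}")
```

On this report the only pair with both calls is 2204 -> 3056, with the PureCrypter match on the source and the SmokeLoader match on the target, which is the loader-unpacks-payload relationship the two family signatures imply. PID 2312's writes into 4088, 4852 and the rest have no SetThreadContext rows and are left out; the sandbox could not name that process, so nothing further is inferred about it here.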
Processes
-
C:\Users\Admin\AppData\Local\Temp\92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2204
  |
  +- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
     (the System32 path in the command line resolved to the SysWOW64 image through WOW64 file-system redirection, i.e. the parent is a 32-bit process)
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     PID:1984
  |
  +- C:\Users\Admin\AppData\Local\Temp\92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de.exe
     - Checks SCSI registry key(s)
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: MapViewOfSection
     PID:3056

C:\Users\Admin\AppData\Local\Temp\213F.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\213F.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
  |
  +- C:\Windows\SysWOW64\WerFault.exe
     Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1384
     - Program crash
     PID:4596

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:4852

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID:600

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID:4104

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID:2064

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID:996

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID:2416
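The PowerShell child (PID 1984) is started with -ENC, which powershell.exe interprets as the base64 encoding of a script in UTF-16LE; powershell.exe resolves switches by prefix, so any case-insensitive prefix of -EncodedCommand (-e, -ec, -enc, ...) selects that option. Decoding the value from the command line above gives `start-sleep -seconds 20`, a 20-second delay before the loader continues, the kind of pause used to outwait short sandbox runs (this run's kernel time budget was 150s, so it did not help here). The following Python is an added example, not part of the sandbox report: it pulls the encoded argument out of a command line and decodes it, tolerating stripped base64 padding and ignoring unrelated switches. `decode_encoded_command` and `encode_command` are names chosen for this example, and the lenient padding repair is this example's choice, not powershell.exe's behaviour.

```python
import base64
import binascii

# Command line copied from the process tree above (PID 1984).
OBSERVED_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="
)


def _is_encoded_flag(token):
    """True for -e, -ec, -enc, -EncodedCommand ... (any case-insensitive prefix).

    powershell.exe matches switches by prefix, so all of these select
    -EncodedCommand; -ex / -ep (ExecutionPolicy) and other switches do not.
    """
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return bool(name) and "encodedcommand".startswith(name)


def decode_encoded_command(cmdline):
    """Return the plaintext script carried by -EncodedCommand, or None if absent/invalid.

    The argument is base64 of the script encoded as UTF-16LE. Stripped padding is
    restored (a leniency of this example; powershell.exe itself rejects it), a
    dangling odd byte is dropped before UTF-16 decoding, and trailing NULs are removed.
    """
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if not _is_encoded_flag(flag):
            continue
        value = value.strip("\"'")
        padded = value + "=" * (-len(value) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            return None
        raw = raw[: len(raw) - len(raw) % 2]
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return None


def encode_command(script):
    """Inverse of decode_encoded_command; handy for building known-answer tests."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    print(decode_encoded_command(OBSERVED_CMDLINE))  # start-sleep -seconds 20
```

Run against a process-creation log, this is the first thing to apply to every powershell.exe command line: a 20-second sleep is harmless by itself, but the same encoding routinely hides download cradles, and the decoded text, not the base64 blob, is what detection content should match on.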
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
34KB
MD5
942d4384987c409eb5c3b5609a1c5216
SHA1
f705df7ca7b570357a19b19d28e5ea232c12e163
SHA256
46b3863afa7d05696d16d90c4fd7fefa1f2c9cb333dbf5abaacee35e39c0feee
SHA512
273620b4937d269735c4e915fa4f6c0dd48366b330fc7b2af37bdfb84a4e0813cbfa5fce78a96d2284d06ef43a2320b87a1a1fdc822aca75fbc373d12d808f88