Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-01-2023 12:21
General
-
Target
file.exe
-
Size
24KB
-
MD5
4edc2181db86513f593f18793d30ebf9
-
SHA1
33a4a18759143c258703147bb5a05a19f9be65d6
-
SHA256
92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de
-
SHA512
1f74d7a3d3a956ab8c472d1977279b8cff4a3989b03c7c78d704ee18a34e98546a7678baaddcc5c22930f627f3ffde2101a613f13fa4d6306b74cdc4fbf240b5
-
SSDEEP
96:TbpKgeeUZvHZ6mkIWjT4nLkjDUPRx0UxkRbkPf4LNiRB4e3T3e3Lvn1fzNt:Y8AvQdIWfoLkjD8TOQPf4L9bnr
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 3 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\file.exeC:\Users\Admin\AppData\Local\Temp\file.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\file.exeC:\Users\Admin\AppData\Local\Temp\file.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\file.exeC:\Users\Admin\AppData\Local\Temp\file.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C071.exeC:\Users\Admin\AppData\Local\Temp\C071.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 14682⤵
- Program crash
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1772 -ip 17721⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\C071.exeFilesize
34KB
MD5942d4384987c409eb5c3b5609a1c5216
SHA1f705df7ca7b570357a19b19d28e5ea232c12e163
SHA25646b3863afa7d05696d16d90c4fd7fefa1f2c9cb333dbf5abaacee35e39c0feee
SHA512273620b4937d269735c4e915fa4f6c0dd48366b330fc7b2af37bdfb84a4e0813cbfa5fce78a96d2284d06ef43a2320b87a1a1fdc822aca75fbc373d12d808f88
-
C:\Users\Admin\AppData\Local\Temp\C071.exeFilesize
34KB
MD5942d4384987c409eb5c3b5609a1c5216
SHA1f705df7ca7b570357a19b19d28e5ea232c12e163
SHA25646b3863afa7d05696d16d90c4fd7fefa1f2c9cb333dbf5abaacee35e39c0feee
SHA512273620b4937d269735c4e915fa4f6c0dd48366b330fc7b2af37bdfb84a4e0813cbfa5fce78a96d2284d06ef43a2320b87a1a1fdc822aca75fbc373d12d808f88
-
memory/1344-163-0x0000000000000000-mapping.dmp
-
memory/1344-173-0x0000000000F60000-0x0000000000F69000-memory.dmpFilesize
36KB
-
memory/1344-165-0x0000000000F50000-0x0000000000F5F000-memory.dmpFilesize
60KB
-
memory/1344-164-0x0000000000F60000-0x0000000000F69000-memory.dmpFilesize
36KB
-
memory/1772-151-0x0000000000000000-mapping.dmp
-
memory/1772-154-0x00000000009E0000-0x00000000009EE000-memory.dmpFilesize
56KB
-
memory/2176-146-0x0000000000000000-mapping.dmp
-
memory/2256-159-0x00000000010E0000-0x00000000010EC000-memory.dmpFilesize
48KB
-
memory/2256-158-0x0000000000000000-mapping.dmp
-
memory/2268-136-0x0000000005F30000-0x0000000005F52000-memory.dmpFilesize
136KB
-
memory/2268-135-0x0000000005DA0000-0x0000000005E32000-memory.dmpFilesize
584KB
-
memory/2268-133-0x0000000000080000-0x000000000008C000-memory.dmpFilesize
48KB
-
memory/2268-134-0x0000000006250000-0x00000000067F4000-memory.dmpFilesize
5.6MB
-
memory/2760-160-0x0000000000000000-mapping.dmp
-
memory/2760-161-0x00000000003A0000-0x00000000003A7000-memory.dmpFilesize
28KB
-
memory/2760-162-0x0000000000390000-0x000000000039B000-memory.dmpFilesize
44KB
-
memory/2760-172-0x00000000003A0000-0x00000000003A7000-memory.dmpFilesize
28KB
-
memory/3400-142-0x0000000006470000-0x000000000648E000-memory.dmpFilesize
120KB
-
memory/3400-141-0x0000000005D30000-0x0000000005D96000-memory.dmpFilesize
408KB
-
memory/3400-137-0x0000000000000000-mapping.dmp
-
memory/3400-138-0x0000000004EB0000-0x0000000004EE6000-memory.dmpFilesize
216KB
-
memory/3400-140-0x0000000005CC0000-0x0000000005D26000-memory.dmpFilesize
408KB
-
memory/3400-139-0x0000000005620000-0x0000000005C48000-memory.dmpFilesize
6.2MB
-
memory/3400-144-0x0000000006980000-0x000000000699A000-memory.dmpFilesize
104KB
-
memory/3400-143-0x0000000007AB0000-0x000000000812A000-memory.dmpFilesize
6.5MB
-
memory/3600-155-0x0000000000000000-mapping.dmp
-
memory/3600-157-0x0000000001260000-0x00000000012CB000-memory.dmpFilesize
428KB
-
memory/3600-156-0x00000000012D0000-0x0000000001345000-memory.dmpFilesize
468KB
-
memory/3800-147-0x0000000000000000-mapping.dmp
-
memory/3800-150-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3800-148-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3800-149-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4312-145-0x0000000000000000-mapping.dmp
-
memory/4364-169-0x0000000000000000-mapping.dmp
-
memory/4364-170-0x00000000007F0000-0x00000000007F6000-memory.dmpFilesize
24KB
-
memory/4364-171-0x00000000007E0000-0x00000000007EC000-memory.dmpFilesize
48KB
-
memory/4364-175-0x00000000007F0000-0x00000000007F6000-memory.dmpFilesize
24KB
-
memory/4820-166-0x0000000000000000-mapping.dmp
-
memory/4820-167-0x00000000003D0000-0x00000000003D5000-memory.dmpFilesize
20KB
-
memory/4820-168-0x00000000003C0000-0x00000000003C9000-memory.dmpFilesize
36KB
-
memory/4820-174-0x00000000003D0000-0x00000000003D5000-memory.dmpFilesize
20KB