Overview

overview

10

Static

static

28cfc00452...fc.exe

windows7-x64

10

28cfc00452...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-01-2023 04:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28cfc00452c4e3e6c0082fdca3c520fc.exe

  • Size

    24KB

  • MD5

    28cfc00452c4e3e6c0082fdca3c520fc

  • SHA1

    1260166c856aee0225371c7ab269f3a228cf8fb5

  • SHA256

    93b17c9c6d764b7e218d2d1669e8bd68059da3fe346936071b012d22d52fb35e

  • SHA512

    8413d173f55e5fe9d8fd415fd1f9e76358916ee1de5d1e6dbab3a1b18b0848011e76f7a2ee332f4fca64e8dcb26a8d1492c8d1ebe9ad165eba84c8dda6065af8

  • SSDEEP

    96:IEfPqlezZjTldKYgr+Doo+HzQLCmNeit3l/kSw6k7l6xiRQe3T3erAo00wGvzNt:IEfPql6VpJ/oGlL/kHH7l6Ej7e

Score
10/10
smokeloaderbackdoorcollectionpersistencespywarestealertrojan

Malware Config

Signatures

  • Detects Smokeloader packer 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28cfc00452c4e3e6c0082fdca3c520fc.exe
    "C:\Users\Admin\AppData\Local\Temp\28cfc00452c4e3e6c0082fdca3c520fc.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4240
    • C:\Users\Admin\AppData\Local\Temp\28cfc00452c4e3e6c0082fdca3c520fc.exe
      C:\Users\Admin\AppData\Local\Temp\28cfc00452c4e3e6c0082fdca3c520fc.exe
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3676
  • C:\Users\Admin\AppData\Roaming\tufuhij
    C:\Users\Admin\AppData\Roaming\tufuhij
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3968
    • C:\Users\Admin\AppData\Roaming\tufuhij
      C:\Users\Admin\AppData\Roaming\tufuhij
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:4308
  • C:\Users\Admin\AppData\Local\Temp\ACF9.exe
    C:\Users\Admin\AppData\Local\Temp\ACF9.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4400
    • C:\Users\Admin\AppData\Local\Temp\ACF9.exe
      C:\Users\Admin\AppData\Local\Temp\ACF9.exe
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:3148
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    • Accesses Microsoft Outlook profiles
    PID:2152
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
      PID:4348
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      1⤵
        PID:4584
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        1⤵
          PID:4596
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          1⤵
            PID:3044
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            1⤵
              PID:4848

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Credentials in Files

            3
            T1081

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            3
            T1082

            Peripheral Device Discovery

            1
            T1120

            Lateral Movement

            Collection

            Data from Local System

            3
            T1005

            Email Collection

            1
            T1114

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ACF9.exe.log
              Filesize

              1KB

              MD5

              3a9188331a78f1dbce606db64b841fcb

              SHA1

              8e2c99b7c477d06591a856a4ea3e1e214719eee8

              SHA256

              db4137e258a0f6159fda559a5f6dd2704be0582c3f0586f65040c7ad1eb68451

              SHA512

              d1a994610a045d89d5d306866c24ae56bf16555414b8f63f632552568e67b5586f26d5a17a1f0a55ada376730298e6d856e9161828d4eae9decfa4e015e0e90a

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              1KB

              MD5

              6195a91754effb4df74dbc72cdf4f7a6

              SHA1

              aba262f5726c6d77659fe0d3195e36a85046b427

              SHA256

              3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

              SHA512

              ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              Filesize

              53KB

              MD5

              06ad34f9739c5159b4d92d702545bd49

              SHA1

              9152a0d4f153f3f40f7e606be75f81b582ee0c17

              SHA256

              474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

              SHA512

              c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              16KB

              MD5

              eec02d876171eeca7b839dd31f7b7756

              SHA1

              4ce8d261ce1d097a14af944f5824576214be17f7

              SHA256

              0937ee1a79f6f3372a6c9f7b09543ce5147b6025498c1f6357096d3acb34870e

              SHA512

              6e968dce59bc2efd258d40fa21f731037f521e097e635142b13bc10cf032ef9379ee8c6b2865484a83b315902fea2f14bdcad4cd3745c97612660e367e950a9b

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              15KB

              MD5

              45ca1412de0e2dae9d6a058329c986a8

              SHA1

              d70ee991d6912a0317e9283f44627e16c5c5aebc

              SHA256

              6db18c4323fc2e277815a68c0e7353b43cf33f40108da1330fe2bc10729fbe07

              SHA512

              183208361bfa66f72dda663c95464a46e350415b5b557d30d8a889016b1ecca96431c8c212f7afb7b8c0eb594f3e42540434838b282aee2020877953668f0760

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\ACF9.exe
              Filesize

              24KB

              MD5

              ee87d669bdaf3fe239b86f4f76bab467

              SHA1

              a3d79efbb199aebb263db11a054ee1e5692be607

              SHA256

              f305a627115059bb9d66df01e558c00c6e2e5fff6e93c33299f069699dd893ac

              SHA512

              bcff0489ff29f14c69e63a490372069c3dfc740a1df7f9b2566f3d7a74e1f8be1a3722a51c481076362c9ca18aa094905a178d08a525269e769438853d407175

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\ACF9.exe
              Filesize

              24KB

              MD5

              ee87d669bdaf3fe239b86f4f76bab467

              SHA1

              a3d79efbb199aebb263db11a054ee1e5692be607

              SHA256

              f305a627115059bb9d66df01e558c00c6e2e5fff6e93c33299f069699dd893ac

              SHA512

              bcff0489ff29f14c69e63a490372069c3dfc740a1df7f9b2566f3d7a74e1f8be1a3722a51c481076362c9ca18aa094905a178d08a525269e769438853d407175

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\ACF9.exe
              Filesize

              24KB

              MD5

              ee87d669bdaf3fe239b86f4f76bab467

              SHA1

              a3d79efbb199aebb263db11a054ee1e5692be607

              SHA256

              f305a627115059bb9d66df01e558c00c6e2e5fff6e93c33299f069699dd893ac

              SHA512

              bcff0489ff29f14c69e63a490372069c3dfc740a1df7f9b2566f3d7a74e1f8be1a3722a51c481076362c9ca18aa094905a178d08a525269e769438853d407175

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Zkevyyhtxab\Lbjfpqx.exe
              MD5

              d41d8cd98f00b204e9800998ecf8427e

              SHA1

              da39a3ee5e6b4b0d3255bfef95601890afd80709

              SHA256

              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

              SHA512

              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

              Download Submit
            • C:\Users\Admin\AppData\Roaming\tufuhij
              Filesize

              24KB

              MD5

              28cfc00452c4e3e6c0082fdca3c520fc

              SHA1

              1260166c856aee0225371c7ab269f3a228cf8fb5

              SHA256

              93b17c9c6d764b7e218d2d1669e8bd68059da3fe346936071b012d22d52fb35e

              SHA512

              8413d173f55e5fe9d8fd415fd1f9e76358916ee1de5d1e6dbab3a1b18b0848011e76f7a2ee332f4fca64e8dcb26a8d1492c8d1ebe9ad165eba84c8dda6065af8

              Download Submit
            • C:\Users\Admin\AppData\Roaming\tufuhij
              Filesize

              24KB

              MD5

              28cfc00452c4e3e6c0082fdca3c520fc

              SHA1

              1260166c856aee0225371c7ab269f3a228cf8fb5

              SHA256

              93b17c9c6d764b7e218d2d1669e8bd68059da3fe346936071b012d22d52fb35e

              SHA512

              8413d173f55e5fe9d8fd415fd1f9e76358916ee1de5d1e6dbab3a1b18b0848011e76f7a2ee332f4fca64e8dcb26a8d1492c8d1ebe9ad165eba84c8dda6065af8

              Download Submit
            • C:\Users\Admin\AppData\Roaming\tufuhij
              Filesize

              24KB

              MD5

              28cfc00452c4e3e6c0082fdca3c520fc

              SHA1

              1260166c856aee0225371c7ab269f3a228cf8fb5

              SHA256

              93b17c9c6d764b7e218d2d1669e8bd68059da3fe346936071b012d22d52fb35e

              SHA512

              8413d173f55e5fe9d8fd415fd1f9e76358916ee1de5d1e6dbab3a1b18b0848011e76f7a2ee332f4fca64e8dcb26a8d1492c8d1ebe9ad165eba84c8dda6065af8

              Download Submit
            • memory/2152-163-0x0000000000F30000-0x0000000000FA5000-memory.dmp
              Filesize

              468KB

              Download
            • memory/2152-164-0x0000000000EC0000-0x0000000000F2B000-memory.dmp
              Filesize

              428KB

              Download
            • memory/2152-167-0x0000000000EC0000-0x0000000000F2B000-memory.dmp
              Filesize

              428KB

              Download
            • memory/2152-162-0x0000000000000000-mapping.dmp
              Download
            • memory/3044-184-0x00000000004C0000-0x00000000004C5000-memory.dmp
              Filesize

              20KB

              Download
            • memory/3044-178-0x00000000004B0000-0x00000000004B9000-memory.dmp
              Filesize

              36KB

              Download
            • memory/3044-177-0x00000000004C0000-0x00000000004C5000-memory.dmp
              Filesize

              20KB

              Download
            • memory/3044-176-0x0000000000000000-mapping.dmp
              Download
            • memory/3148-190-0x0000000005840000-0x0000000005DE4000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/3148-191-0x0000000006C70000-0x0000000006D02000-memory.dmp
              Filesize

              584KB

              Download
            • memory/3148-192-0x0000000006E90000-0x0000000006E9A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/3148-193-0x0000000006EF0000-0x0000000006F40000-memory.dmp
              Filesize

              320KB

              Download
            • memory/3148-194-0x0000000007110000-0x00000000072D2000-memory.dmp
              Filesize

              1.8MB

              Download
            • memory/3148-187-0x0000000000400000-0x0000000000430000-memory.dmp
              Filesize

              192KB

              Download
            • memory/3148-186-0x0000000000000000-mapping.dmp
              Download
            • memory/3676-144-0x0000000000400000-0x0000000000409000-memory.dmp
              Filesize

              36KB

              Download
            • memory/3676-143-0x0000000000400000-0x0000000000409000-memory.dmp
              Filesize

              36KB

              Download
            • memory/3676-142-0x0000000000000000-mapping.dmp
              Download
            • memory/3676-145-0x0000000000400000-0x0000000000409000-memory.dmp
              Filesize

              36KB

              Download
            • memory/3968-148-0x0000000000000000-mapping.dmp
              Download
            • memory/4188-133-0x0000000006B80000-0x0000000006BA2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/4188-132-0x0000000000B60000-0x0000000000B6C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/4240-136-0x0000000005560000-0x0000000005B88000-memory.dmp
              Filesize

              6.2MB

              Download
            • memory/4240-135-0x0000000004E20000-0x0000000004E56000-memory.dmp
              Filesize

              216KB

              Download
            • memory/4240-138-0x0000000005D70000-0x0000000005DD6000-memory.dmp
              Filesize

              408KB

              Download
            • memory/4240-137-0x0000000005D00000-0x0000000005D66000-memory.dmp
              Filesize

              408KB

              Download
            • memory/4240-140-0x0000000007C20000-0x000000000829A000-memory.dmp
              Filesize

              6.5MB

              Download
            • memory/4240-134-0x0000000000000000-mapping.dmp
              Download
            • memory/4240-139-0x00000000063E0000-0x00000000063FE000-memory.dmp
              Filesize

              120KB

              Download
            • memory/4240-141-0x00000000068D0000-0x00000000068EA000-memory.dmp
              Filesize

              104KB

              Download
            • memory/4308-156-0x0000000000400000-0x0000000000409000-memory.dmp
              Filesize

              36KB

              Download
            • memory/4308-153-0x0000000000000000-mapping.dmp
              Download
            • memory/4308-157-0x0000000000400000-0x0000000000409000-memory.dmp
              Filesize

              36KB

              Download
            • memory/4348-166-0x0000000000510000-0x000000000051C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/4348-165-0x0000000000000000-mapping.dmp
              Download
            • memory/4400-171-0x0000000000000000-mapping.dmp
              Download
            • memory/4520-158-0x0000000000000000-mapping.dmp
              Download
            • memory/4520-161-0x0000000000EF0000-0x0000000000EFC000-memory.dmp
              Filesize

              48KB

              Download
            • memory/4584-170-0x00000000005D0000-0x00000000005DB000-memory.dmp
              Filesize

              44KB

              Download
            • memory/4584-182-0x00000000005E0000-0x00000000005E7000-memory.dmp
              Filesize

              28KB

              Download
            • memory/4584-169-0x00000000005E0000-0x00000000005E7000-memory.dmp
              Filesize

              28KB

              Download
            • memory/4584-168-0x0000000000000000-mapping.dmp
              Download
            • memory/4596-183-0x00000000003F0000-0x00000000003F9000-memory.dmp
              Filesize

              36KB

              Download
            • memory/4596-175-0x00000000003E0000-0x00000000003EF000-memory.dmp
              Filesize

              60KB

              Download
            • memory/4596-174-0x00000000003F0000-0x00000000003F9000-memory.dmp
              Filesize

              36KB

              Download
            • memory/4596-172-0x0000000000000000-mapping.dmp
              Download
            • memory/4848-185-0x0000000000680000-0x0000000000686000-memory.dmp
              Filesize

              24KB

              Download
            • memory/4848-181-0x00000000003F0000-0x00000000003FC000-memory.dmp
              Filesize

              48KB

              Download
            • memory/4848-180-0x0000000000680000-0x0000000000686000-memory.dmp
              Filesize

              24KB

              Download
            • memory/4848-179-0x0000000000000000-mapping.dmp
              Download