Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
06-02-2023 18:45
General
-
Target
b47bd96dd25ff8e56c09f5fc5ec2d26817b48296ab30e571d9b0922bb663085f.exe
-
Size
298KB
-
MD5
884d6935e1ef87466fd551de778aa18b
-
SHA1
3ac31c9b85974ef65996ca22b866a0b8f3410803
-
SHA256
b47bd96dd25ff8e56c09f5fc5ec2d26817b48296ab30e571d9b0922bb663085f
-
SHA512
3182555dd4fe760ddf1e4048e3217cfc7689276de9d05deaf188bcd372f9ae861758336f830cfaec013bbda4cb3887db7a118726e72403f3a7c70b1fd2bc16f7
-
SSDEEP
6144:C/ENOLm5KY3uuSyaj7XbK62awYuQj94a:C8QiUY3uuSyo7fJljS
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b47bd96dd25ff8e56c09f5fc5ec2d26817b48296ab30e571d9b0922bb663085f.exe"C:\Users\Admin\AppData\Local\Temp\b47bd96dd25ff8e56c09f5fc5ec2d26817b48296ab30e571d9b0922bb663085f.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F486.exeC:\Users\Admin\AppData\Local\Temp\F486.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll,start2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 240193⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 4802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4820 -ip 48201⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\F486.exeFilesize
3.7MB
MD5247300a29ab85ce508146a1fe855aa41
SHA1822b06c6b1bfdd98ce758c6b8c4c203c4a702e3d
SHA256d394bb9b02f0b72a853d152a90ae62f21ec3bfd4a5455f2670ca59745748c4c5
SHA5121008043bfc542e8fa0cbf4c5214a8a10ed41a9574bbddeee15dc45430f23111d8387a2508615d726ff3e19b2732ce8ed6a60ebbf8344677d96f5f81bb45e96c0
-
C:\Users\Admin\AppData\Local\Temp\F486.exeFilesize
3.7MB
MD5247300a29ab85ce508146a1fe855aa41
SHA1822b06c6b1bfdd98ce758c6b8c4c203c4a702e3d
SHA256d394bb9b02f0b72a853d152a90ae62f21ec3bfd4a5455f2670ca59745748c4c5
SHA5121008043bfc542e8fa0cbf4c5214a8a10ed41a9574bbddeee15dc45430f23111d8387a2508615d726ff3e19b2732ce8ed6a60ebbf8344677d96f5f81bb45e96c0
-
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dllFilesize
4.2MB
MD551c25e70b552baf3de1cb19ab8136057
SHA1fe798c19f70ff497b3ec84c7735ae8fd3e573d64
SHA25607f4a861c3be024580ae17d8c91f6352f34369babde3b8513ce940bdcf52dd03
SHA5129e196eec89f313c5c0e90a7a790e948fa34849dde68f0395d33004c2adfe10935e284a0405fa262d13ab96ed8617b7d7dc3d504693e1ffa8cc93b5f92779aee6
-
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dllFilesize
4.2MB
MD551c25e70b552baf3de1cb19ab8136057
SHA1fe798c19f70ff497b3ec84c7735ae8fd3e573d64
SHA25607f4a861c3be024580ae17d8c91f6352f34369babde3b8513ce940bdcf52dd03
SHA5129e196eec89f313c5c0e90a7a790e948fa34849dde68f0395d33004c2adfe10935e284a0405fa262d13ab96ed8617b7d7dc3d504693e1ffa8cc93b5f92779aee6
-
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dllFilesize
4.2MB
MD551c25e70b552baf3de1cb19ab8136057
SHA1fe798c19f70ff497b3ec84c7735ae8fd3e573d64
SHA25607f4a861c3be024580ae17d8c91f6352f34369babde3b8513ce940bdcf52dd03
SHA5129e196eec89f313c5c0e90a7a790e948fa34849dde68f0395d33004c2adfe10935e284a0405fa262d13ab96ed8617b7d7dc3d504693e1ffa8cc93b5f92779aee6
-
memory/1616-133-0x00000000005F0000-0x00000000005F9000-memory.dmpFilesize
36KB
-
memory/1616-134-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/1616-135-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/1616-132-0x000000000081E000-0x0000000000833000-memory.dmpFilesize
84KB
-
memory/2120-148-0x00000000038F0000-0x000000000443E000-memory.dmpFilesize
11.3MB
-
memory/2120-154-0x0000000004500000-0x0000000004640000-memory.dmpFilesize
1.2MB
-
memory/2120-145-0x0000000002430000-0x000000000286C000-memory.dmpFilesize
4.2MB
-
memory/2120-139-0x0000000000000000-mapping.dmp
-
memory/2120-163-0x00000000038F0000-0x000000000443E000-memory.dmpFilesize
11.3MB
-
memory/2120-147-0x00000000038F0000-0x000000000443E000-memory.dmpFilesize
11.3MB
-
memory/2120-156-0x0000000004500000-0x0000000004640000-memory.dmpFilesize
1.2MB
-
memory/2120-149-0x00000000038F0000-0x000000000443E000-memory.dmpFilesize
11.3MB
-
memory/2120-150-0x0000000004500000-0x0000000004640000-memory.dmpFilesize
1.2MB
-
memory/2120-151-0x0000000004500000-0x0000000004640000-memory.dmpFilesize
1.2MB
-
memory/2120-155-0x0000000004500000-0x0000000004640000-memory.dmpFilesize
1.2MB
-
memory/2120-153-0x0000000004500000-0x0000000004640000-memory.dmpFilesize
1.2MB
-
memory/2628-162-0x0000000000000000-mapping.dmp
-
memory/2680-157-0x00007FF647D36890-mapping.dmp
-
memory/2680-158-0x0000016289330000-0x0000016289470000-memory.dmpFilesize
1.2MB
-
memory/2680-159-0x0000016289330000-0x0000016289470000-memory.dmpFilesize
1.2MB
-
memory/2680-160-0x00000000005D0000-0x0000000000861000-memory.dmpFilesize
2.6MB
-
memory/2680-161-0x0000016287A70000-0x0000016287D13000-memory.dmpFilesize
2.6MB
-
memory/3560-152-0x0000000000000000-mapping.dmp
-
memory/4820-136-0x0000000000000000-mapping.dmp
-
memory/4820-141-0x0000000002970000-0x0000000002E46000-memory.dmpFilesize
4.8MB
-
memory/4820-140-0x00000000025F2000-0x000000000296A000-memory.dmpFilesize
3.5MB
-
memory/4820-146-0x0000000000400000-0x00000000008E2000-memory.dmpFilesize
4.9MB