Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/02/2023, 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    321KB

  • MD5

    63378c08c181a297c7c22843e5f9347d

  • SHA1

    40b101fe68b133df842398b9420891bde46a4793

  • SHA256

    0de7ea82be4acb882af007b3912969da1af9a4dc31b057d0e8aa549ea24ee11b

  • SHA512

    e05fa49d332182282a368e8386f59d4fe2caff810f0f1b3ba71d15d6ed311f98c68bb265dbc56e0c34e385075060de9006b1e882911969a6ebafe7324da42baf

  • SSDEEP

    6144:QkiV/ACYyy92M8TMcC/TH0eD0c+Liq0v:Q1RA+a2NXCT0e49m

Score
10/10
gozilaplassmokeloader1001backdoorbankerclipperisfbstealertrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1001

C2

https://checklist.skype.com

http://176.10.125.84

http://91.242.219.235

http://79.132.130.73

http://176.10.119.209

http://194.76.225.88

http://79.132.134.158
Attributes
  • base_path

    /microsoft/

  • build

    260255

  • exe_type

    loader

  • extension

    .acx

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd

Signatures

  • Detects Smokeloader packer 2 IoCs
  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2328
  • C:\Users\Admin\AppData\Local\Temp\4CE7.exe
    C:\Users\Admin\AppData\Local\Temp\4CE7.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:64
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1028
      2⤵
      • Program crash
      PID:4364
  • C:\Users\Admin\AppData\Local\Temp\4DB3.exe
    C:\Users\Admin\AppData\Local\Temp\4DB3.exe
    1⤵
    • Executes dropped EXE
    PID:3416
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3552 -ip 3552
    1⤵
      PID:4344
    • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      1⤵
      • Executes dropped EXE
      PID:972

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4CE7.exe
      Filesize

      378KB

      MD5

      b141bc58618c537917cc1da179cbe8ab

      SHA1

      c76d3f5eeae9493e41a272a974b5dfec5f4e4724

      SHA256

      fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e

      SHA512

      5c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\4CE7.exe
      Filesize

      378KB

      MD5

      b141bc58618c537917cc1da179cbe8ab

      SHA1

      c76d3f5eeae9493e41a272a974b5dfec5f4e4724

      SHA256

      fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e

      SHA512

      5c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\4DB3.exe
      Filesize

      172KB

      MD5

      185596291815d84f3894dbeef5ea54e7

      SHA1

      6ff9c5982d02187a4e9961a98ab490ba479ed8e2

      SHA256

      3d723b2eac949a522f1d0d48d060a528cb275ae14803762200a760fdf9720e11

      SHA512

      99f61314609ce59795d7dce5c17a1564a18613d8babe242d192b83911c8baf0f746067e9aee08609da5f0d5514cb761c1364859f082bc1d18c6ecc7208f28eb5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\4DB3.exe
      Filesize

      172KB

      MD5

      185596291815d84f3894dbeef5ea54e7

      SHA1

      6ff9c5982d02187a4e9961a98ab490ba479ed8e2

      SHA256

      3d723b2eac949a522f1d0d48d060a528cb275ae14803762200a760fdf9720e11

      SHA512

      99f61314609ce59795d7dce5c17a1564a18613d8babe242d192b83911c8baf0f746067e9aee08609da5f0d5514cb761c1364859f082bc1d18c6ecc7208f28eb5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      Filesize

      626.9MB

      MD5

      838727d9fa09cfcfa62101f884cb318d

      SHA1

      91e809ac556d3f23689e6606f915476add72944b

      SHA256

      0632a7981536f2d98a1b6f9608f9c8149e31466003c429f7ba06972d35db208d

      SHA512

      02c74ae88a01dc5aa3d79ffec2f127772382eae4558c310a18e56adc1acffb44be9ccd4d1f0d626dda7e37733b9b0e5218cefe17c86b68d602d83999435fa811

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      Filesize

      631.8MB

      MD5

      1a2b244fe61f9d03a7152abb75dbc09a

      SHA1

      0493071e3c033c268835dea7791aae95d78e5271

      SHA256

      fc036354fdedca0b26625abec085825504f912f20ad78922aaf53f95fcd3b938

      SHA512

      28aca90e2619f2ea5fc6d8bd6089556ba37b2f32e1bc3169bafd0cd5b7d6efe1afc66d030b7a25e4ae747f4047e817361f8d432bd57f9c2dedfb3a6998e73717

      Download Submit

    • memory/972-160-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/972-161-0x00000000006F8000-0x0000000000722000-memory.dmp

      Filesize

      168KB

      Download

    • memory/972-159-0x00000000006F8000-0x0000000000722000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2328-136-0x0000000000590000-0x0000000000599000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2328-137-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2328-132-0x00000000005BD000-0x00000000005D3000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2328-135-0x00000000005BD000-0x00000000005D3000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2328-134-0x0000000000400000-0x000000000058F000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2328-133-0x0000000000590000-0x0000000000599000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3416-144-0x0000000000230000-0x0000000000241000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3416-145-0x0000000000070000-0x000000000007E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3416-148-0x0000000000260000-0x000000000026D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3416-153-0x0000000000070000-0x000000000007E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3552-146-0x0000000000729000-0x0000000000753000-memory.dmp

      Filesize

      168KB

      Download

    • memory/3552-156-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/3552-155-0x00000000020B0000-0x00000000020F7000-memory.dmp

      Filesize

      284KB

      Download

    • memory/3552-154-0x0000000000729000-0x0000000000753000-memory.dmp

      Filesize

      168KB

      Download

    • memory/3552-151-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/3552-147-0x00000000020B0000-0x00000000020F7000-memory.dmp

      Filesize

      284KB

      Download