Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
08/02/2023, 13:34
General
-
Target
file.exe
-
Size
314KB
-
MD5
5cff4c33cbc6e1ccf53952ac54aef16c
-
SHA1
ec660378cc11724e3914b9f8faec488fc228573b
-
SHA256
f4b9bed143b714df0405531aa041fe29bfdecc5e10cfe97002687217fd95cc11
-
SHA512
4ed147624483079a6c9276603f8ea662bb89e34dbdaacce451c86090241862ac46e38f3be7dc883d6574484b28062c0d13f387051d1cd42afe78f122c0557a9a
-
SSDEEP
3072:Lwz0dZZ+B7uOuRpm8fOCbKyEWIcXqjyYFYaTmRLStKRxhUwEbj:Lu0byubph2qErcQHmgtKBEX
Malware Config
Extracted
gozi
Extracted
gozi
1001
https://checklist.skype.com
http://176.10.125.84
http://91.242.219.235
http://79.132.130.73
http://176.10.119.209
http://194.76.225.88
http://79.132.134.158
-
base_path
/microsoft/
-
build
260255
-
exe_type
loader
-
extension
.acx
-
server_id
50
Extracted
laplas
http://45.159.189.105
-
api_key
ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd
Signatures
-
Detects Smokeloader packer 1 IoCs
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C7E8.exeC:\Users\Admin\AppData\Local\Temp\C7E8.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 10282⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\C8C4.exeC:\Users\Admin\AppData\Local\Temp\C8C4.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3924 -ip 39241⤵
-
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exeC:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
378KB
MD5b141bc58618c537917cc1da179cbe8ab
SHA1c76d3f5eeae9493e41a272a974b5dfec5f4e4724
SHA256fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e
SHA5125c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114
-
Filesize
378KB
MD5b141bc58618c537917cc1da179cbe8ab
SHA1c76d3f5eeae9493e41a272a974b5dfec5f4e4724
SHA256fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e
SHA5125c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114
-
Filesize
172KB
MD5185596291815d84f3894dbeef5ea54e7
SHA16ff9c5982d02187a4e9961a98ab490ba479ed8e2
SHA2563d723b2eac949a522f1d0d48d060a528cb275ae14803762200a760fdf9720e11
SHA51299f61314609ce59795d7dce5c17a1564a18613d8babe242d192b83911c8baf0f746067e9aee08609da5f0d5514cb761c1364859f082bc1d18c6ecc7208f28eb5
-
Filesize
172KB
MD5185596291815d84f3894dbeef5ea54e7
SHA16ff9c5982d02187a4e9961a98ab490ba479ed8e2
SHA2563d723b2eac949a522f1d0d48d060a528cb275ae14803762200a760fdf9720e11
SHA51299f61314609ce59795d7dce5c17a1564a18613d8babe242d192b83911c8baf0f746067e9aee08609da5f0d5514cb761c1364859f082bc1d18c6ecc7208f28eb5
-
Filesize
747.4MB
MD506d290c306dd0d78e93a2ce9c3428a50
SHA1016e0546266eb88c519e7674235e4727e2369099
SHA256e3b1b5df5a6ff64043e8d7d3bf33a89f2725bc8173f5ece656a195e941c4bb23
SHA51234f50d6957f4dffbda007889cd8ab4efbe716fb934c3d8da3e3c26af8bc65d49a51b06c0ec8f1a12d4098b8ba9f7c8a3ff274d3c356d697e2796a53c8daa6665
-
Filesize
747.4MB
MD506d290c306dd0d78e93a2ce9c3428a50
SHA1016e0546266eb88c519e7674235e4727e2369099
SHA256e3b1b5df5a6ff64043e8d7d3bf33a89f2725bc8173f5ece656a195e941c4bb23
SHA51234f50d6957f4dffbda007889cd8ab4efbe716fb934c3d8da3e3c26af8bc65d49a51b06c0ec8f1a12d4098b8ba9f7c8a3ff274d3c356d697e2796a53c8daa6665
-
Filesize
168KB
-
Filesize
488KB
-
Filesize
168KB
-
Filesize
52KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
168KB
-
Filesize
488KB
-
Filesize
168KB
-
Filesize
488KB
-
Filesize
284KB
-
Filesize
84KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
36KB