Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-1703_x64
- resource: win10-20220901-en
- resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 08-02-2023 20:10
Static task: static1
General
- Target: 7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda.exe
- Size: 321KB
- MD5: 1e512df0f26079e52376064f1a7ec019
- SHA1: 858a5465ed0f9fda9ab35945e765c44abcc4f230
- SHA256: 7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda
- SHA512: a2877121db47e6a3694c282d25a89a4869cd0fcc45f9dae555831baf497ed5db0ee5e24bb0965b3a1869574a936bc843d350512404269fe6f6ffeef79207c29c
- SSDEEP: 3072:oPgQ/NddxR9DMe4Cpk3gD0ooHGiylyUIx705sXos5vsWQDiuLpp9gv:orDrDMcC3RCyUIx70uXOLiqkv
Malware Config
Extracted: gozi
- 1001:
  - https://checklist.skype.com
  - http://176.10.125.84
  - http://91.242.219.235
  - http://79.132.130.73
  - http://176.10.119.209
  - http://194.76.225.88
  - http://79.132.134.158
- base_path: /microsoft/
- build: 260255
- exe_type: loader
- extension: .acx
- server_id: 50
Extracted: laplas
- http://45.159.189.105
- api_key: ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd
Signatures
- Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/3520-146-0x00000000006B0000-0x00000000006B9000-memory.dmp
  yara_rule: family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  pid 3064: Process not Found
- Executes dropped EXE (3 IoCs)
  pid 4384: 33B2.exe
  pid 4376: 3569.exe
  pid 5048: svcupdater.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3992: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3520: 7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda.exe (2 entries)
  pid 3064: Process not Found (all remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3064: Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 3520: 7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeShutdownPrivilege: pid 3064 (Process not Found)
  Token SeCreatePagefilePrivilege: pid 3064 (Process not Found)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3064 (Process not Found) wrote to memory of 4384, procid_target 66 (3 entries)
  PID 3064 (Process not Found) wrote to memory of 4376, procid_target 67 (3 entries)
  PID 4384 (33B2.exe) wrote to memory of 3992, procid_target 69 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7083c049037004acf270e8ce3f6bb25c502d8df38aab9e3a3cbd131444478cda.exe"
  PID: 3520
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\33B2.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\33B2.exe
  PID: 4384
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    PID: 3992
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\Temp\3569.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3569.exe
  PID: 4376
  - Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
  Command line: C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
  PID: 5048
  - Executes dropped EXE
Downloads