Analysis
-
max time kernel
152s -
max time network
116s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
12-02-2023 20:08
General
-
Target
e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1.exe
-
Size
186KB
-
MD5
45bcfc437dfd82db45e754202cfcc584
-
SHA1
792d70be144185f6e783c470d8933f71f550aa9d
-
SHA256
e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1
-
SHA512
1d3315a0eceff56830c8ba015f20df514250c820c3d856fae53579b3c2ce11719f9368281bf2246b3098c66041d1f459ab420fbb131f0dad587a1a4eb64d3b50
-
SSDEEP
3072:y7tia+HuC15668TJzvokJ+/6Zq1QDoWjPwiyN:MTC0DN0kc/Eq3WVy
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
Panda Stealer payload 3 IoCs
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1.exe"C:\Users\Admin\AppData\Local\Temp\e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\5CD5.exeC:\Users\Admin\AppData\Local\Temp\5CD5.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6070.exeC:\Users\Admin\AppData\Local\Temp\6070.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\cjedrvhC:\Users\Admin\AppData\Roaming\cjedrvh1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
1.5MB
MD5f0d0fefc0b2a3aacccbcc6901fca3530
SHA11a9206e75f2b279decb39ed98b830080d773fd01
SHA2561d3c5be08cb5e52449bc403d4ca2c5697aafb83cb5b883662475d31503442c0c
SHA5126ac9f229b8d37b34dfd42aa19cc8e9cea53a62ef4ab3d0261815b89829ba5c42d7a0566e4972cb7f7ec72a2be58615c23e9ee5b502e7a3777ab9e0caf1b9257d
-
Filesize
1.5MB
MD5f0d0fefc0b2a3aacccbcc6901fca3530
SHA11a9206e75f2b279decb39ed98b830080d773fd01
SHA2561d3c5be08cb5e52449bc403d4ca2c5697aafb83cb5b883662475d31503442c0c
SHA5126ac9f229b8d37b34dfd42aa19cc8e9cea53a62ef4ab3d0261815b89829ba5c42d7a0566e4972cb7f7ec72a2be58615c23e9ee5b502e7a3777ab9e0caf1b9257d
-
Filesize
186KB
MD545bcfc437dfd82db45e754202cfcc584
SHA1792d70be144185f6e783c470d8933f71f550aa9d
SHA256e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1
SHA5121d3315a0eceff56830c8ba015f20df514250c820c3d856fae53579b3c2ce11719f9368281bf2246b3098c66041d1f459ab420fbb131f0dad587a1a4eb64d3b50
-
Filesize
186KB
MD545bcfc437dfd82db45e754202cfcc584
SHA1792d70be144185f6e783c470d8933f71f550aa9d
SHA256e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1
SHA5121d3315a0eceff56830c8ba015f20df514250c820c3d856fae53579b3c2ce11719f9368281bf2246b3098c66041d1f459ab420fbb131f0dad587a1a4eb64d3b50
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
-
Filesize
1.6MB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
1.6MB
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
48KB
-
Filesize
24KB
-
-
Filesize
24KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
3.5MB
-
Filesize
88KB
-
Filesize
3.5MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
88KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
32KB
-
-
Filesize
20KB
-
Filesize
36KB
-
-
Filesize
20KB
-
Filesize
136KB
-
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
3.5MB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
3.5MB
-
Filesize
1.6MB
-
Filesize
652KB
-
Filesize
1.6MB
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
652KB
-
Filesize
28KB
-
Filesize
28KB
-
-
Filesize
52KB
-
Filesize
24KB
-
-
Filesize
44KB
-
Filesize
24KB
-
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB