Analysis
-
max time kernel
152s -
max time network
116s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
12-02-2023 20:08
General
-
Target
e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1.exe
-
Size
186KB
-
MD5
45bcfc437dfd82db45e754202cfcc584
-
SHA1
792d70be144185f6e783c470d8933f71f550aa9d
-
SHA256
e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1
-
SHA512
1d3315a0eceff56830c8ba015f20df514250c820c3d856fae53579b3c2ce11719f9368281bf2246b3098c66041d1f459ab420fbb131f0dad587a1a4eb64d3b50
-
SSDEEP
3072:y7tia+HuC15668TJzvokJ+/6Zq1QDoWjPwiyN:MTC0DN0kc/Eq3WVy
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
Panda Stealer payload 3 IoCs
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1.exe"C:\Users\Admin\AppData\Local\Temp\e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\5CD5.exeC:\Users\Admin\AppData\Local\Temp\5CD5.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6070.exeC:\Users\Admin\AppData\Local\Temp\6070.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\cjedrvhC:\Users\Admin\AppData\Roaming\cjedrvh1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5CD5.exeFilesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
C:\Users\Admin\AppData\Local\Temp\5CD5.exeFilesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
C:\Users\Admin\AppData\Local\Temp\6070.exeFilesize
1.5MB
MD5f0d0fefc0b2a3aacccbcc6901fca3530
SHA11a9206e75f2b279decb39ed98b830080d773fd01
SHA2561d3c5be08cb5e52449bc403d4ca2c5697aafb83cb5b883662475d31503442c0c
SHA5126ac9f229b8d37b34dfd42aa19cc8e9cea53a62ef4ab3d0261815b89829ba5c42d7a0566e4972cb7f7ec72a2be58615c23e9ee5b502e7a3777ab9e0caf1b9257d
-
C:\Users\Admin\AppData\Local\Temp\6070.exeFilesize
1.5MB
MD5f0d0fefc0b2a3aacccbcc6901fca3530
SHA11a9206e75f2b279decb39ed98b830080d773fd01
SHA2561d3c5be08cb5e52449bc403d4ca2c5697aafb83cb5b883662475d31503442c0c
SHA5126ac9f229b8d37b34dfd42aa19cc8e9cea53a62ef4ab3d0261815b89829ba5c42d7a0566e4972cb7f7ec72a2be58615c23e9ee5b502e7a3777ab9e0caf1b9257d
-
C:\Users\Admin\AppData\Roaming\cjedrvhFilesize
186KB
MD545bcfc437dfd82db45e754202cfcc584
SHA1792d70be144185f6e783c470d8933f71f550aa9d
SHA256e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1
SHA5121d3315a0eceff56830c8ba015f20df514250c820c3d856fae53579b3c2ce11719f9368281bf2246b3098c66041d1f459ab420fbb131f0dad587a1a4eb64d3b50
-
C:\Users\Admin\AppData\Roaming\cjedrvhFilesize
186KB
MD545bcfc437dfd82db45e754202cfcc584
SHA1792d70be144185f6e783c470d8933f71f550aa9d
SHA256e6a7ff28239ac9e90f17ee80ccb7983dd855996550fd3455ae6de207f8c1b9d1
SHA5121d3315a0eceff56830c8ba015f20df514250c820c3d856fae53579b3c2ce11719f9368281bf2246b3098c66041d1f459ab420fbb131f0dad587a1a4eb64d3b50
-
memory/1464-577-0x0000000000C60000-0x0000000000C68000-memory.dmpFilesize
32KB
-
memory/1464-570-0x0000000000C50000-0x0000000000C5B000-memory.dmpFilesize
44KB
-
memory/1464-569-0x0000000000C60000-0x0000000000C68000-memory.dmpFilesize
32KB
-
memory/1464-412-0x0000000000000000-mapping.dmp
-
memory/1504-187-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-349-0x0000000000C10000-0x0000000000C17000-memory.dmpFilesize
28KB
-
memory/1504-387-0x0000000000C00000-0x0000000000C0B000-memory.dmpFilesize
44KB
-
memory/1504-198-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-169-0x0000000000000000-mapping.dmp
-
memory/1504-190-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-194-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-184-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-182-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-170-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-178-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-176-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-174-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-171-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-172-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1504-173-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/1776-275-0x0000000000380000-0x000000000038C000-memory.dmpFilesize
48KB
-
memory/1776-270-0x0000000000390000-0x0000000000396000-memory.dmpFilesize
24KB
-
memory/1776-234-0x0000000000000000-mapping.dmp
-
memory/1776-571-0x0000000000390000-0x0000000000396000-memory.dmpFilesize
24KB
-
memory/2444-149-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-146-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-155-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-154-0x0000000000970000-0x0000000000979000-memory.dmpFilesize
36KB
-
memory/2444-152-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-151-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-156-0x0000000000400000-0x000000000078A000-memory.dmpFilesize
3.5MB
-
memory/2444-157-0x0000000000AFA000-0x0000000000B10000-memory.dmpFilesize
88KB
-
memory/2444-158-0x0000000000400000-0x000000000078A000-memory.dmpFilesize
3.5MB
-
memory/2444-150-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-120-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-133-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-134-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-121-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-148-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-122-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-123-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-135-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-147-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-131-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-124-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-145-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-144-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-143-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-142-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-125-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-141-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-140-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-139-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-126-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-153-0x0000000000AFA000-0x0000000000B10000-memory.dmpFilesize
88KB
-
memory/2444-138-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-137-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-132-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-136-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-127-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-128-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-129-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2444-130-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2804-162-0x0000000000A60000-0x0000000000A68000-memory.dmpFilesize
32KB
-
memory/2804-159-0x0000000000000000-mapping.dmp
-
memory/2968-434-0x0000000000AB0000-0x0000000000AB5000-memory.dmpFilesize
20KB
-
memory/2968-439-0x0000000000AA0000-0x0000000000AA9000-memory.dmpFilesize
36KB
-
memory/2968-207-0x0000000000000000-mapping.dmp
-
memory/2968-573-0x0000000000AB0000-0x0000000000AB5000-memory.dmpFilesize
20KB
-
memory/3468-510-0x00000000008E0000-0x0000000000902000-memory.dmpFilesize
136KB
-
memory/3468-266-0x0000000000000000-mapping.dmp
-
memory/3468-513-0x00000000008B0000-0x00000000008D7000-memory.dmpFilesize
156KB
-
memory/3468-574-0x00000000008E0000-0x0000000000902000-memory.dmpFilesize
136KB
-
memory/3916-193-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3916-185-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3916-197-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3916-166-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3916-165-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3916-163-0x0000000000000000-mapping.dmp
-
memory/3916-195-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3916-168-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3916-167-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3916-175-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3916-191-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3916-177-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3916-188-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/4060-304-0x0000000000000000-mapping.dmp
-
memory/4060-576-0x0000000000180000-0x0000000000185000-memory.dmpFilesize
20KB
-
memory/4060-546-0x0000000000180000-0x0000000000185000-memory.dmpFilesize
20KB
-
memory/4060-548-0x0000000000170000-0x0000000000179000-memory.dmpFilesize
36KB
-
memory/4164-617-0x0000000000400000-0x000000000078A000-memory.dmpFilesize
3.5MB
-
memory/4164-616-0x0000000000B7A000-0x0000000000B8F000-memory.dmpFilesize
84KB
-
memory/4164-606-0x0000000000B7A000-0x0000000000B8F000-memory.dmpFilesize
84KB
-
memory/4164-607-0x0000000000400000-0x000000000078A000-memory.dmpFilesize
3.5MB
-
memory/4296-196-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/4296-181-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4296-189-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/4296-183-0x000000000045B608-mapping.dmp
-
memory/4296-192-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/4296-186-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/4296-313-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4412-392-0x0000000000110000-0x0000000000117000-memory.dmpFilesize
28KB
-
memory/4412-572-0x0000000000110000-0x0000000000117000-memory.dmpFilesize
28KB
-
memory/4412-374-0x0000000000000000-mapping.dmp
-
memory/4412-397-0x0000000000100000-0x000000000010D000-memory.dmpFilesize
52KB
-
memory/4520-575-0x0000000000B70000-0x0000000000B76000-memory.dmpFilesize
24KB
-
memory/4520-336-0x0000000000000000-mapping.dmp
-
memory/4520-568-0x0000000000B60000-0x0000000000B6B000-memory.dmpFilesize
44KB
-
memory/4520-551-0x0000000000B70000-0x0000000000B76000-memory.dmpFilesize
24KB
-
memory/4908-180-0x0000000000000000-mapping.dmp
-
memory/4908-210-0x0000000000750000-0x000000000075F000-memory.dmpFilesize
60KB
-
memory/4908-206-0x0000000000760000-0x0000000000769000-memory.dmpFilesize
36KB
-
memory/4908-567-0x0000000000760000-0x0000000000769000-memory.dmpFilesize
36KB