Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
15-02-2023 17:01
General
-
Target
04b1711beba9284f46e355b5d22eed54.exe
-
Size
189KB
-
MD5
04b1711beba9284f46e355b5d22eed54
-
SHA1
a81642aec480505036852d22d5b8ee2bd76e604f
-
SHA256
928b339a13c0dcfbaae8b9fc1d0489de4795a0f6c21b6d94832b30c31bf10907
-
SHA512
d9c09a5761fa8637853c705e3bb5489f43bea5a36092712e7021e701bd2ca10edb9531653c8c58e5014afef243231d17ded7dac820e3225886ea57c1be8a90f9
-
SSDEEP
3072:d/ipHQ6o8/MXs3pTtKSKg4XTZLNJjgn1ZiYqRr7xW:JoHU8/MXs3pBqT9zjmWRr
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
Panda Stealer payload 4 IoCs
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\04b1711beba9284f46e355b5d22eed54.exe"C:\Users\Admin\AppData\Local\Temp\04b1711beba9284f46e355b5d22eed54.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\91EF.exeC:\Users\Admin\AppData\Local\Temp\91EF.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9859.exeC:\Users\Admin\AppData\Local\Temp\9859.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\A24D.exeC:\Users\Admin\AppData\Local\Temp\A24D.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 12242⤵
- Program crash
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5060 -ip 50601⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
3.1MB
MD59be366e3eead805c905977cf03900368
SHA12b54c4b41e4cf54beb888bad6b795d9bc0179554
SHA2561ab08663f123eceac52565a05cf46d5eacabf57c02ac401cbfb6258f6b099847
SHA512d8adccf92392248f5674cc1b69c9533add0913b0307194d41ba78d81b533f57ec4b39e225bd0656441f70214a01cf0a9d64adcf307e06548f0b2f138bc68871f
-
Filesize
3.1MB
MD59be366e3eead805c905977cf03900368
SHA12b54c4b41e4cf54beb888bad6b795d9bc0179554
SHA2561ab08663f123eceac52565a05cf46d5eacabf57c02ac401cbfb6258f6b099847
SHA512d8adccf92392248f5674cc1b69c9533add0913b0307194d41ba78d81b533f57ec4b39e225bd0656441f70214a01cf0a9d64adcf307e06548f0b2f138bc68871f
-
Filesize
299KB
MD54044277808862af81c94098f33ef040d
SHA1d249a425325fb6cf3ff431450492e5e8467cfe07
SHA25600f8d989336d2e4e3a4544f8bdb5ae97500f16e3d0dc262a78d7e75f9abe3288
SHA512cc88af60599447479d49b0ffe2ef78a211a4b597d7171ab8105595f4809c0e363e5dba66b5f0cf3b2957fc5df1b9589e730d10235af0dff5bdbd957686435039
-
Filesize
299KB
MD54044277808862af81c94098f33ef040d
SHA1d249a425325fb6cf3ff431450492e5e8467cfe07
SHA25600f8d989336d2e4e3a4544f8bdb5ae97500f16e3d0dc262a78d7e75f9abe3288
SHA512cc88af60599447479d49b0ffe2ef78a211a4b597d7171ab8105595f4809c0e363e5dba66b5f0cf3b2957fc5df1b9589e730d10235af0dff5bdbd957686435039
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
36KB
-
Filesize
76KB
-
Filesize
1.5MB
-
Filesize
6.1MB
-
Filesize
120KB
-
Filesize
1.8MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
180KB
-
Filesize
1.5MB
-
Filesize
1.0MB
-
Filesize
472KB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
392KB
-
Filesize
408KB
-
Filesize
5.2MB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
44KB