Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
15-02-2023 17:50
General
-
Target
2665361cf05b16f5e4a06e0854b242bf8af84443a9a58fdf20781a56a0be4aea.exe
-
Size
190KB
-
MD5
0f4366fc1e39b87214e8a8a8cf306410
-
SHA1
0762fb2cda9320ccfefadc7ad269c4a65d24d8e5
-
SHA256
2665361cf05b16f5e4a06e0854b242bf8af84443a9a58fdf20781a56a0be4aea
-
SHA512
60e0c53acaa754458e29f35c492e728b4fdb464d9d522ea05acb07c69f728991ba7486019829417c0bef90fee3eb7f5b5686c5cd1a14f480a029287fc425e8d7
-
SSDEEP
3072:AmNzQBbee3rl9gEI3SF8xyiuVusp77d/lpBL3dHW8GW:AgzQ8e3roEIiFCvvg77Ld28
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
Panda Stealer payload 4 IoCs
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2665361cf05b16f5e4a06e0854b242bf8af84443a9a58fdf20781a56a0be4aea.exe"C:\Users\Admin\AppData\Local\Temp\2665361cf05b16f5e4a06e0854b242bf8af84443a9a58fdf20781a56a0be4aea.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\413F.exeC:\Users\Admin\AppData\Local\Temp\413F.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\46DD.exeC:\Users\Admin\AppData\Local\Temp\46DD.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\4D57.exeC:\Users\Admin\AppData\Local\Temp\4D57.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 12202⤵
- Program crash
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 456 -ip 4561⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\413F.exeFilesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
C:\Users\Admin\AppData\Local\Temp\413F.exeFilesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
C:\Users\Admin\AppData\Local\Temp\46DD.exeFilesize
3.1MB
MD59be366e3eead805c905977cf03900368
SHA12b54c4b41e4cf54beb888bad6b795d9bc0179554
SHA2561ab08663f123eceac52565a05cf46d5eacabf57c02ac401cbfb6258f6b099847
SHA512d8adccf92392248f5674cc1b69c9533add0913b0307194d41ba78d81b533f57ec4b39e225bd0656441f70214a01cf0a9d64adcf307e06548f0b2f138bc68871f
-
C:\Users\Admin\AppData\Local\Temp\46DD.exeFilesize
3.1MB
MD59be366e3eead805c905977cf03900368
SHA12b54c4b41e4cf54beb888bad6b795d9bc0179554
SHA2561ab08663f123eceac52565a05cf46d5eacabf57c02ac401cbfb6258f6b099847
SHA512d8adccf92392248f5674cc1b69c9533add0913b0307194d41ba78d81b533f57ec4b39e225bd0656441f70214a01cf0a9d64adcf307e06548f0b2f138bc68871f
-
C:\Users\Admin\AppData\Local\Temp\4D57.exeFilesize
299KB
MD54044277808862af81c94098f33ef040d
SHA1d249a425325fb6cf3ff431450492e5e8467cfe07
SHA25600f8d989336d2e4e3a4544f8bdb5ae97500f16e3d0dc262a78d7e75f9abe3288
SHA512cc88af60599447479d49b0ffe2ef78a211a4b597d7171ab8105595f4809c0e363e5dba66b5f0cf3b2957fc5df1b9589e730d10235af0dff5bdbd957686435039
-
C:\Users\Admin\AppData\Local\Temp\4D57.exeFilesize
299KB
MD54044277808862af81c94098f33ef040d
SHA1d249a425325fb6cf3ff431450492e5e8467cfe07
SHA25600f8d989336d2e4e3a4544f8bdb5ae97500f16e3d0dc262a78d7e75f9abe3288
SHA512cc88af60599447479d49b0ffe2ef78a211a4b597d7171ab8105595f4809c0e363e5dba66b5f0cf3b2957fc5df1b9589e730d10235af0dff5bdbd957686435039
-
memory/456-166-0x00000000021D0000-0x0000000002232000-memory.dmpFilesize
392KB
-
memory/456-162-0x0000000004E90000-0x0000000005434000-memory.dmpFilesize
5.6MB
-
memory/456-181-0x00000000065E0000-0x0000000006672000-memory.dmpFilesize
584KB
-
memory/456-178-0x0000000005DD0000-0x0000000005E36000-memory.dmpFilesize
408KB
-
memory/456-188-0x0000000006690000-0x0000000006706000-memory.dmpFilesize
472KB
-
memory/456-170-0x0000000004DB0000-0x0000000004DC2000-memory.dmpFilesize
72KB
-
memory/456-189-0x0000000006750000-0x000000000676E000-memory.dmpFilesize
120KB
-
memory/456-190-0x0000000006910000-0x0000000006AD2000-memory.dmpFilesize
1.8MB
-
memory/456-191-0x0000000006AE0000-0x000000000700C000-memory.dmpFilesize
5.2MB
-
memory/456-169-0x0000000005440000-0x0000000005A58000-memory.dmpFilesize
6.1MB
-
memory/456-168-0x0000000000400000-0x000000000057D000-memory.dmpFilesize
1.5MB
-
memory/456-149-0x0000000000000000-mapping.dmp
-
memory/456-193-0x0000000000648000-0x0000000000675000-memory.dmpFilesize
180KB
-
memory/456-171-0x0000000005A60000-0x0000000005B6A000-memory.dmpFilesize
1.0MB
-
memory/456-165-0x0000000000648000-0x0000000000675000-memory.dmpFilesize
180KB
-
memory/456-194-0x0000000000400000-0x000000000057D000-memory.dmpFilesize
1.5MB
-
memory/456-172-0x0000000004DD0000-0x0000000004E0C000-memory.dmpFilesize
240KB
-
memory/1404-202-0x00000000012C0000-0x00000000012C8000-memory.dmpFilesize
32KB
-
memory/1404-185-0x0000000000000000-mapping.dmp
-
memory/1404-186-0x00000000012C0000-0x00000000012C8000-memory.dmpFilesize
32KB
-
memory/1404-187-0x00000000012B0000-0x00000000012BB000-memory.dmpFilesize
44KB
-
memory/1632-141-0x0000000000000000-mapping.dmp
-
memory/2736-180-0x0000000000F20000-0x0000000000F2B000-memory.dmpFilesize
44KB
-
memory/2736-179-0x0000000000F30000-0x0000000000F36000-memory.dmpFilesize
24KB
-
memory/2736-177-0x0000000000000000-mapping.dmp
-
memory/2736-200-0x0000000000F30000-0x0000000000F36000-memory.dmpFilesize
24KB
-
memory/3952-192-0x0000000000BD0000-0x0000000000BD7000-memory.dmpFilesize
28KB
-
memory/3952-153-0x0000000000BD0000-0x0000000000BD7000-memory.dmpFilesize
28KB
-
memory/3952-152-0x0000000000000000-mapping.dmp
-
memory/3952-154-0x0000000000BC0000-0x0000000000BCB000-memory.dmpFilesize
44KB
-
memory/4152-139-0x0000000000C20000-0x0000000000C28000-memory.dmpFilesize
32KB
-
memory/4152-140-0x00007FFAB6A30000-0x00007FFAB74F1000-memory.dmpFilesize
10.8MB
-
memory/4152-136-0x0000000000000000-mapping.dmp
-
memory/4344-196-0x0000000000AC0000-0x0000000000AC5000-memory.dmpFilesize
20KB
-
memory/4344-160-0x0000000000670000-0x0000000000679000-memory.dmpFilesize
36KB
-
memory/4344-158-0x0000000000000000-mapping.dmp
-
memory/4344-159-0x0000000000AC0000-0x0000000000AC5000-memory.dmpFilesize
20KB
-
memory/4604-198-0x0000000000E00000-0x0000000000E22000-memory.dmpFilesize
136KB
-
memory/4604-175-0x0000000000BC0000-0x0000000000BE7000-memory.dmpFilesize
156KB
-
memory/4604-174-0x0000000000E00000-0x0000000000E22000-memory.dmpFilesize
136KB
-
memory/4604-167-0x0000000000000000-mapping.dmp
-
memory/4684-147-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4684-144-0x0000000000000000-mapping.dmp
-
memory/4684-146-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4684-145-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4684-148-0x0000000000400000-0x00000000004A3000-memory.dmpFilesize
652KB
-
memory/4692-155-0x0000000000000000-mapping.dmp
-
memory/4692-195-0x0000000000C10000-0x0000000000C19000-memory.dmpFilesize
36KB
-
memory/4692-157-0x0000000000C00000-0x0000000000C0F000-memory.dmpFilesize
60KB
-
memory/4692-156-0x0000000000C10000-0x0000000000C19000-memory.dmpFilesize
36KB
-
memory/4700-199-0x00000000001E0000-0x00000000001E5000-memory.dmpFilesize
20KB
-
memory/4700-176-0x00000000001D0000-0x00000000001D9000-memory.dmpFilesize
36KB
-
memory/4700-173-0x0000000000000000-mapping.dmp
-
memory/4848-197-0x0000000000310000-0x0000000000316000-memory.dmpFilesize
24KB
-
memory/4848-164-0x0000000000300000-0x000000000030C000-memory.dmpFilesize
48KB
-
memory/4848-161-0x0000000000000000-mapping.dmp
-
memory/4848-163-0x0000000000310000-0x0000000000316000-memory.dmpFilesize
24KB
-
memory/5004-184-0x0000000000AA0000-0x0000000000AAD000-memory.dmpFilesize
52KB
-
memory/5004-182-0x0000000000000000-mapping.dmp
-
memory/5004-183-0x0000000000AB0000-0x0000000000AB7000-memory.dmpFilesize
28KB
-
memory/5004-201-0x0000000000AB0000-0x0000000000AB7000-memory.dmpFilesize
28KB
-
memory/5060-135-0x0000000000400000-0x0000000000561000-memory.dmpFilesize
1.4MB
-
memory/5060-132-0x000000000076F000-0x0000000000782000-memory.dmpFilesize
76KB
-
memory/5060-133-0x0000000000700000-0x0000000000709000-memory.dmpFilesize
36KB
-
memory/5060-134-0x0000000000400000-0x0000000000561000-memory.dmpFilesize
1.4MB