Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
17-02-2023 01:09
General
-
Target
d522a2afd51e06415121bdb9086b1184203f2d102d5e11f105942384a0fe6926.exe
-
Size
252KB
-
MD5
67e18e5dba3b7af185f1f5f555727f2a
-
SHA1
d927f201c3f52341624da9414f4efdec1dbe191c
-
SHA256
d522a2afd51e06415121bdb9086b1184203f2d102d5e11f105942384a0fe6926
-
SHA512
ba03f854cf2753200d950a40b1b7af800efccf2fa28e7cb68b4913053095273ba73902b3bddd89aca3ba496b52e1fa9f921b75a6209d03911d185bbfef32eec6
-
SSDEEP
3072:CbQnrBNL1pE1GBhboo4g0xg4nCmoiTq+G90xHHPV0v:0YrjLUGJv0tnCmRTW4HHK
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d522a2afd51e06415121bdb9086b1184203f2d102d5e11f105942384a0fe6926.exe"C:\Users\Admin\AppData\Local\Temp\d522a2afd51e06415121bdb9086b1184203f2d102d5e11f105942384a0fe6926.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\civbsbbC:\Users\Admin\AppData\Roaming\civbsbb1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\180C.exeC:\Users\Admin\AppData\Local\Temp\180C.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2D2B.exeC:\Users\Admin\AppData\Local\Temp\2D2B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 2122⤵
- Program crash
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3552 -ip 35521⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
1.2MB
MD5dc27ef8aa9c5c53103d8fb56bbde1b29
SHA1e38af16c0e9246bccce5b5dff0fd11a4f3c49f28
SHA25667b26a8d7f192326203f250d49ba5ed085107cad937fa71aeae923969e6b27a7
SHA5123ce6972af50a8e32a7327fc52e51a46593dcef017351b24777511b9d4fb2a748b0755978fd809a9788ba6af1dc4c7a8fb0580bf785326e9de0eed370281de1eb
-
Filesize
1.2MB
MD5dc27ef8aa9c5c53103d8fb56bbde1b29
SHA1e38af16c0e9246bccce5b5dff0fd11a4f3c49f28
SHA25667b26a8d7f192326203f250d49ba5ed085107cad937fa71aeae923969e6b27a7
SHA5123ce6972af50a8e32a7327fc52e51a46593dcef017351b24777511b9d4fb2a748b0755978fd809a9788ba6af1dc4c7a8fb0580bf785326e9de0eed370281de1eb
-
Filesize
252KB
MD567e18e5dba3b7af185f1f5f555727f2a
SHA1d927f201c3f52341624da9414f4efdec1dbe191c
SHA256d522a2afd51e06415121bdb9086b1184203f2d102d5e11f105942384a0fe6926
SHA512ba03f854cf2753200d950a40b1b7af800efccf2fa28e7cb68b4913053095273ba73902b3bddd89aca3ba496b52e1fa9f921b75a6209d03911d185bbfef32eec6
-
Filesize
252KB
MD567e18e5dba3b7af185f1f5f555727f2a
SHA1d927f201c3f52341624da9414f4efdec1dbe191c
SHA256d522a2afd51e06415121bdb9086b1184203f2d102d5e11f105942384a0fe6926
SHA512ba03f854cf2753200d950a40b1b7af800efccf2fa28e7cb68b4913053095273ba73902b3bddd89aca3ba496b52e1fa9f921b75a6209d03911d185bbfef32eec6
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB
-
-
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
28KB
-
-
Filesize
44KB
-
Filesize
28KB
-
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
32KB
-
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
408KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
472KB
-
Filesize
272KB
-
Filesize
320KB
-
Filesize
120KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
136KB
-
Filesize
156KB
-
-
Filesize
136KB
-
-
Filesize
1.2MB
-
Filesize
88KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
20KB
-
Filesize
36KB
-
-
Filesize
20KB
-
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
24KB
-
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
84KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
36KB