Analysis
-
max time kernel
153s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
20-02-2023 16:00
General
-
Target
26ebf4b16a7b59e42a4bb77818d6fd31.exe
-
Size
196KB
-
MD5
26ebf4b16a7b59e42a4bb77818d6fd31
-
SHA1
3b76faa23a88fa0937eab421e4c8f2c4a8d070f0
-
SHA256
b06b1b4d5a9dddb0d067a38fdf2b3b872d974ce1379c4101ab13aa1a6f143b13
-
SHA512
14675781ec3b69d01aafc6fa18d3184b29b3b8c68f90b002f2fe7bfe39f5fdb4fdae7a1fe87c12d10f53c166ea077cb533e997c8d069b67ecb966eda1c97df6a
-
SSDEEP
3072:dpnVxDLhdvd+kfHkJbWU5TszWKsQ0U99qpz0kDB1sh02qR9wBA:3nVxDLl+Dpf5TYWKsQzbqKkzshALu
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
Panda Stealer payload 4 IoCs
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\26ebf4b16a7b59e42a4bb77818d6fd31.exe"C:\Users\Admin\AppData\Local\Temp\26ebf4b16a7b59e42a4bb77818d6fd31.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\A587.exeC:\Users\Admin\AppData\Local\Temp\A587.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\A931.exeC:\Users\Admin\AppData\Local\Temp\A931.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\AE24.exeC:\Users\Admin\AppData\Local\Temp\AE24.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
1.0MB
MD5a47863a63a1fc5ed2ff15ec362212778
SHA16e28be0dc0a3fc248ce4d04856705fce9c23b977
SHA256f25844c12c72e3f984cc6afef123e01d7b2ab1d1955f1408fd86f8403a79c570
SHA5129f056168558cf37ac10d5fea9e86dd9bc09ae7ce3f158c7f66f5f6c63b461b88f10a5917d99cfad3b0d6f98e8b4657a558f2e28240a70d7e19bfd94d3244ae22
-
Filesize
1.0MB
MD5a47863a63a1fc5ed2ff15ec362212778
SHA16e28be0dc0a3fc248ce4d04856705fce9c23b977
SHA256f25844c12c72e3f984cc6afef123e01d7b2ab1d1955f1408fd86f8403a79c570
SHA5129f056168558cf37ac10d5fea9e86dd9bc09ae7ce3f158c7f66f5f6c63b461b88f10a5917d99cfad3b0d6f98e8b4657a558f2e28240a70d7e19bfd94d3244ae22
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
1.4MB
-
Filesize
36KB
-
Filesize
1.4MB
-
Filesize
84KB