Analysis
max time kernel: 300s
max time network: 291s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 25/02/2023, 22:47
Static task: static1
Behavioral task: behavioral1
  Sample: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1
  Resource: win10-20230220-en
General
Target: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1
Size: 552B
MD5: e4e334efd3ed0f23499a75127e2662aa
SHA1: 7e460968dcbc7ddc8b8c6ede94798e54fbfc5e63
SHA256: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9
SHA512: 75d26061e143542f13a05839b054aaaac2146b5ea79bcf94b587169e822f27c525a8cf30f39e3048d5249346adacbeb2695a45a68e0bee48fdd2035ed068ade8
Malware Config
Signatures
Detects Smokeloader packer (5 IoCs)
  resource | yara_rule
  behavioral2/files/0x000800000001af4c-158.dat | family_smokeloader
  behavioral2/files/0x000800000001af4c-164.dat | family_smokeloader
  behavioral2/memory/3928-165-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral2/memory/3928-168-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral2/files/0x000700000001af53-171.dat | family_smokeloader
SmokeLoader
  Modular backdoor trojan in use since 2014.
WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  1 | 1836 | powershell.exe
Downloads MZ/PE file
Deletes itself (1 IoCs)
  pid | Process
  1836 | powershell.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  3928 | agent.exe
  1896 | F15A.exe
  3076 | F1E7.exe
  4396 | F15A.exe
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F1E7.exe" | F1E7.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | agent.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | agent.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | agent.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1836 | powershell.exe (3 entries)
  3928 | agent.exe (2 entries)
  3200 | Process not Found (all remaining entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3200 | Process not Found
Suspicious behavior: MapViewOfSection (11 IoCs)
  pid | Process
  3928 | agent.exe (1 entry)
  3200 | Process not Found (10 entries)
Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1836 | powershell.exe
  Token: SeDebugPrivilege | 1896 | F15A.exe
  Token: SeShutdownPrivilege | 3200 | Process not Found
  Token: SeCreatePagefilePrivilege | 3200 | Process not Found
  Token: SeDebugPrivilege | 4396 | F15A.exe
  Token: SeShutdownPrivilege | 3200 | Process not Found
  Token: SeCreatePagefilePrivilege | 3200 | Process not Found
  Token: SeShutdownPrivilege | 3200 | Process not Found
  Token: SeCreatePagefilePrivilege | 3200 | Process not Found
Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target
  PID 1836 wrote to memory of 3928 | 1836 | powershell.exe | 67 (3 entries)
  PID 3200 wrote to memory of 1896 | 3200 | Process not Found | 68 (2 entries)
  PID 3200 wrote to memory of 3076 | 3200 | Process not Found | 69 (3 entries)
  PID 3200 wrote to memory of 4436 | 3200 | Process not Found | 70 (4 entries)
  PID 3200 wrote to memory of 4124 | 3200 | Process not Found | 71 (3 entries)
  PID 3200 wrote to memory of 760 | 3200 | Process not Found | 72 (4 entries)
  PID 3200 wrote to memory of 4816 | 3200 | Process not Found | 73 (4 entries)
  PID 3200 wrote to memory of 3992 | 3200 | Process not Found | 75 (3 entries)
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1
  - Blocklisted process makes network request
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1836
    C:\Users\Admin\AppData\Local\Temp\agent.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\agent.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 3928
C:\Users\Admin\AppData\Local\Temp\F15A.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\F15A.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1896
C:\Users\Admin\AppData\Local\Temp\F1E7.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\F1E7.exe
  - Executes dropped EXE
  - Adds Run key to start application
  PID: 3076
C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID: 4436
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID: 4124
C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID: 760
C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID: 4816
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID: 3992
C:\Users\Admin\AppData\Roaming\F15A.exe
  Command line: C:\Users\Admin\AppData\Roaming\F15A.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4396
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 621B
MD5: 431293de3fad018871bc380403c6f53c
SHA1: 935699de6ea2086cec2612f7716d147ced286768
SHA256: 1d7ced4ac3efd413157af7c0d8167ab87f1060c576dc86e5518283874df2b55f
SHA512: b33b49ffb96a325da7b6d77b3c95014b2b6ff985fd6553ce80487789a8d8b56e4e24d0f819108c271146ccd188d1a7d68ba630441b065f9ddb47602297fa6c62
-
Filesize: 465KB
MD5: 978efdcbc93c6c9ac15e01fda1054d7c
SHA1: 23e777d93caa97b0f167f728905df31e6efaac23
SHA256: 1cc7239194b15a44c4f7bb2a5edab03b319d3ebba56a84ac59f860acc9e2f35c
SHA512: c25d414af7d5354666f5ce4d88719374af180a265fdfd604a8c3d054df506a0154c98cc8ca4da972a018870df576455afd3804d45ae39ac7fc3c8b1c4e2329e3
-
Filesize: 465KB
MD5: 978efdcbc93c6c9ac15e01fda1054d7c
SHA1: 23e777d93caa97b0f167f728905df31e6efaac23
SHA256: 1cc7239194b15a44c4f7bb2a5edab03b319d3ebba56a84ac59f860acc9e2f35c
SHA512: c25d414af7d5354666f5ce4d88719374af180a265fdfd604a8c3d054df506a0154c98cc8ca4da972a018870df576455afd3804d45ae39ac7fc3c8b1c4e2329e3
-
Filesize: 141KB
MD5: 4da855885a48a88b2b99abdaf7dbaddb
SHA1: 95be38902672a4f729325f4322449fafe52791c4
SHA256: e6e5fa379b321d66c93d236eadc5c81478c821b545a7ff9ac6d07e14ed5a8983
SHA512: 4f5855573c3d08d8a11325775230544ecf79f884009a94c30c8bd4547e2ad873224ef1d34fd15b9e91423a5cf4351f22d4aa50be7c14cc2bdc2260c009e61c93
-
Filesize: 141KB
MD5: 4da855885a48a88b2b99abdaf7dbaddb
SHA1: 95be38902672a4f729325f4322449fafe52791c4
SHA256: e6e5fa379b321d66c93d236eadc5c81478c821b545a7ff9ac6d07e14ed5a8983
SHA512: 4f5855573c3d08d8a11325775230544ecf79f884009a94c30c8bd4547e2ad873224ef1d34fd15b9e91423a5cf4351f22d4aa50be7c14cc2bdc2260c009e61c93
-
Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize: 29KB
MD5: 1496b98fe0530da47982105a87a69bce
SHA1: 00719a1b168c8baa3827a161326b157713f9a07a
SHA256: c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d
SHA512: 286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6
-
Filesize: 29KB
MD5: 1496b98fe0530da47982105a87a69bce
SHA1: 00719a1b168c8baa3827a161326b157713f9a07a
SHA256: c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d
SHA512: 286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6
-
Filesize: 465KB
MD5: 978efdcbc93c6c9ac15e01fda1054d7c
SHA1: 23e777d93caa97b0f167f728905df31e6efaac23
SHA256: 1cc7239194b15a44c4f7bb2a5edab03b319d3ebba56a84ac59f860acc9e2f35c
SHA512: c25d414af7d5354666f5ce4d88719374af180a265fdfd604a8c3d054df506a0154c98cc8ca4da972a018870df576455afd3804d45ae39ac7fc3c8b1c4e2329e3
-
Filesize: 465KB
MD5: 978efdcbc93c6c9ac15e01fda1054d7c
SHA1: 23e777d93caa97b0f167f728905df31e6efaac23
SHA256: 1cc7239194b15a44c4f7bb2a5edab03b319d3ebba56a84ac59f860acc9e2f35c
SHA512: c25d414af7d5354666f5ce4d88719374af180a265fdfd604a8c3d054df506a0154c98cc8ca4da972a018870df576455afd3804d45ae39ac7fc3c8b1c4e2329e3
-
Filesize: 29KB
MD5: 1496b98fe0530da47982105a87a69bce
SHA1: 00719a1b168c8baa3827a161326b157713f9a07a
SHA256: c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d
SHA512: 286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6