Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
23-03-2023 08:10
General
-
Target
ff616573fb637b94423e48fd46d1c38c4f42f001d10249f6a9544877a99b2296.exe
-
Size
251KB
-
MD5
4b69759e59cb6f6d1994bcbe499b9c72
-
SHA1
3f51d8a510953a1fe183c8cd88274d3d71423a28
-
SHA256
ff616573fb637b94423e48fd46d1c38c4f42f001d10249f6a9544877a99b2296
-
SHA512
6265ebac2f6d772ad6263eebd15674a07a57d182081be20b5b49faeb3d08b0c4a8540f1615f6bdb0a587c7f7edb6c1e4ff32d33d8d191e21e03b738722d8aebc
-
SSDEEP
3072:W4GXazg/9iZLcYbLlrKcPWTE6+7F8y2XuskNinCar5hX2sTUOt1:EM8YbLlmyrJfDLinCOX2s
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Signatures
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff616573fb637b94423e48fd46d1c38c4f42f001d10249f6a9544877a99b2296.exe"C:\Users\Admin\AppData\Local\Temp\ff616573fb637b94423e48fd46d1c38c4f42f001d10249f6a9544877a99b2296.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\88B.exeC:\Users\Admin\AppData\Local\Temp\88B.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\88B.exeFilesize
902KB
MD5d1babdc16a0dd6025463f3c048ce5bb5
SHA18474997c5516d414e727c4200992bf0b1bd21b54
SHA256efb3453dac4145a51a0cd316ada7b45a5f09d338265a256b46bfa1bb3427915d
SHA512b52140a1d798818bb9a37ff486746290956a386e65c67cc459da6fd6bbbc1e29fc4c57a6b3c86be337f3e77eff037b133826d36dfbfa70e21ff08d09b46dd939
-
C:\Users\Admin\AppData\Local\Temp\88B.exeFilesize
902KB
MD5d1babdc16a0dd6025463f3c048ce5bb5
SHA18474997c5516d414e727c4200992bf0b1bd21b54
SHA256efb3453dac4145a51a0cd316ada7b45a5f09d338265a256b46bfa1bb3427915d
SHA512b52140a1d798818bb9a37ff486746290956a386e65c67cc459da6fd6bbbc1e29fc4c57a6b3c86be337f3e77eff037b133826d36dfbfa70e21ff08d09b46dd939
-
memory/2204-122-0x0000000000880000-0x0000000000889000-memory.dmpFilesize
36KB
-
memory/2204-124-0x0000000000400000-0x0000000000702000-memory.dmpFilesize
3.0MB
-
memory/3068-146-0x00000000049E0000-0x0000000004B01000-memory.dmpFilesize
1.1MB
-
memory/3068-199-0x0000000000400000-0x0000000002C0F000-memory.dmpFilesize
40.1MB
-
memory/3068-195-0x0000000000400000-0x0000000002C0F000-memory.dmpFilesize
40.1MB
-
memory/3220-172-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-178-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-229-0x0000000001440000-0x000000000144C000-memory.dmpFilesize
48KB
-
memory/3220-203-0x0000000001380000-0x0000000001390000-memory.dmpFilesize
64KB
-
memory/3220-123-0x0000000001330000-0x0000000001346000-memory.dmpFilesize
88KB
-
memory/3220-207-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-228-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-227-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-226-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-225-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-222-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-221-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-220-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-219-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-157-0x0000000001380000-0x0000000001390000-memory.dmpFilesize
64KB
-
memory/3220-159-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-162-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-164-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-165-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-166-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-167-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-170-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-171-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-204-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-173-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-174-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-175-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-208-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-179-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-180-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-209-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-181-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-183-0x00000000031B0000-0x00000000031C0000-memory.dmpFilesize
64KB
-
memory/3220-210-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-211-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-218-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-215-0x00000000013D0000-0x00000000013E0000-memory.dmpFilesize
64KB
-
memory/3220-213-0x0000000001440000-0x0000000001450000-memory.dmpFilesize
64KB
-
memory/4060-198-0x00000000031B0000-0x00000000031C0000-memory.dmpFilesize
64KB
-
memory/4060-184-0x00000000031B0000-0x00000000031C0000-memory.dmpFilesize
64KB
-
memory/4060-182-0x00000000005C0000-0x00000000005C9000-memory.dmpFilesize
36KB
-
memory/4060-185-0x00000000005C0000-0x00000000005C9000-memory.dmpFilesize
36KB
-
memory/4108-142-0x00000000007A0000-0x00000000007AF000-memory.dmpFilesize
60KB
-
memory/4108-196-0x0000000000BF0000-0x0000000000BFB000-memory.dmpFilesize
44KB
-
memory/4108-145-0x00000000007A0000-0x00000000007AF000-memory.dmpFilesize
60KB
-
memory/4108-144-0x0000000000BF0000-0x0000000000BFB000-memory.dmpFilesize
44KB
-
memory/4160-139-0x0000000000880000-0x0000000000889000-memory.dmpFilesize
36KB
-
memory/4160-138-0x0000000000BF0000-0x0000000000BFB000-memory.dmpFilesize
44KB
-
memory/4160-140-0x0000000000BF0000-0x0000000000BFB000-memory.dmpFilesize
44KB
-
memory/4720-191-0x00000000007B0000-0x00000000007BD000-memory.dmpFilesize
52KB
-
memory/4720-190-0x0000000000580000-0x000000000058B000-memory.dmpFilesize
44KB
-
memory/4720-189-0x00000000007B0000-0x00000000007BD000-memory.dmpFilesize
52KB
-
memory/4720-201-0x0000000000580000-0x000000000058B000-memory.dmpFilesize
44KB
-
memory/4728-202-0x00000000007B0000-0x00000000007BD000-memory.dmpFilesize
52KB
-
memory/4728-194-0x00000000007E0000-0x00000000007EB000-memory.dmpFilesize
44KB
-
memory/4728-193-0x00000000007B0000-0x00000000007BD000-memory.dmpFilesize
52KB
-
memory/4728-192-0x00000000007E0000-0x00000000007EB000-memory.dmpFilesize
44KB
-
memory/4832-148-0x0000000000940000-0x0000000000949000-memory.dmpFilesize
36KB
-
memory/4832-197-0x00000000049E0000-0x0000000004B01000-memory.dmpFilesize
1.1MB
-
memory/4832-143-0x0000000000940000-0x0000000000949000-memory.dmpFilesize
36KB
-
memory/4832-147-0x00000000049E0000-0x0000000004B01000-memory.dmpFilesize
1.1MB
-
memory/4920-150-0x0000000000940000-0x0000000000949000-memory.dmpFilesize
36KB
-
memory/4920-151-0x00000000008C0000-0x00000000008CC000-memory.dmpFilesize
48KB
-
memory/4920-149-0x00000000008C0000-0x00000000008CC000-memory.dmpFilesize
48KB
-
memory/4996-154-0x00000000006E0000-0x0000000000707000-memory.dmpFilesize
156KB
-
memory/4996-153-0x00000000008C0000-0x00000000008CC000-memory.dmpFilesize
48KB
-
memory/4996-152-0x00000000006E0000-0x0000000000707000-memory.dmpFilesize
156KB
-
memory/5080-200-0x00000000005C0000-0x00000000005C9000-memory.dmpFilesize
36KB
-
memory/5080-186-0x0000000000580000-0x000000000058B000-memory.dmpFilesize
44KB
-
memory/5080-187-0x00000000005C0000-0x00000000005C9000-memory.dmpFilesize
36KB
-
memory/5080-188-0x0000000000580000-0x000000000058B000-memory.dmpFilesize
44KB