Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
23-03-2023 09:31
General
-
Target
7509ea45ab058a6242b876415a9bfdc5b7457e2b9855eea7c3c363e0cb80e86f.exe
-
Size
250KB
-
MD5
27347c06e249accdd820c1ea70008c8b
-
SHA1
69800d4b0163d6d33f33198b0efd9391a39b4c64
-
SHA256
7509ea45ab058a6242b876415a9bfdc5b7457e2b9855eea7c3c363e0cb80e86f
-
SHA512
5ffa342a7cc6c5603214f9a74596779137ea3edcab513807c3bfbf5090e4c48e9e885f4c32d5d4c2bfd050559bc9d53138a19f477f5f7487930ec5db16e6f7ee
-
SSDEEP
3072:Y8Oaz0PfBrE1cYpLVr6T9abxY7w1isW754uXiRAElR0XPO5h84K49:sM4YpLVW0beQK75XiRA1Cr
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Signatures
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7509ea45ab058a6242b876415a9bfdc5b7457e2b9855eea7c3c363e0cb80e86f.exe"C:\Users\Admin\AppData\Local\Temp\7509ea45ab058a6242b876415a9bfdc5b7457e2b9855eea7c3c363e0cb80e86f.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E7F4.exeC:\Users\Admin\AppData\Local\Temp\E7F4.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 9962⤵
- Program crash
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5104 -ip 51041⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\E7F4.exeFilesize
902KB
MD5d1babdc16a0dd6025463f3c048ce5bb5
SHA18474997c5516d414e727c4200992bf0b1bd21b54
SHA256efb3453dac4145a51a0cd316ada7b45a5f09d338265a256b46bfa1bb3427915d
SHA512b52140a1d798818bb9a37ff486746290956a386e65c67cc459da6fd6bbbc1e29fc4c57a6b3c86be337f3e77eff037b133826d36dfbfa70e21ff08d09b46dd939
-
C:\Users\Admin\AppData\Local\Temp\E7F4.exeFilesize
902KB
MD5d1babdc16a0dd6025463f3c048ce5bb5
SHA18474997c5516d414e727c4200992bf0b1bd21b54
SHA256efb3453dac4145a51a0cd316ada7b45a5f09d338265a256b46bfa1bb3427915d
SHA512b52140a1d798818bb9a37ff486746290956a386e65c67cc459da6fd6bbbc1e29fc4c57a6b3c86be337f3e77eff037b133826d36dfbfa70e21ff08d09b46dd939
-
memory/1396-171-0x00000000003F0000-0x00000000003F9000-memory.dmpFilesize
36KB
-
memory/1396-170-0x0000000000140000-0x000000000014B000-memory.dmpFilesize
44KB
-
memory/1396-172-0x0000000000140000-0x000000000014B000-memory.dmpFilesize
44KB
-
memory/1396-184-0x00000000003F0000-0x00000000003F9000-memory.dmpFilesize
36KB
-
memory/1708-134-0x0000000002440000-0x0000000002449000-memory.dmpFilesize
36KB
-
memory/1708-136-0x0000000000400000-0x0000000000702000-memory.dmpFilesize
3.0MB
-
memory/1876-173-0x00000000010F0000-0x00000000010FD000-memory.dmpFilesize
52KB
-
memory/1876-185-0x0000000000140000-0x000000000014B000-memory.dmpFilesize
44KB
-
memory/1876-174-0x0000000000140000-0x000000000014B000-memory.dmpFilesize
44KB
-
memory/1876-175-0x00000000010F0000-0x00000000010FD000-memory.dmpFilesize
52KB
-
memory/1944-150-0x00000000006F0000-0x00000000006FB000-memory.dmpFilesize
44KB
-
memory/1944-180-0x0000000002440000-0x0000000002449000-memory.dmpFilesize
36KB
-
memory/1944-153-0x00000000006F0000-0x00000000006FB000-memory.dmpFilesize
44KB
-
memory/1944-152-0x0000000002440000-0x0000000002449000-memory.dmpFilesize
36KB
-
memory/2476-183-0x0000000000720000-0x000000000072C000-memory.dmpFilesize
48KB
-
memory/2476-164-0x0000000000EE0000-0x0000000000F07000-memory.dmpFilesize
156KB
-
memory/2476-165-0x0000000000720000-0x000000000072C000-memory.dmpFilesize
48KB
-
memory/2476-166-0x0000000000EE0000-0x0000000000F07000-memory.dmpFilesize
156KB
-
memory/2780-135-0x0000000002C70000-0x0000000002C86000-memory.dmpFilesize
88KB
-
memory/2808-176-0x00000000006E0000-0x00000000006EB000-memory.dmpFilesize
44KB
-
memory/2808-177-0x00000000010F0000-0x00000000010FD000-memory.dmpFilesize
52KB
-
memory/2808-186-0x00000000010F0000-0x00000000010FD000-memory.dmpFilesize
52KB
-
memory/2808-178-0x00000000006E0000-0x00000000006EB000-memory.dmpFilesize
44KB
-
memory/3288-169-0x00000000003F0000-0x00000000003F9000-memory.dmpFilesize
36KB
-
memory/3288-167-0x00000000003F0000-0x00000000003F9000-memory.dmpFilesize
36KB
-
memory/3288-168-0x0000000000EE0000-0x0000000000F07000-memory.dmpFilesize
156KB
-
memory/4640-156-0x0000000004990000-0x0000000004AB1000-memory.dmpFilesize
1.1MB
-
memory/4640-155-0x0000000000FD0000-0x0000000000FDF000-memory.dmpFilesize
60KB
-
memory/4640-181-0x0000000004990000-0x0000000004AB1000-memory.dmpFilesize
1.1MB
-
memory/4640-157-0x0000000000FD0000-0x0000000000FDF000-memory.dmpFilesize
60KB
-
memory/5020-160-0x0000000000F40000-0x0000000000F49000-memory.dmpFilesize
36KB
-
memory/5020-158-0x0000000000F40000-0x0000000000F49000-memory.dmpFilesize
36KB
-
memory/5020-182-0x0000000000FD0000-0x0000000000FDF000-memory.dmpFilesize
60KB
-
memory/5020-159-0x0000000000FD0000-0x0000000000FDF000-memory.dmpFilesize
60KB
-
memory/5040-161-0x0000000000720000-0x000000000072C000-memory.dmpFilesize
48KB
-
memory/5040-162-0x0000000000F40000-0x0000000000F49000-memory.dmpFilesize
36KB
-
memory/5040-163-0x0000000000720000-0x000000000072C000-memory.dmpFilesize
48KB
-
memory/5104-179-0x0000000000400000-0x0000000002C0F000-memory.dmpFilesize
40.1MB
-
memory/5104-154-0x0000000004990000-0x0000000004AB1000-memory.dmpFilesize
1.1MB
-
memory/5104-187-0x0000000000400000-0x0000000002C0F000-memory.dmpFilesize
40.1MB
-
memory/5104-188-0x0000000000400000-0x0000000002C0F000-memory.dmpFilesize
40.1MB