Analysis
-
max time kernel
147s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
12/04/2023, 15:59
General
-
Target
463d23b4fce2dfd141bfc32a35881908124438f4cdb7a7a961fd4ff29984c3e5.exe
-
Size
352KB
-
MD5
e1e421742bde53f727046137d82d1561
-
SHA1
d81989d3752707d607539c079c6de8166646646b
-
SHA256
463d23b4fce2dfd141bfc32a35881908124438f4cdb7a7a961fd4ff29984c3e5
-
SHA512
a52176b0badc3bdb47407461b5a410e0a83a86f875e8b7da295047d4a032771e114ef923fe3df2c800a1d929bfcf4b49b6bc8f39b62dbe3ab9e56ec3e2b4f339
-
SSDEEP
6144:8YYnWalHspNFdYIxh+25ti9gMtDnYlZ0PdxCpCV+E:8YnalQbdYILLfyDYbgMpCVr
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Extracted
loaderbot
http://gerag2pe.beget.tech/cmd.php
Extracted
vidar
3.4
e749025c61b2caca10aa829a9e1a65a1
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
-
profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
-
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted
laplas
http://185.106.92.74
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
LoaderBot executable 1 IoCs
-
XMRig Miner payload 3 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\463d23b4fce2dfd141bfc32a35881908124438f4cdb7a7a961fd4ff29984c3e5.exe"C:\Users\Admin\AppData\Local\Temp\463d23b4fce2dfd141bfc32a35881908124438f4cdb7a7a961fd4ff29984c3e5.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C529.exeC:\Users\Admin\AppData\Local\Temp\C529.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\84001096745926896843.exe"C:\ProgramData\84001096745926896843.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\84001096745926896843.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 04⤵
-
-
-
-
C:\ProgramData\49949421692652515089.exe"C:\ProgramData\49949421692652515089.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\C529.exe" & exit2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 21002⤵
- Program crash
-
-
C:\Users\Admin\AppData\Roaming\rjfaghfC:\Users\Admin\AppData\Roaming\rjfaghf1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E12E.exeC:\Users\Admin\AppData\Local\Temp\E12E.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 43vDzCah59pa7NjPUPS2ow6tp1drE7MUU188sTbUJ1wzNyfnvRyDdtic8C4kPMambW1PcRMbkBgvbM157NBNjs3tRWxYy83 -p x -k -v=0 --donate-level=0 -t 23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2280 -s 7604⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 43vDzCah59pa7NjPUPS2ow6tp1drE7MUU188sTbUJ1wzNyfnvRyDdtic8C4kPMambW1PcRMbkBgvbM157NBNjs3tRWxYy83 -p x -k -v=0 --donate-level=0 -t 23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3352 -s 8524⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 43vDzCah59pa7NjPUPS2ow6tp1drE7MUU188sTbUJ1wzNyfnvRyDdtic8C4kPMambW1PcRMbkBgvbM157NBNjs3tRWxYy83 -p x -k -v=0 --donate-level=0 -t 23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 452 -p 2280 -ip 22801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1444 -ip 14441⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 196 -p 3352 -ip 33521⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
472KB
MD576ef680c0ebbc1fe0512aad0b218f2cc
SHA17098a0f3f2498d9ed86f9b841f2c254afc333662
SHA256c1821cde377bf360d0ee0552a1e4ad4f37cbf5a71c6de027e13c2eadea696505
SHA512c75ba34a9914cbd108b2f230b8f254e09a6768034f53b023c3b831c888278b5710ad55d155c8c034f9696d941b17eb5608729e13a3d9ad0e50d2f00470151cc2
-
Filesize
472KB
MD576ef680c0ebbc1fe0512aad0b218f2cc
SHA17098a0f3f2498d9ed86f9b841f2c254afc333662
SHA256c1821cde377bf360d0ee0552a1e4ad4f37cbf5a71c6de027e13c2eadea696505
SHA512c75ba34a9914cbd108b2f230b8f254e09a6768034f53b023c3b831c888278b5710ad55d155c8c034f9696d941b17eb5608729e13a3d9ad0e50d2f00470151cc2
-
Filesize
5.0MB
MD58f36b3fba4e5d51d40026e16fbc7742e
SHA100162dcf53957e496540b1c3fbc0ca2b02e7620b
SHA256f4e4abc185d26f1bbb6f7c50245aace36bccf338a2f4e77ce358b36872079605
SHA5122e67daea2946e8de5bb2fb9b91fac886569f4f9aeb9e39798c95466a326498bd41da9c09ba9cfe7f367f604eb51bc3f6b27becccf2b533d1d9e0318de6ba6be5
-
Filesize
5.0MB
MD58f36b3fba4e5d51d40026e16fbc7742e
SHA100162dcf53957e496540b1c3fbc0ca2b02e7620b
SHA256f4e4abc185d26f1bbb6f7c50245aace36bccf338a2f4e77ce358b36872079605
SHA5122e67daea2946e8de5bb2fb9b91fac886569f4f9aeb9e39798c95466a326498bd41da9c09ba9cfe7f367f604eb51bc3f6b27becccf2b533d1d9e0318de6ba6be5
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
352KB
MD5e1e421742bde53f727046137d82d1561
SHA1d81989d3752707d607539c079c6de8166646646b
SHA256463d23b4fce2dfd141bfc32a35881908124438f4cdb7a7a961fd4ff29984c3e5
SHA512a52176b0badc3bdb47407461b5a410e0a83a86f875e8b7da295047d4a032771e114ef923fe3df2c800a1d929bfcf4b49b6bc8f39b62dbe3ab9e56ec3e2b4f339
-
Filesize
352KB
MD5e1e421742bde53f727046137d82d1561
SHA1d81989d3752707d607539c079c6de8166646646b
SHA256463d23b4fce2dfd141bfc32a35881908124438f4cdb7a7a961fd4ff29984c3e5
SHA512a52176b0badc3bdb47407461b5a410e0a83a86f875e8b7da295047d4a032771e114ef923fe3df2c800a1d929bfcf4b49b6bc8f39b62dbe3ab9e56ec3e2b4f339
-
Filesize
497.1MB
MD5ce02b9fbd6a67943ffb2695197b70002
SHA15b15a80bd0f46917da56d5f7c559c9354e276234
SHA25605a73291a8f779865e9c74e0cb3444b986d7c6a097167468c3f6dea62284d965
SHA51296bc7e8b2e0562303b9127d4143baa378e77fc9a24cae37554c2678630d92b6a88ea911fa5cbd3bccdd33ccae092906e3aca742720afeca22a4ed78e89c88fdd
-
Filesize
517.8MB
MD5227c580e983feb5b2c97d2a2f3e3a82c
SHA1ae165b4b42877393fb3738b3eb24d6065b599c0a
SHA2566cda54fa6d032a22b6fd099539d7165dcb310b081985f150cd88ee32e0efe066
SHA512402b036ed40a38561b46ba3b2a023128258983c106aaa40fa31592ec7c3d0c21fc99b314da1dd31e43f0fc34926ed67fa6ddf250176181ca2d9245851f3d8398
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
4.0MB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
14.4MB
-
Filesize
14.4MB
-
Filesize
348KB
-
Filesize
972KB
-
Filesize
4.1MB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
408KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
11.5MB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4.0MB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB