Analysis
max time kernel: 151s
max time network: 122s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 14/07/2023, 06:48
Static task: static1
Behavioral task: behavioral1
  Sample: Pedido- 1253-360.xls
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: Pedido- 1253-360.xls
  Resource: win10v2004-20230703-en
General
Target: Pedido- 1253-360.xls
Size: 1.4MB
MD5: 3aaea611bbf04af88f795927bca16b9d
SHA1: 74084df258e08f86c5c8d62abc51b14649fd8660
SHA256: ebd76ed616fef2f1a27deb6f252ffe2d62ab99bc90189d72e99f95fbf737200d
SHA512: 584b38eb5ef6572569c20b6d99f50ddc4d4aa8f07e03ab9b4e73e0467d336875b06b74b00af3066d32caf411405534de2dc71581ee4058468cb5b1123f4ddafe
SSDEEP: 24576:Mu9VTtZyxw6V4OZyCw6VxeHBlEzp7uTeRbgcwFA5DATMHYwV6x:MubXh6V4Y+6VIhOzJgjF9TSYz

Malware Config
Extracted
Family: smokeloader
Version: 2022
C2:
  http://cletonmy.com/
  http://alpatrik.com/
Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.

SmokeLoader
Modular backdoor trojan in use since 2014.

Blocklisted process makes network request (1 IoC)
flow  pid   Process
4     1960  EQNEDT32.EXE
Downloads MZ/PE file

Checks QEMU agent file (2 TTPs, 4 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
description              ioc                                    Process
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   IBM_Cent.EXE
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   IBM_Cent.EXE
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   uetiudg
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   uetiudg

Executes dropped EXE (2 IoCs)
pid   Process
2988  IBM_Cent.EXE
932   uetiudg

Loads dropped DLL (6 IoCs)
pid   Process
1960  EQNEDT32.EXE
2988  IBM_Cent.EXE
2988  IBM_Cent.EXE
2756  IBM_Cent.EXE
932   uetiudg
2780  uetiudg
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid   Process
2756  IBM_Cent.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid   Process
2988  IBM_Cent.EXE
2756  IBM_Cent.EXE
932   uetiudg

Suspicious use of SetThreadContext (2 IoCs)
description                          pid   Process       procid_target
PID 2988 set thread context of 2756  2988  IBM_Cent.EXE  34
PID 932 set thread context of 2780   932   uetiudg       38
Drops file in Program Files directory (2 IoCs)
description                   ioc                                                    Process
File opened for modification  C:\Program Files (x86)\Common Files\sansningerne.Unc   IBM_Cent.EXE
File opened for modification  C:\Program Files (x86)\Common Files\sansningerne.Unc   uetiudg

Drops file in Windows directory (4 IoCs)
description                   ioc                                                             Process
File opened for modification  C:\Windows\resources\0409\Katje\falsebenet\Bike\Angivende.ini   IBM_Cent.EXE
File opened for modification  C:\Windows\resources\0409\Hovedgaarde.For                       IBM_Cent.EXE
File opened for modification  C:\Windows\resources\0409\Katje\falsebenet\Bike\Angivende.ini   uetiudg
File opened for modification  C:\Windows\resources\0409\Hovedgaarde.For                       uetiudg

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (18 IoCs)
Each resource below matched both nsis_installer_1 and nsis_installer_2:
resource
behavioral1/files/0x0006000000016c43-67.dat
behavioral1/files/0x0006000000016c43-71.dat
behavioral1/files/0x0006000000016c43-68.dat
behavioral1/files/0x0006000000016c43-72.dat
behavioral1/files/0x0006000000016c43-87.dat
behavioral1/files/0x0006000000016c43-89.dat
behavioral1/files/0x000400000000f6fa-131.dat
behavioral1/files/0x000400000000f6fa-132.dat
behavioral1/files/0x000400000000f6fa-150.dat
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                                Process
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   IBM_Cent.EXE
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   IBM_Cent.EXE
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   IBM_Cent.EXE

Enumerates system info in registry (2 TTPs, 1 IoC)
description  ioc                                                                     Process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor   EXCEL.EXE

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid   Process
1960  EQNEDT32.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid  Process
492  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process            count
2756  IBM_Cent.EXE       2
1340  Process not Found  62

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
1340  Process not Found

Suspicious behavior: MapViewOfSection (3 IoCs)
pid   Process
2988  IBM_Cent.EXE
2756  IBM_Cent.EXE
932   uetiudg

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                 pid   Process            count
Token: SeShutdownPrivilege  1340  Process not Found  4

Suspicious use of SetWindowsHookEx (5 IoCs)
pid  Process    count
492  EXCEL.EXE  5

Suspicious use of WriteProcessMemory (18 IoCs)
description                       pid   Process       procid_target  count
PID 1960 wrote to memory of 2988  1960  EQNEDT32.EXE  32             4
PID 2988 wrote to memory of 2756  2988  IBM_Cent.EXE  34             5
PID 2028 wrote to memory of 932   2028  taskeng.exe   37             4
PID 932 wrote to memory of 2780   932   uetiudg       38             5

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. In this run the effect is visible in the process tree: taskeng.exe (PID 2028) launches the dropped C:\Users\Admin\AppData\Roaming\uetiudg (PID 932), which then repeats the same self-injection sequence as IBM_Cent.EXE.
Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  (PID 492)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Pedido- 1253-360.xls"
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (PID 1960)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IBM_Cent.EXE  (PID 2988, child of 1960)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IBM_Cent.EXE"
    - Checks QEMU agent file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IBM_Cent.EXE  (PID 2756, child of 2988)
      Command line: "C:\Users\Admin\AppData\Local\Temp\IBM_Cent.EXE"
      - Checks QEMU agent file
      - Loads dropped DLL
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Windows\system32\taskeng.exe  (PID 2028)
  Command line: taskeng.exe {6A1EF188-2D9F-454D-802B-E8520E0E5FC9} S-1-5-21-1014134971-2480516131-292343513-1000:NYBYVYTJ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\uetiudg  (PID 932, child of 2028)
    Command line: C:\Users\Admin\AppData\Roaming\uetiudg
    - Checks QEMU agent file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\uetiudg  (PID 2780, child of 932)
      Command line: C:\Users\Admin\AppData\Roaming\uetiudg
      - Checks QEMU agent file
      - Loads dropped DLL
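The process tree above contains three relationships a detection engineer would alert on: Equation Editor (EQNEDT32.EXE) spawning a child, a process starting a second copy of its own image and then calling SetThreadContext on it (the self-injection both IBM_Cent.EXE and uetiudg perform), and taskeng.exe launching a binary out of the user profile. The following Python is an added example, not part of the Triage report and not code from GuLoader or SmokeLoader: it encodes those three rules and runs them over events constructed from the report's PIDs and paths. The simplified Sysmon-style event shape, the rule names, and the parent values for top-level processes (0 and empty, because the report records no parent for them) are assumptions.

```python
"""Detection rules for the process behaviours in the Triage report, run over
constructed events (PIDs and image paths taken from the report's process tree;
the event shape is a simplified Sysmon EID 1 / EID 8 style record and is an
assumption, not the sandbox's own format)."""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record."""
    pid: int
    image: str
    ppid: int          # 0 when the report shows no parent (top-level process)
    parent_image: str  # "" when the report shows no parent


@dataclass(frozen=True)
class ThreadContextEvent:
    """src_pid called SetThreadContext on a thread in target_pid
    (the report's 'Suspicious use of SetThreadContext' rows)."""
    src_pid: int
    target_pid: int


EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
TASKENG = r"C:\Windows\system32\taskeng.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\IBM_Cent.EXE"
STAGE2 = r"C:\Users\Admin\AppData\Roaming\uetiudg"

# Constructed from the report's process tree.
PROCS = [
    ProcEvent(492, EXCEL, 0, ""),
    ProcEvent(1960, EQN, 0, ""),
    ProcEvent(2988, STAGE1, 1960, EQN),
    ProcEvent(2756, STAGE1, 2988, STAGE1),
    ProcEvent(2028, TASKENG, 0, ""),
    ProcEvent(932, STAGE2, 2028, TASKENG),
    ProcEvent(2780, STAGE2, 932, STAGE2),
]
# From the report's SetThreadContext signature.
CTX = [ThreadContextEvent(2988, 2756), ThreadContextEvent(932, 2780)]

# Directories a scheduled task should not normally execute from.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def _base(path: str) -> str:
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(procs: Iterable[ProcEvent],
           ctx: Iterable[ThreadContextEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every process that trips a rule."""
    ctx_pairs = {(e.src_pid, e.target_pid) for e in ctx}
    alerts: List[Tuple[str, int]] = []
    for p in procs:
        # Rule 1: Equation Editor is a COM server that renders equations; it
        # has no legitimate reason to create a child process (CVE-2017-11882
        # style exploitation is the usual explanation).
        if _base(p.parent_image) == "eqnedt32.exe":
            alerts.append(("eqnedt32_spawns_child", p.pid))
        # Rule 2: same image as the parent AND the parent rewrote the child's
        # thread context. The second condition is what separates hollowing
        # from browsers and Office apps that legitimately spawn themselves.
        if (p.parent_image and _base(p.image) == _base(p.parent_image)
                and (p.ppid, p.pid) in ctx_pairs):
            alerts.append(("self_image_hollowing", p.pid))
        # Rule 3: the task-scheduler engine starting something from a
        # user-writable profile directory (persistence via scheduled task).
        if (_base(p.parent_image) == "taskeng.exe"
                and any(d in p.image.lower() for d in USER_WRITABLE)):
            alerts.append(("task_runs_from_user_profile", p.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(PROCS, CTX):
        print(f"{rule}: pid {pid}")
```

Rule 2 deliberately requires the SetThreadContext evidence: a parent/child pair with the same image name is common for benign software, so without the thread-context event the rule stays silent. On the report's events the four hits are PIDs 2988 (EQNEDT32 child), 2756 and 2780 (hollowed copies) and 932 (task running from AppData\Roaming).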
Network
MITRE ATT&CK Enterprise v6
Downloads
Rows with identical hashes are listed once; the number of identical rows in the report is given in parentheses.

Filesize: 1.4MB (1 row)
MD5: a01b9617553432807b9b58025b338d97
SHA1: 439bdcc450408b9735b2428c2d53d2e6977fa58c
SHA256: 7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce
SHA512: 312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

Filesize: 703KB (9 rows)
MD5: a8a27695f1bc25512354f2c6b5e9d037
SHA1: d39c5146f3560a6d55657eaa384a8794e25c97ad
SHA256: 4365ff3c93ee1faa413ab7cf6838884c449053479d3039e995a6cdfe590125e4
SHA512: 58e1eb8588514730e5727c684839f35e45390c429e52514d8394d607a332cc8b3be7a733f3dbc856c696d55607d1073289c8dca2d0bc30d1c46de640c262a913

Filesize: 11KB (3 rows)
MD5: 375e8a08471dc6f85f3828488b1147b3
SHA1: 1941484ac710fc301a7d31d6f1345e32a21546af
SHA256: 4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78
SHA512: 5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8