Overview

overview

10

Static

static

1

32307017.xls

windows7-x64

10

32307017.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    17-07-2023 05:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32307017.xls

  • Size

    1.4MB

  • MD5

    ab03f70b31107892e798091706ca4f4f

  • SHA1

    6975a37ca9a7e5ed68111457e0633992bac30a53

  • SHA256

    27bd31839d54056c7868df571290b527d4940f209b66b3bb0a2cfb31f454c7d2

  • SHA512

    e2b9d7e74fc7c58ea6e59f67f8e4589c7201705bf04a5ea53a0fc60afba7b8e205b1cd4048205f5e65e7f822558b1c56c5cef6cd43ea77c80c850e1f8d644656

  • SSDEEP

    24576:wgu9VNZylw6V9OZyOw6VleHBlEzp7uNR0bgcwyA52CcP5YwVux:wguPR6V9YO6V8hOzNgjyPP5Yz

Score
10/10
guloadersmokeloaderbackdoordownloadertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cletonmy.com/

http://alpatrik.com/
rc4.i32
rc4.i32

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 12 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\32307017.xls
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1112
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Users\Admin\AppData\Local\Temp\IBM_Centosie.exe
      "C:\Users\Admin\AppData\Local\Temp\IBM_Centosie.exe"
      2⤵
      • Checks QEMU agent file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Users\Admin\AppData\Local\Temp\IBM_Centosie.exe
        "C:\Users\Admin\AppData\Local\Temp\IBM_Centosie.exe"
        3⤵
        • Checks QEMU agent file
        • Loads dropped DLL
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2712

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F55E990B.emf
    Filesize

    1.4MB

    MD5

    a01b9617553432807b9b58025b338d97

    SHA1

    439bdcc450408b9735b2428c2d53d2e6977fa58c

    SHA256

    7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce

    SHA512

    312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Centosie.exe
    Filesize

    399KB

    MD5

    bf116d38feeab4b00d4b8703776ffdf3

    SHA1

    175a33faf58fa9d8af84da39527357363ee42de4

    SHA256

    b7779eb7756debf18a7d37bb2a04cbac8420167ea8f746774835e73fa4458703

    SHA512

    24590155f0aa2b7276d3779940dc1d2656b7f180187b15c55e864a90ef667bff8d12af74bd5823207857f09066fcd093c5994f31359d8625c5feb47c7204a955

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Centosie.exe
    Filesize

    399KB

    MD5

    bf116d38feeab4b00d4b8703776ffdf3

    SHA1

    175a33faf58fa9d8af84da39527357363ee42de4

    SHA256

    b7779eb7756debf18a7d37bb2a04cbac8420167ea8f746774835e73fa4458703

    SHA512

    24590155f0aa2b7276d3779940dc1d2656b7f180187b15c55e864a90ef667bff8d12af74bd5823207857f09066fcd093c5994f31359d8625c5feb47c7204a955

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Centosie.exe
    Filesize

    399KB

    MD5

    bf116d38feeab4b00d4b8703776ffdf3

    SHA1

    175a33faf58fa9d8af84da39527357363ee42de4

    SHA256

    b7779eb7756debf18a7d37bb2a04cbac8420167ea8f746774835e73fa4458703

    SHA512

    24590155f0aa2b7276d3779940dc1d2656b7f180187b15c55e864a90ef667bff8d12af74bd5823207857f09066fcd093c5994f31359d8625c5feb47c7204a955

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Centosie.exe
    Filesize

    399KB

    MD5

    bf116d38feeab4b00d4b8703776ffdf3

    SHA1

    175a33faf58fa9d8af84da39527357363ee42de4

    SHA256

    b7779eb7756debf18a7d37bb2a04cbac8420167ea8f746774835e73fa4458703

    SHA512

    24590155f0aa2b7276d3779940dc1d2656b7f180187b15c55e864a90ef667bff8d12af74bd5823207857f09066fcd093c5994f31359d8625c5feb47c7204a955

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IBM_Centosie.exe
    Filesize

    399KB

    MD5

    bf116d38feeab4b00d4b8703776ffdf3

    SHA1

    175a33faf58fa9d8af84da39527357363ee42de4

    SHA256

    b7779eb7756debf18a7d37bb2a04cbac8420167ea8f746774835e73fa4458703

    SHA512

    24590155f0aa2b7276d3779940dc1d2656b7f180187b15c55e864a90ef667bff8d12af74bd5823207857f09066fcd093c5994f31359d8625c5feb47c7204a955

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IBM_Centosie.exe
    Filesize

    399KB

    MD5

    bf116d38feeab4b00d4b8703776ffdf3

    SHA1

    175a33faf58fa9d8af84da39527357363ee42de4

    SHA256

    b7779eb7756debf18a7d37bb2a04cbac8420167ea8f746774835e73fa4458703

    SHA512

    24590155f0aa2b7276d3779940dc1d2656b7f180187b15c55e864a90ef667bff8d12af74bd5823207857f09066fcd093c5994f31359d8625c5feb47c7204a955

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsyFC1C.tmp\System.dll
    Filesize

    11KB

    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    Download Submit

  • memory/1112-82-0x000000007405D000-0x0000000074068000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1112-114-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1112-129-0x000000007405D000-0x0000000074068000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1112-55-0x000000007405D000-0x0000000074068000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1112-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1272-98-0x0000000002B70000-0x0000000002B86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2712-96-0x0000000001470000-0x0000000003CE2000-memory.dmp

    Filesize

    40.4MB

    Download

  • memory/2712-99-0x0000000001470000-0x0000000003CE2000-memory.dmp

    Filesize

    40.4MB

    Download

  • memory/2712-90-0x0000000001470000-0x0000000003CE2000-memory.dmp

    Filesize

    40.4MB

    Download

  • memory/2712-91-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2712-92-0x0000000077C60000-0x0000000077E09000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2712-93-0x0000000001470000-0x0000000003CE2000-memory.dmp

    Filesize

    40.4MB

    Download

  • memory/2712-95-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2712-102-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2712-97-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2712-89-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2896-85-0x0000000077E50000-0x0000000077F26000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2896-87-0x0000000074260000-0x0000000074266000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2896-84-0x0000000077C60000-0x0000000077E09000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2896-83-0x00000000038D0000-0x0000000006142000-memory.dmp

    Filesize

    40.4MB

    Download

  • memory/2896-81-0x00000000038D0000-0x0000000006142000-memory.dmp

    Filesize

    40.4MB

    Download