Overview

overview

10

Static

static

1

purchase o...94.xls

windows7-x64

10

purchase o...94.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    24/07/2023, 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    purchase order 3937464494.xls

  • Size

    1.4MB

  • MD5

    383d883be15a9b3f35ce3efe475bef39

  • SHA1

    0052a54d7b51e281b7aa61ab32621d05cb922166

  • SHA256

    2e059934c1f6786fa0108c8cad6e7a7aff078f99c2787aa1d2cfc16ff691d45d

  • SHA512

    b682419caae59a97d6fc99bf3615ad8e0c32f14f93102e98df7f3b2cc7f7930f3cbe76c7d28ffedd0a022aa4438b369db89322231b37bdeaedf4845cf5688572

  • SSDEEP

    24576:EMu9VNZylw6VQOZynw6VqViNhuuvvtw3oqVUbXQwNgZffsLMy5wXx:EMuPR6VQYP6VCiNhv3tcMXXNhLr5s

Score
10/10
guloadersmokeloaderbackdoordownloadertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cletonmy.com/

http://alpatrik.com/
rc4.i32
rc4.i32

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 12 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\purchase order 3937464494.xls"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2516
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
      "C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe"
      2⤵
      • Checks QEMU agent file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
        "C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe"
        3⤵
        • Checks QEMU agent file
        • Loads dropped DLL
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2248

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BA9FE535.emf
    Filesize

    1.4MB

    MD5

    a01b9617553432807b9b58025b338d97

    SHA1

    439bdcc450408b9735b2428c2d53d2e6977fa58c

    SHA256

    7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce

    SHA512

    312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    249KB

    MD5

    10d7cfe140b1d9812d8eba062e608256

    SHA1

    990b9fd71b0867db5bce972e4b79bb67234122aa

    SHA256

    c862a9f00f17344698bdcab4fe7465b1206382c3c77407507d79e895629f4aea

    SHA512

    32412bffa88504119d6f8ccb3e5ca21e62e43a1c0ffe18f2e921ddac47db0996edd5590b8f57f8f8eef71817bf6a2f6e7ab942a8045500b2cf858adabcd70ba7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    249KB

    MD5

    10d7cfe140b1d9812d8eba062e608256

    SHA1

    990b9fd71b0867db5bce972e4b79bb67234122aa

    SHA256

    c862a9f00f17344698bdcab4fe7465b1206382c3c77407507d79e895629f4aea

    SHA512

    32412bffa88504119d6f8ccb3e5ca21e62e43a1c0ffe18f2e921ddac47db0996edd5590b8f57f8f8eef71817bf6a2f6e7ab942a8045500b2cf858adabcd70ba7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    249KB

    MD5

    10d7cfe140b1d9812d8eba062e608256

    SHA1

    990b9fd71b0867db5bce972e4b79bb67234122aa

    SHA256

    c862a9f00f17344698bdcab4fe7465b1206382c3c77407507d79e895629f4aea

    SHA512

    32412bffa88504119d6f8ccb3e5ca21e62e43a1c0ffe18f2e921ddac47db0996edd5590b8f57f8f8eef71817bf6a2f6e7ab942a8045500b2cf858adabcd70ba7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    249KB

    MD5

    10d7cfe140b1d9812d8eba062e608256

    SHA1

    990b9fd71b0867db5bce972e4b79bb67234122aa

    SHA256

    c862a9f00f17344698bdcab4fe7465b1206382c3c77407507d79e895629f4aea

    SHA512

    32412bffa88504119d6f8ccb3e5ca21e62e43a1c0ffe18f2e921ddac47db0996edd5590b8f57f8f8eef71817bf6a2f6e7ab942a8045500b2cf858adabcd70ba7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    249KB

    MD5

    10d7cfe140b1d9812d8eba062e608256

    SHA1

    990b9fd71b0867db5bce972e4b79bb67234122aa

    SHA256

    c862a9f00f17344698bdcab4fe7465b1206382c3c77407507d79e895629f4aea

    SHA512

    32412bffa88504119d6f8ccb3e5ca21e62e43a1c0ffe18f2e921ddac47db0996edd5590b8f57f8f8eef71817bf6a2f6e7ab942a8045500b2cf858adabcd70ba7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    249KB

    MD5

    10d7cfe140b1d9812d8eba062e608256

    SHA1

    990b9fd71b0867db5bce972e4b79bb67234122aa

    SHA256

    c862a9f00f17344698bdcab4fe7465b1206382c3c77407507d79e895629f4aea

    SHA512

    32412bffa88504119d6f8ccb3e5ca21e62e43a1c0ffe18f2e921ddac47db0996edd5590b8f57f8f8eef71817bf6a2f6e7ab942a8045500b2cf858adabcd70ba7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsd8DEF.tmp\System.dll
    Filesize

    11KB

    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    Download Submit

  • memory/652-80-0x00000000036C0000-0x00000000049A3000-memory.dmp

    Filesize

    18.9MB

    Download

  • memory/652-82-0x00000000036C0000-0x00000000049A3000-memory.dmp

    Filesize

    18.9MB

    Download

  • memory/652-83-0x0000000077B10000-0x0000000077CB9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/652-84-0x0000000077D00000-0x0000000077DD6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/652-86-0x000000006D190000-0x000000006D196000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1292-96-0x0000000002650000-0x0000000002666000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2248-90-0x0000000077B10000-0x0000000077CB9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2248-94-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2248-89-0x0000000001470000-0x0000000002753000-memory.dmp

    Filesize

    18.9MB

    Download

  • memory/2248-100-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2248-91-0x0000000001470000-0x0000000002753000-memory.dmp

    Filesize

    18.9MB

    Download

  • memory/2248-92-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2248-93-0x0000000001470000-0x0000000002753000-memory.dmp

    Filesize

    18.9MB

    Download

  • memory/2248-88-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2248-97-0x0000000001470000-0x0000000002753000-memory.dmp

    Filesize

    18.9MB

    Download

  • memory/2516-81-0x0000000073F0D000-0x0000000073F18000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2516-54-0x0000000073F0D000-0x0000000073F18000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2516-53-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2516-110-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2516-125-0x0000000073F0D000-0x0000000073F18000-memory.dmp

    Filesize

    44KB

    Download