Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/10/2023, 16:22

General

  • Target

    NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe

  • Size

    2.5MB

  • MD5

    1c005ad11650b463fbb2a3cd2429c422

  • SHA1

    283c41cdebe89bdb6c859f877fffd5448fa81c54

  • SHA256

    1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcd

  • SHA512

    95a59726f1c78272a010a16e701c2fb9ed30f7e3497505dc498d43ba8bb727555d9f9422a23ef2ef28fbe50b7a6679d0b7885b24c797427df640e2474c4b2ea8

  • SSDEEP

    24576:BkUpFxaQT/FTwvzSI15ZlA4B6UM8Mu2RcfCrkEh91UbHZJ5GaGl6HHSc/xfvvOoI:BdcETCp5FKfFM3XHHPAXRloP

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://wirtshauspost.at/tmp/

http://msktk.ru/tmp/

http://soetegem.com/tmp/

http://gromograd.ru/tmp/

http://talesofpirates.net/tmp/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:5056
    • C:\Users\Admin\AppData\Local\Temp\Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Update.exe"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4492

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Update.exe

          Filesize

          238KB

          MD5

          c36009a11d03b61f6f92a38cb67698d3

          SHA1

          35a182127e0d187c61a84f4339ea73a4d5fb4a24

          SHA256

          4242a5519cd21cef98a32bb6f7544091fbca706130299b53d00e825d4c65c007

          SHA512

          f6204548bc40dfe930e98e197a1b2a09480333e87508e1328b624047e44b49d9c151061df8392be44aaef17ccdde505969cef05a06f222676ae40a74f203373e

        • memory/2636-28-0x0000000003200000-0x0000000003216000-memory.dmp

          Filesize

          88KB

        • memory/4492-27-0x0000000000400000-0x00000000005B3000-memory.dmp

          Filesize

          1.7MB

        • memory/4492-25-0x00000000007B0000-0x00000000008B0000-memory.dmp

          Filesize

          1024KB

        • memory/4492-29-0x0000000000400000-0x00000000005B3000-memory.dmp

          Filesize

          1.7MB

        • memory/4492-26-0x0000000000710000-0x000000000071B000-memory.dmp

          Filesize

          44KB

        • memory/5056-9-0x0000000074210000-0x00000000747C1000-memory.dmp

          Filesize

          5.7MB

        • memory/5056-10-0x0000000004840000-0x0000000004850000-memory.dmp

          Filesize

          64KB

        • memory/5056-4-0x0000000074210000-0x00000000747C1000-memory.dmp

          Filesize

          5.7MB

        • memory/5056-3-0x0000000004840000-0x0000000004850000-memory.dmp

          Filesize

          64KB

        • memory/5056-2-0x0000000074210000-0x00000000747C1000-memory.dmp

          Filesize

          5.7MB

        • memory/5056-5-0x0000000074210000-0x00000000747C1000-memory.dmp

          Filesize

          5.7MB

        • memory/5056-8-0x0000000000300000-0x000000000058C000-memory.dmp

          Filesize

          2.5MB

        • memory/5056-0-0x0000000000300000-0x000000000058C000-memory.dmp

          Filesize

          2.5MB

        • memory/5056-1-0x0000000000300000-0x000000000058C000-memory.dmp

          Filesize

          2.5MB

        • memory/5056-6-0x0000000000300000-0x000000000058C000-memory.dmp

          Filesize

          2.5MB

        • memory/5056-35-0x0000000004840000-0x0000000004850000-memory.dmp

          Filesize

          64KB

        • memory/5056-37-0x0000000004840000-0x0000000004850000-memory.dmp

          Filesize

          64KB