Analysis

max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2023, 16:22

Static task: static1

Behavioral task: behavioral1
Sample: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe
Resource: win10v2004-20230915-en
General

Target: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe
Size: 2.5MB
MD5: 1c005ad11650b463fbb2a3cd2429c422
SHA1: 283c41cdebe89bdb6c859f877fffd5448fa81c54
SHA256: 1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcd
SHA512: 95a59726f1c78272a010a16e701c2fb9ed30f7e3497505dc498d43ba8bb727555d9f9422a23ef2ef28fbe50b7a6679d0b7885b24c797427df640e2474c4b2ea8
SSDEEP: 24576:BkUpFxaQT/FTwvzSI15ZlA4B6UM8Mu2RcfCrkEh91UbHZJ5GaGl6HHSc/xfvvOoI:BdcETCp5FKfFM3XHHPAXRloP
Malware Config

Extracted: smokeloader
Version: pub1

Extracted: smokeloader
Version: 2022
C2:
- http://wirtshauspost.at/tmp/
- http://msktk.ru/tmp/
- http://soetegem.com/tmp/
- http://gromograd.ru/tmp/
- http://talesofpirates.net/tmp/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe)

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe)

Executes dropped EXE (1 IoC)
- PID 4492: Update.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Wine (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe)

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\Update\\Update.exe" (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- Flow 48: checkip.dyndns.org

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: Update.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: Update.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: Update.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 5056: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe (4 entries)
- PID 4492: Update.exe (2 entries)
- PID 2636: Process not Found (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2636: Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
- PID 4492: Update.exe

Suspicious behavior: RenamesItself (1 IoC)
- PID 5056: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 5056: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 5056: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe

Suspicious use of UnmapMainImage (1 IoC)
- PID 2636: Process not Found

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 5056 wrote to memory of 4492 (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe, procid_target: 101)
- PID 5056 wrote to memory of 4492 (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe, procid_target: 101)
- PID 5056 wrote to memory of 4492 (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe, procid_target: 101)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

outlook_office_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe)

outlook_win_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS1ef006bb0944d57bf596cd6aab1ddfb5da85aae577092c01b7ab3f465dbc9fcdexeexeexe_JC.exe"
   PID: 5056
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks computer location settings
   - Identifies Wine through registry keys
   - Accesses Microsoft Outlook profiles
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   - outlook_office_path
   - outlook_win_path

   2. C:\Users\Admin\AppData\Local\Temp\Update.exe (child of PID 5056)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Update.exe"
      PID: 4492
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 238KB
MD5: c36009a11d03b61f6f92a38cb67698d3
SHA1: 35a182127e0d187c61a84f4339ea73a4d5fb4a24
SHA256: 4242a5519cd21cef98a32bb6f7544091fbca706130299b53d00e825d4c65c007
SHA512: f6204548bc40dfe930e98e197a1b2a09480333e87508e1328b624047e44b49d9c151061df8392be44aaef17ccdde505969cef05a06f222676ae40a74f203373e