Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2023 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    265KB

  • MD5

    d7752d31728c6341a41b3aa476fa3529

  • SHA1

    d243602f189bf7c5978d929ffd4a9aa321712138

  • SHA256

    08a646fa562d3e3f447b7001356424cc5d7c7296873a8d1d94be35bd52a3b58d

  • SHA512

    6040276c9c6206132e2dced287bd4452222c494e4f1d4191d51dbd43861e8d02d2abaf704ebe12462a8fb2eb59431eca684a0d20ee25f7f0fe76d5a2d38973c0

  • SSDEEP

    3072:Q7FaQEw9YltfXFZ/yxSeLjRtrgssGbuHhmPcuddu2M93fzC7G/56YEZ4:oFHP0vFZ6xSehtzFjzAvzC

Score
10/10
purelogssmokeloaderpub4backdoorstealertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php
rc4.i32
rc4.i32

Signatures

  • Detect PureLogs payload 2 IoCs
  • PureLogs

    PureLogs is an infostealer written in C#.

    stealerpurelogs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4832
  • C:\Users\Admin\AppData\Local\Temp\3A74.exe
    C:\Users\Admin\AppData\Local\Temp\3A74.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      2⤵
        PID:1488
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
      1⤵
        PID:4780
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2044

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\3A74.exe
        Filesize

        2.8MB

        MD5

        90c99127993e7d99197eb88ea2e82806

        SHA1

        7ff88701a269f8e4eb122cbc48e0ff515764a43d

        SHA256

        c3ab62bb1d1ae51c68f9ab5bab2fb7bcf6eed8755ed543e23424375f0329f6f5

        SHA512

        f9a7f6233eb7d44bd8c470a07e224ca44290635d7e8d0cd78df0801fb510ebd09e648fb5340a73cbb57f2395ae4b92e496627a4c5b23c5845a531662f81ae825

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\3A74.exe
        Filesize

        2.8MB

        MD5

        90c99127993e7d99197eb88ea2e82806

        SHA1

        7ff88701a269f8e4eb122cbc48e0ff515764a43d

        SHA256

        c3ab62bb1d1ae51c68f9ab5bab2fb7bcf6eed8755ed543e23424375f0329f6f5

        SHA512

        f9a7f6233eb7d44bd8c470a07e224ca44290635d7e8d0cd78df0801fb510ebd09e648fb5340a73cbb57f2395ae4b92e496627a4c5b23c5845a531662f81ae825

        Download Submit

      • memory/1488-109-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/1488-107-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/1488-102-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/1488-100-0x0000000000400000-0x000000000047E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/2044-74-0x000001C8B3ED0000-0x000001C8B3ED1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-94-0x000001C8B4010000-0x000001C8B4011000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-98-0x000001C8B4130000-0x000001C8B4131000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-97-0x000001C8B4020000-0x000001C8B4021000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-96-0x000001C8B4020000-0x000001C8B4021000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-82-0x000001C8B3E10000-0x000001C8B3E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-79-0x000001C8B3ED0000-0x000001C8B3ED1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-76-0x000001C8B3EE0000-0x000001C8B3EE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-73-0x000001C8B3EE0000-0x000001C8B3EE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-72-0x000001C8B42C0000-0x000001C8B42C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-71-0x000001C8B42C0000-0x000001C8B42C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-70-0x000001C8B42C0000-0x000001C8B42C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-69-0x000001C8B42C0000-0x000001C8B42C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-68-0x000001C8B42C0000-0x000001C8B42C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-46-0x000001C8ABCA0000-0x000001C8ABCB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2044-62-0x000001C8B4290000-0x000001C8B4291000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-63-0x000001C8B42C0000-0x000001C8B42C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-64-0x000001C8B42C0000-0x000001C8B42C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-65-0x000001C8B42C0000-0x000001C8B42C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-66-0x000001C8B42C0000-0x000001C8B42C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-67-0x000001C8B42C0000-0x000001C8B42C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3240-4-0x0000000002740000-0x0000000002756000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4676-15-0x0000000000090000-0x000000000036C000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/4676-22-0x0000000005380000-0x0000000005390000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4676-19-0x0000000074BA0000-0x0000000075350000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4676-25-0x0000000005410000-0x0000000005492000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4676-24-0x0000000005390000-0x0000000005412000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4676-27-0x0000000005500000-0x0000000005568000-memory.dmp

        Filesize

        416KB

        Download

      • memory/4676-23-0x0000000005380000-0x0000000005390000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4676-28-0x0000000005240000-0x000000000528C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4676-26-0x0000000005490000-0x00000000054F8000-memory.dmp

        Filesize

        416KB

        Download

      • memory/4676-29-0x0000000000090000-0x000000000036C000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/4676-20-0x0000000005290000-0x000000000536A000-memory.dmp

        Filesize

        872KB

        Download

      • memory/4676-21-0x0000000005380000-0x0000000005390000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4676-16-0x0000000002500000-0x00000000025DA000-memory.dmp

        Filesize

        872KB

        Download

      • memory/4676-99-0x0000000005B60000-0x0000000006104000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4676-108-0x0000000074BA0000-0x0000000075350000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4832-1-0x0000000000D70000-0x0000000000E70000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4832-3-0x0000000000400000-0x0000000000B9D000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/4832-5-0x0000000000400000-0x0000000000B9D000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/4832-2-0x0000000000D50000-0x0000000000D5B000-memory.dmp

        Filesize

        44KB

        Download