Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-12-2023 08:57

General

  • Target

    d45feb2a785ce22c4239c6b4cb0d5552.exe

  • Size

    2.7MB

  • MD5

    d45feb2a785ce22c4239c6b4cb0d5552

  • SHA1

    c208d73acfd0566f1283cda356df21aed89617e0

  • SHA256

    c962f4a4807e758a8aec58941e761019c64945046b8717ac9998993bf48c08ed

  • SHA512

    12de5052546273549a9dcfe9671a9ec41626708578d567a124c4124c3615e142cf403945fb794e69d9db6b8dffc7926275c8d88322ef043ae7b00fd1f4dcebd6

  • SSDEEP

    49152:UbA30MXyFtsKiaYcydNBWnt6jmXfM+9qQhwDPW15M6QRL4ygWS2LYdNFcfT5:UbIXyFximEWt/2YCW15MNZ4ygx2Ejuf1

Malware Config

Extracted

Family

ffdroider

C2

http://128.1.32.84

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32
rc4.i32

Signatures

  • FFDroider

    Stealer targeting social media platform users, first seen in April 2022.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 36 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies registry class 8 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:476
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Modifies registry class
        PID:1788
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\Windows\system32\wbem\WMIADAP.EXE
          wmiadap.exe /F /T /R
          3⤵
            PID:2408
      • C:\Users\Admin\AppData\Local\Temp\d45feb2a785ce22c4239c6b4cb0d5552.exe
        "C:\Users\Admin\AppData\Local\Temp\d45feb2a785ce22c4239c6b4cb0d5552.exe"
        1⤵
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
          "C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2396
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 184
            3⤵
            • Loads dropped DLL
            • Program crash
            PID:1632
        • C:\Users\Admin\AppData\Local\Temp\Install.exe
          "C:\Users\Admin\AppData\Local\Temp\Install.exe"
          2⤵
          • Executes dropped EXE
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2068
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c taskkill /f /im chrome.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:944
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im chrome.exe
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1040
        • C:\Users\Admin\AppData\Local\Temp\pub2.exe
          "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:2868
        • C:\Users\Admin\AppData\Local\Temp\Info.exe
          "C:\Users\Admin\AppData\Local\Temp\Info.exe"
          2⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Modifies system certificate store
          PID:2932
        • C:\Users\Admin\AppData\Local\Temp\Folder.exe
          "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1808
        • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
          "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1764
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • NTFS ADS
          • Suspicious use of SetWindowsHookEx
          PID:2668
      • C:\Windows\system32\rUNdlL32.eXe
        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\SysWOW64\rundll32.exe
          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
          2⤵
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:672
      • C:\Users\Admin\AppData\Local\Temp\Folder.exe
        "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
        1⤵
        • Executes dropped EXE
        PID:2780

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        04c3ba91bfef036810185f0acc19ebd5

        SHA1

        5cdb2114d0ea7de31d4cc871be0d0ddc24b7d7a0

        SHA256

        61782c4310db4e807591e2c7fbf7f7a79f57e5e1259757051dd2e5c75eb8b794

        SHA512

        f549b0714e52af2d1431aaeaa1cb606c889c272fa9207bca8745d7c4fc74b635b82da61618b1356f82ad74082075e5339194c1e4f6cc72760dedf35e7892f3f2

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        4eff2b60d2a6ef2a03454fd34641f54c

        SHA1

        9ab2e17c5dfe876757c878db0521d477cbe965c6

        SHA256

        250e1a2201936e7461f52260511394a0ac21a0834f5fb7e4f1ba6467fa33dc75

        SHA512

        f0a5c98f42b0c5425d719c66851794dd44ec29efc3246977204897b7a308d21dec0347d9a9b85e2882e2c3b2c3506884549b920866e574582d151e2122a5749a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        91ca1c9a01aade81e73182554d55ee33

        SHA1

        32e96d1015b1665a1b10189b6e589103ddfdac38

        SHA256

        958ce899e0ab0b10fc36da56fc9d81492df7826ab9f11cf3ac87444efd993bcb

        SHA512

        599c6adb780958e618b2762afee246ace6457ff24d590ba063eff921821ed2084d12a9c33dba37a51fce139c62c7a2b8bff35f0036414aa0edcdd49ef5ef6d2f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        6b668a6f8eb0d88308bd64267b76c392

        SHA1

        b8423dd2360e359187c03632a0f486c45a83e1ea

        SHA256

        48a397642db5d217201db0a904abca10636c24d91e3f40c20fe3242aee4e75f1

        SHA512

        64d088e9f9500b9fa7f9ce863fc4bba42724b1c03ae53b5f6b23bfa3497eb43da2f31a5e22ad170c1a69479fdf089d675c5217798cf98c77fe49bd84fdc19e98

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        bf867642ffafbe72e0e0b66bf61c81e3

        SHA1

        5d62099024468202a1ef4a5ff89e37b26ed818bf

        SHA256

        031d45f6ff772d7ca2ed1c5f2e81d2923b402d749b1aeceaf53b77a0917a16f4

        SHA512

        142d8f4edb337d76bc13be1eee7d6bb786ba482aa941c815606d0cb227897feea161919808bbe2dbe1cd42ee4c6ca05bdc38debf7400c7c5949c6d8e6fc234d6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        a9af38f154db83a854a7474bfc8d9a15

        SHA1

        eda1f28fbdc3364a1236779fabe2dfad6aa9f7cb

        SHA256

        3e9375baca47bb6a412be38f13ac6227bf57cc36357d16172146cf1f63b4abbe

        SHA512

        35a6b30a36b89d131d442dc4680e803b1e6a5c4ff3f63fbe1275cb2e971cec8ca1eafdf85fcf8def7574ece54bffb77d6fea7bcf6f3193cbf203aa6c8f2082d3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        49d554079da3a6d5e32d2455a7bbd48a

        SHA1

        3950b36048b668560ceeef59750b1b04ec1ad9db

        SHA256

        d3d936f1d31cea3ee3b4229e0b960212e6b31ca5fa64cfdccf03409531ff0d52

        SHA512

        df9e9ec6d26fbdc557cc07888ff5af8b371a96ebcbfb96dd977697f1f827e4d8ba1f4848d4c84027b3370e2ed990f81a9fec5ff93b4636238b8eb6af8e2c82cb

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        22959baec98d30161b86cdf12edb26d3

        SHA1

        857fbdb68475f022805160ff6fe06b0115ffd1e6

        SHA256

        5cd86b436393005100b339d48f0c828b4552ea3bc0189130692001c13c82247b

        SHA512

        22d90d20f5fb7905353f8a087f50affa0c64e1d6a5e4e2224e1feede5081ecfe9fb3bdae822f5f562d21011278b26e8e1bb84cb04728691e0e843d44ed8724d0

      • C:\Users\Admin\AppData\Local\Temp\Folder.exe

        Filesize

        92KB

        MD5

        9c00f7d3c6751d54314ff8bd19372a83

        SHA1

        eba0dd42316b5bcb22a996153548ef1aa5607063

        SHA256

        6b18805d3fff207428d8443e546a846073d199ac9e080d7493146e736cb7ea8c

        SHA512

        7c1d0f35f564031be5c59e84d805210033d7ee056d897ceddeb2daec40fd6be412d8b8fed16e210e49feff7c400a5f226bdd2326874df68b75c5e810edafb94d

      • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe

        Filesize

        117KB

        MD5

        8a451a0afa461197efcc17ffb2ce9def

        SHA1

        324fe909027ee0de58562ff5ba9d9ec716de4d70

        SHA256

        0d43ada60d3cd8a55ae3a701869b460a018b93a735a3062911f1a69d19bd5d02

        SHA512

        25f1fbdf3bf4fcc047382e88127df774b7e16d528d76cbb4a64cb9c8b22b377358313586dcdfa26d0b9a85f23f76b200c3ef2244995ed35a05e5b207836ab041

      • \Users\Admin\AppData\Local\Temp\Folder.exe

        Filesize

        94KB

        MD5

        c24b7faab0c1d7b9b8022c9fc2e5e7aa

        SHA1

        78c0f40fe4bc6c9755a0cef4d62f057b441b4f54

        SHA256

        30bfc5eeae214bb104a2b683368f72dfcaea5eb36ea322a198d0d01aa09eaeb9

        SHA512

        2714fce64583b85e94de25024c2df037075b3b064c2ae77f055b0541906e9af11522663daea8936b55b79634446a03e5d105374609d16e214016b8ed8403b4d6

      • memory/672-130-0x0000000002220000-0x0000000002321000-memory.dmp

        Filesize

        1.0MB

      • memory/672-143-0x0000000000780000-0x00000000007DD000-memory.dmp

        Filesize

        372KB

      • memory/672-132-0x0000000000780000-0x00000000007DD000-memory.dmp

        Filesize

        372KB

      • memory/852-134-0x0000000000DC0000-0x0000000000E0C000-memory.dmp

        Filesize

        304KB

      • memory/852-133-0x0000000001020000-0x0000000001091000-memory.dmp

        Filesize

        452KB

      • memory/852-243-0x0000000001020000-0x0000000001091000-memory.dmp

        Filesize

        452KB

      • memory/852-131-0x0000000000DC0000-0x0000000000E0C000-memory.dmp

        Filesize

        304KB

      • memory/1192-310-0x0000000002610000-0x0000000002625000-memory.dmp

        Filesize

        84KB

      • memory/1764-33-0x000000001AEE0000-0x000000001AF60000-memory.dmp

        Filesize

        512KB

      • memory/1764-379-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

        Filesize

        9.9MB

      • memory/1764-856-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

        Filesize

        9.9MB

      • memory/1764-30-0x0000000000250000-0x000000000026E000-memory.dmp

        Filesize

        120KB

      • memory/1764-28-0x0000000000890000-0x00000000008B6000-memory.dmp

        Filesize

        152KB

      • memory/1764-29-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

        Filesize

        9.9MB

      • memory/1788-137-0x0000000000060000-0x00000000000AC000-memory.dmp

        Filesize

        304KB

      • memory/1788-1516-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

      • memory/1788-283-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

      • memory/1788-1514-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

      • memory/1788-929-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

      • memory/1788-945-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

      • memory/1788-1511-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

      • memory/1788-140-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

      • memory/2308-78-0x0000000003F20000-0x000000000416F000-memory.dmp

        Filesize

        2.3MB

      • memory/2308-99-0x0000000003F20000-0x000000000416F000-memory.dmp

        Filesize

        2.3MB

      • memory/2308-31-0x00000000033B0000-0x00000000033B2000-memory.dmp

        Filesize

        8KB

      • memory/2308-96-0x0000000003F20000-0x000000000416F000-memory.dmp

        Filesize

        2.3MB

      • memory/2396-101-0x0000000000400000-0x000000000064F000-memory.dmp

        Filesize

        2.3MB

      • memory/2396-102-0x0000000000400000-0x000000000064F000-memory.dmp

        Filesize

        2.3MB

      • memory/2396-920-0x0000000000400000-0x000000000064F000-memory.dmp

        Filesize

        2.3MB

      • memory/2868-179-0x0000000000400000-0x000000000089D000-memory.dmp

        Filesize

        4.6MB

      • memory/2868-178-0x0000000000220000-0x0000000000229000-memory.dmp

        Filesize

        36KB

      • memory/2868-177-0x0000000000980000-0x0000000000A80000-memory.dmp

        Filesize

        1024KB

      • memory/2868-311-0x0000000000400000-0x000000000089D000-memory.dmp

        Filesize

        4.6MB