Analysis
-
max time kernel
0s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
30-12-2023 10:31
General
-
Target
15fd29325e11aa1777bdde1e09829784.exe
-
Size
3.2MB
-
MD5
15fd29325e11aa1777bdde1e09829784
-
SHA1
276c234a544054072593fb3b87e2a37f81e4f3c5
-
SHA256
2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf
-
SHA512
53a1d60c2e6b679b89effb81da0cc0bce4d26644d5ce190258ce6d9821802bb8aa1f349a61567d4806f19acbcdb34e6a3cb66d72a4a8169223165c7396eda02d
-
SSDEEP
98304:UbvDpNv9xyFximcWtxL4iZ1XxDLv6BFe6:UoxHcCLn3pLiBFe6
Malware Config
Extracted
ffdroider
http://101.36.107.74
Extracted
smokeloader
pub2
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Signatures
-
FFDroider
Stealer targeting social media platform users first seen in April 2022.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\15fd29325e11aa1777bdde1e09829784.exe"C:\Users\Admin\AppData\Local\Temp\15fd29325e11aa1777bdde1e09829784.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1763⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:275457 /prefetch:22⤵
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:734214 /prefetch:22⤵
-
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a1⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"1⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe1⤵
- Kills process with taskkill
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5acbc324f271a5dbbedb0db736aedc1e3
SHA1c60de09b67e293a94f8640d6331f359744ed1a06
SHA2561541fab233526350f11f6b33104e22943b71d345e9d513b7f6696e0c3c3d4e29
SHA512e8c9d2fa746f6ecf0eafffb243f69d58126b8361d35c5c6bb15ce042807086be8724409e84e6e420109103267212d73504e7899c8b4aaa818294f7a53da9d8ca
-
Filesize
685KB
MD519f074f48ece071572117ad39abfdd0e
SHA180e9cef55ad3fdba8eb8620794592679d4fa9426
SHA2566b7dc5c636e83b8c49b5c0f3fb189511ba1d17d774d8cf309cc2d805a987655b
SHA5127e719e5dd3db9b346b85f33e626ba353243080a8b23265781108b093f1666dec8294dd142a9fc1337dc78323f685c527dc81cb917c891e7aa77cdaa610f3cd28
-
Filesize
846KB
MD509e9036e720556b90849d55a19e5c7dd
SHA1862b2f14e945e4bf24f19ad3f1eb8f7e290a8d89
SHA2565ec2d9b70fc901925c7bb7aed5af4e760732b5f56df34b9dafba5655c68b4ce5
SHA512ba6abbbc1157b3b699369acf91e2e42e1afbe0e82073f654831eeb38938c1b772eb095dd31c0e9c81bd717b8d6027e0bfa8771b172ad4ea9a8ad48e752c56cda
-
Filesize
8KB
-
Filesize
1.9MB
-
Filesize
304KB
-
Filesize
452KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
452KB
-
Filesize
84KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
304KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
152KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
200KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
8KB