Analysis
-
max time kernel
45s -
max time network
76s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
30/12/2023, 15:26
General
-
Target
c99bfa2bf903c9f9681fac9d6a3122d4.exe
-
Size
37KB
-
MD5
c99bfa2bf903c9f9681fac9d6a3122d4
-
SHA1
289fe6bebb1bc5b2555b8b61161b948d8d18310d
-
SHA256
e1f48f331e2554def3e7d7e386503219ff8d15d5b99d1682570235fcf15da315
-
SHA512
04345647f67ec502ff6e6023d2190ff05cbb416da98584488da3e0a9a34de9487ec7342f0b8d28b5b57c560334502f240c441fc68e4f8ddd4f4b3eb73ea5d1dd
-
SSDEEP
768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3
Malware Config
Extracted
smokeloader
2022
http://185.215.113.68/fks/index.php
Extracted
smokeloader
up3
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c99bfa2bf903c9f9681fac9d6a3122d4.exe"C:\Users\Admin\AppData\Local\Temp\c99bfa2bf903c9f9681fac9d6a3122d4.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\BC4F.exeC:\Users\Admin\AppData\Local\Temp\BC4F.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\etopt.exe"C:\Users\Admin\AppData\Local\Temp\etopt.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tuc4.exe"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\nsjCF44.tmp.exeC:\Users\Admin\AppData\Local\Temp\nsjCF44.tmp.exe3⤵
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231230152654.log C:\Windows\Logs\CBS\CbsPersist_20231230152654.cab1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-5V862.tmp\tuc4.tmp"C:\Users\Admin\AppData\Local\Temp\is-5V862.tmp\tuc4.tmp" /SL5="$4016E,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"1⤵
-
C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i2⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 232⤵
-
-
C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -s2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 231⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\DCBB.exeC:\Users\Admin\AppData\Local\Temp\DCBB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\2198.exeC:\Users\Admin\AppData\Local\Temp\2198.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\284D.exeC:\Users\Admin\AppData\Local\Temp\284D.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD514e180bf8d6378bbbbd44c0b45d2e503
SHA17960f649344e99c758fd37613c8cd67a5eca09c9
SHA25682a4dbbd2269378d365656787c83855aa4d2f38787b127b3e8f355de5fd56299
SHA51289fe924d71e25b235da5e71244ce9f0f49df17c5b38f5a34385b93f05c6259810eb3623589a4d92a77a4abb9f88c2595558972372d5004ae439c39aae8414c52
-
Filesize
997KB
MD5cc326870a16d9ca7543afc6389c3d137
SHA1f9c45fc2a3bc4875f743f76c118469c247136bf0
SHA25616fd2be20c8400f30d9199c19a8edb23381808b00ef31f4253d79bd23c3f2e69
SHA512a418b94ff946279e45d9a0fc064ddcf3ea49ba0e3366c3b912ef53ae9c6977244b91d97cd676172bfb4d8a8c078289472dc76a6a6ee584a27368a76423397ab0
-
Filesize
16KB
MD51ca7d171bfedeec87ca0d8f7e9ca1b8b
SHA198a1c68aff895b99292723276a583b9b244197ad
SHA256c80e520adfe619c255830ef705638f0d37b5cd1895232b407cdad81327cd13a6
SHA5129b146edea394538a996651f08ef868ee2a9c5732c84de1b510171ea1f13c851e93a2951d560e8f7193664472386c98a9919b9aeb48c8c4470f181bab764016a7
-
Filesize
1.9MB
MD59a6f67b247e2f2d2ab5d588b8aadf02b
SHA123f54cb6bef877f5d0942b9f977f3ec0a8fcf821
SHA256d983d9ad29a51cde552ee68bd78d4c0943518e5bfce731f53dd4a848b1632c01
SHA5121173bc3d5110a9c39564781cd2614bc902431f020882ef0f1cd4294a996aa510e01424a965bb9082935331352cbb458f3c16cfebca1c817c5820c3d0854a3760
-
Filesize
283KB
MD52d24e3baa2a16e47bee10e91381e6391
SHA1013b59b2cd69e93694196dfb34fddc8684cfd619
SHA256ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4
SHA512be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7
-
Filesize
64KB
MD57d98defb571f425fbb505a540f5fd11a
SHA151bf64a4c6b8aeece1b7619280422223ba32890b
SHA256989b9db29c0787b87faefc4f60087b2c96eaf55b7eb21eee33210a90ad1b33bf
SHA512ffca3b686df8b61de032ff70df93f1593ff6a3adeb83c7eb7a1fe2fc3b95e0d8894b2988528dbf622ba8500ddddac1f3c3206d081dc7dc3f7aee6f4d013cad07
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
720KB
-
Filesize
6.9MB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
4KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
232KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
12.2MB
-
Filesize
4KB
-
Filesize
5.4MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
8.9MB
-
Filesize
1024KB
-
Filesize
4.3MB
-
Filesize
1024KB
-
Filesize
4.3MB
-
Filesize
112KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
18.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
752KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB