Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
11-01-2024 08:30
General
-
Target
5308d1e75211592537867a6da16505c9.exe
-
Size
173KB
-
MD5
5308d1e75211592537867a6da16505c9
-
SHA1
7760cdf681fc8969bfdd9fb9b7b5b625ca31f1bd
-
SHA256
b7ca91d094b124c955a6759efb9e7b5744775269345908643d8c8f48adbde879
-
SHA512
9fb3ccf71fe4c600af9fb90aef63235121d28003dfafb79c928ba6ae55dadf527d3c833ef6201c045584ff91a8a0db45f9e23c7838094a302ee2038952d42ba3
-
SSDEEP
3072:30ywvRswzkVZj+Yfi5D0b6HwhZoWC9sI5/DuT61m:3aZswwAX0b6HwhZU9sI5/
Malware Config
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted
gozi
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5308d1e75211592537867a6da16505c9.exe"C:\Users\Admin\AppData\Local\Temp\5308d1e75211592537867a6da16505c9.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\99A1.exeC:\Users\Admin\AppData\Local\Temp\99A1.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\s5o1cio17myy_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\S5O1CI~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\A94B.exeC:\Users\Admin\AppData\Local\Temp\A94B.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD50c819dd27a128d9234daa3d772fb8c20
SHA1d5d36492818872da8e70dc28cc85389b8e0f3819
SHA256ae088798b181a2bf822fcd3bec3a11779f45a8e3b83cb6c75c5ffbffc3c3d5b2
SHA512f502ddb79703297cf0592e68c3f1f964584725d7aa670272998f174ffa108bb7340c0d65d38d69e1b3f7f1217628dadda108fa2d5fe1eab73b7b3302b9f769b7
-
Filesize
82KB
MD5bfe3f76169a69a8062ed7c55802d7348
SHA1df7ac4c5af4702172c5d5e7ec2ed1975b942e5c3
SHA256ad3dd54da01e06aa74d69c359dfe57d45df20cf34f5af6f7a79c24b07d2318bf
SHA512c188f5b4b1e0e7faab071f3c1f8b409fd1a807c3ad7e819379d1a08100d887d1104d1634ced6959fbf3b419c3431cbc472abc29d310880719d02b6bad50c47a1
-
Filesize
52KB
MD523153a81d916ed441b8fd5f23534cef0
SHA178d6fe808e5aafa7e152413586ce4aa1960d5d00
SHA25658353d658afec49b218e05544f9c317269d190fdc0cc9eb545e620c1fe1b2423
SHA512c54eab2e63ab223b292e545b40ed65b609d16bbe4cefc93f2eed24540a8dae6bece04ada3b59752313efadeae06ff50facf997fa568e9ba37a54e3607ae1aadd
-
Filesize
288KB
MD51a14ff4f7c8c3ac01edb75d0eb35d8ae
SHA1a8b69260e32e63324e28eec8d814eced9e5a9d14
SHA25624af4eb640b9e32df71960c70b83fdf465cf15e3c53edca8de04bd8a1f61a3f9
SHA512911f867abced42f04d816d9283f0ffbe6b83094655d314174a5a60cb8f3e6c9f31ff2508f5ac2131a2abde01df2233788b2801acdb57f5c73b21572158ee982d
-
Filesize
30KB
MD5a994e2974476e7d2d6cb7ae7cc925e1f
SHA13fd6cb53f660f4f6efe1fa4a562f1a1810c7a934
SHA256a3dcc7a4a9e03d55bf1dd43a9bbabca330fc4f36e193ba3a4a0dbc91ea94707a
SHA512f2c1afaa658865dbf42e434da941453050a8af774c2dafb0a5efb444284868c63f16467d1955103662babdc64256b8889f9d8b24de473be5170e32422895ad23
-
Filesize
25KB
MD5e0bdb5f577a1e92232b8615bc45fb0a1
SHA147d60940137be2c260e87f2e324b65bae1a61bc6
SHA256301196dc1ae2d43545957faafcb1a2456f0eab511a51ab8c1bab991f66bc2231
SHA512a97e3d462a74b6abb1c5a2c971358cd8719b9728eaa5227717877c82b285a9035df38b1d9b85a7072c415b39a084e62304457b72fdebd053f4bda41e2968a852
-
Filesize
25KB
MD5c8b58306603e7c3731a77061b8df776e
SHA1eca8517296216869823991246409fd23c183e72b
SHA256188ce61421ade659cbb3abb16ace7d3678e88938d66bc7435f829d65dc89ea84
SHA512a51e7209b9f8b2de2108ee47c791d23de23752f845fa7861127f91a82984d5ae58fd840e390cbfc11369bdb365f7445872232fd1da0f83d12ab63a5ace70fb9c
-
Filesize
225KB
MD5c73b5b222ff5660fa29144fa219b971a
SHA1273f2a344f87d67c40e166da4ad4488133a5236a
SHA25628c513f1e8a395689a8c65b8eddbd527887565a6aba8ac7a805d07241398623a
SHA512813b6265a5101375f2b181865a4ad73029406302edfe47afc692e42cc54365930b38e47cd8f639a5540a06aa735ae121b0aad6e85cf0c73fa2f57cfb91367ff9
-
Filesize
40.7MB
-
Filesize
1024KB
-
Filesize
40.7MB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
6.8MB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
6.8MB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
44KB
-
Filesize
404KB
-
Filesize
408KB