Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
15-01-2024 10:11
General
-
Target
5cd06f4bdfb8cb137f9a2aae8abd3253.exe
-
Size
273KB
-
MD5
5cd06f4bdfb8cb137f9a2aae8abd3253
-
SHA1
aedc15d5b30fd14e289f42eabf64bb0ba4815877
-
SHA256
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
-
SHA512
84ce50986e9eb5940dc09e42339c122809f698d63264bffd924fc3b9f96353ba37918c2094031a711462a5cebb5691916cf26775ab67e7c2f2d4b5539e928c2e
-
SSDEEP
6144:5f3JE8LYFX8H5vSqTZUoe1XkwncZL4xZpHFn2:lJHQX8H5NTZUoeCwaGl2
Malware Config
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted
gozi
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cd06f4bdfb8cb137f9a2aae8abd3253.exe"C:\Users\Admin\AppData\Local\Temp\5cd06f4bdfb8cb137f9a2aae8abd3253.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6B22.exeC:\Users\Admin\AppData\Local\Temp\6B22.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ay3c1a9mwum_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\AY3C1A~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\735D.exeC:\Users\Admin\AppData\Local\Temp\735D.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD50c819dd27a128d9234daa3d772fb8c20
SHA1d5d36492818872da8e70dc28cc85389b8e0f3819
SHA256ae088798b181a2bf822fcd3bec3a11779f45a8e3b83cb6c75c5ffbffc3c3d5b2
SHA512f502ddb79703297cf0592e68c3f1f964584725d7aa670272998f174ffa108bb7340c0d65d38d69e1b3f7f1217628dadda108fa2d5fe1eab73b7b3302b9f769b7
-
Filesize
306KB
MD5546e3cf308d719d3b9e0123b8ce15ddf
SHA1fff8888ba8c66108810dd801794a3d29af838195
SHA256a4dd9bd4843865400be991d66e2434bb55b25acf4d4fb96b33a8bd0933f98c7f
SHA512259b2167eaf77e7e69bbcd4992eb5211c5e2d3cac2438ddd03cb0bd01c1da624dd2eb94cc750a0787312e737f5f9e9d450a2adb5f6c38cbcea349d3a9038976e
-
Filesize
251KB
MD578565cf936c9f8b3d3ec13a83eb919b0
SHA13a8cbd789a74d5fb50d30d58d77e506d4d229872
SHA2568d1d42f6c37d832bf53331e4f35ae807adb80fcd77273a63e5231e10185a56fb
SHA512fca45e3c620a962bfab92acb318c9737a238076f4dcad54a4f0195bf6e6bf166df20146cedb78fcf38feec1f120c5fa812deab9c211d44a111070176d34e649c
-
Filesize
329KB
MD58e4e7c2418050286f2f1bab6578c4db1
SHA102d13ac87fbfc030fd229bdb61acfba6d64e46c6
SHA2566f65e20a9494057700e763b1d56d92627632f69b139adf072b75f22cf81586dc
SHA5120bf95e612868bed3a85090c6d883f4f43e97febd77b3ae2da18010df4bf613ed398c75efdcbbb4dead6e64c40a7773113ca3bcdfb5f7ee9c3a3d106199146445
-
Filesize
162KB
MD526d67f902f1879e20c21bcad9147ed87
SHA110cb86c2c51ce930a479e47b3f042677e82757c6
SHA2561e79992150eca0753ffe4406a5220d596c19cdf74372e654952bcedf02b99726
SHA512cc203edbb52322fe461555e57a0a180091fa9c62a0a811bc19a0ffee6c972ec3efe2e791f0f6b364e2d95f3ece6cfef9257f820bba9666f490440c7f5c2180ec
-
Filesize
273KB
MD55cd06f4bdfb8cb137f9a2aae8abd3253
SHA1aedc15d5b30fd14e289f42eabf64bb0ba4815877
SHA256e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
SHA51284ce50986e9eb5940dc09e42339c122809f698d63264bffd924fc3b9f96353ba37918c2094031a711462a5cebb5691916cf26775ab67e7c2f2d4b5539e928c2e
-
Filesize
364KB
MD5d4ce6e4e2f1e47ebb80410ab40e44baf
SHA1988986ba65dbee0f4b40251e7aa0a7d5a9047338
SHA25607a5b57062f85d23048f77e81249c737e97977250a4db1fbc72add561621295b
SHA5126f7207ed4d10d94d9a4a5a24b800beabc8a6923d53cc1059f088825b6dab9c1df5fa9681af43f9d79c29fcb9818190165e3210ee05599365f4d93f72e47eb7b3
-
Filesize
486KB
MD51b53072014bdff697ba438655c5a0df7
SHA16e58c29aff15a014280078c26184a469b4663314
SHA256b82c21b70542f2ff671539a7e7485e05a2c9fe0ff3b95854099e1ee4f805060f
SHA512ba95c00de485407ae0502e0f43f8fad0f090dcad4566557261b888cc1792dadac16c8d0098c2d54a128bb51c30e2f1dc1a28fb86c19264f33af6552dff2e6a51
-
Filesize
118KB
MD5862ea4e9d2befe28f174aa236532bef4
SHA1189af5b13cbc88153d4df249e1d73fed29c19165
SHA256ca0c667098b208c70443044cd439ac2abc5377b2f11a8c97b29e98903b0340d6
SHA512680a3a891a328cec35e64323e4e91627fe9ac90963e82b4bad1842d369d6fef48bca5b03fad9285aef1ba3a32e142ed08cd948b79e6ff8dd8cb3eb8e701995bf
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
31.7MB
-
Filesize
31.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
48KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
6.8MB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
44KB
-
Filesize
404KB
-
Filesize
44KB