Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
15-01-2024 14:43
General
-
Target
5d58da25064cdf94191aa28b925cc807.exe
-
Size
272KB
-
MD5
5d58da25064cdf94191aa28b925cc807
-
SHA1
a9b88bac9c6205a722a191fd36a4789e8b74d646
-
SHA256
3cf5e573757ea3f76cc15ca0efb4b9bdd6e089d7448288cfc1f18435c4939ba0
-
SHA512
a92e204958c3f6af0ebd7d6ee98c7ac9d3f09c998796ec82915888cbe11c517adbc118ca3f737eec782b8d6d0c4ca22a44d8adb44f69aa3979130614dca15682
-
SSDEEP
6144:PYb49G5rSyann0uxxPpVzK3m72P01ESTovddXg8U6mq:yp5rSXndxxPpVymbNovw9T
Malware Config
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted
gozi
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5d58da25064cdf94191aa28b925cc807.exe"C:\Users\Admin\AppData\Local\Temp\5d58da25064cdf94191aa28b925cc807.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\9859.exeC:\Users\Admin\AppData\Local\Temp\9859.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\53a1q751a171wwe_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\53A1Q7~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\A0D2.exeC:\Users\Admin\AppData\Local\Temp\A0D2.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD50c819dd27a128d9234daa3d772fb8c20
SHA1d5d36492818872da8e70dc28cc85389b8e0f3819
SHA256ae088798b181a2bf822fcd3bec3a11779f45a8e3b83cb6c75c5ffbffc3c3d5b2
SHA512f502ddb79703297cf0592e68c3f1f964584725d7aa670272998f174ffa108bb7340c0d65d38d69e1b3f7f1217628dadda108fa2d5fe1eab73b7b3302b9f769b7
-
Filesize
960KB
MD54c3e2359c5218af84c492d081fd130d2
SHA1dfd9958791375869349455fab7c47a685832eb6e
SHA25647bcc85fe56c4fc2620c3766514b7dc353bda2ad9342d153e553969403898a1d
SHA51243f20346a591559a410162da2f4699d5c9d9d74e236fabbbcfa1d2b77f6ccb7171911d9a8ffcfd6c12f023853f11bc99ee7da5eeb5a3705ea4daa2c372a43dd6
-
Filesize
3.8MB
MD57a1a513730fe8fbf18fdab76dc199138
SHA14345071a917169a099d2b182a910bf47ca6c3d13
SHA2565a787c3f6e520397b174ffb96111d126119371621ab449f578579e947528b281
SHA512a47339430fdf1e953cee76465324c0ad72f0b6417892a786d79f4a50d8e95aaa9a619d89cf1ae600ab751f40b6d2a7cd352ecf1ed0623ba17c2151158ccf5cde
-
Filesize
272KB
MD55d58da25064cdf94191aa28b925cc807
SHA1a9b88bac9c6205a722a191fd36a4789e8b74d646
SHA2563cf5e573757ea3f76cc15ca0efb4b9bdd6e089d7448288cfc1f18435c4939ba0
SHA512a92e204958c3f6af0ebd7d6ee98c7ac9d3f09c998796ec82915888cbe11c517adbc118ca3f737eec782b8d6d0c4ca22a44d8adb44f69aa3979130614dca15682
-
Filesize
768KB
MD5c9e909187330b42fbe88fcadf7546711
SHA1d59e3ebaf2cba6c3e78fb04836103f1e733a4f23
SHA256b17b704c7cafbc569154b32caf8ac6500c044b26046afc1d55bfe54fd45eb33a
SHA5121343c6b711804aaad4a478870d2b7ebae1dbb515f3a28cdc5969aafa664cf8cef20ae42e8b60a1924d89281edc5dd5c7b5052e135bdaea9774d9e6c482446fcb
-
Filesize
1024KB
MD58375fc0085b5fd2c5bd373561847619f
SHA138ecc325c74c0c7b8825c620a305c992cac8835b
SHA25631681a257f12d6f498411e3440884a95255c2e41641e121e5d9df8a6d852651c
SHA512fc191721915bf7feb061b1bcce6e8afd552ff3d4c7fd5e574955f1d2250e7d1e85587b799f273528bf04b2c9ced928eb0d9dfd64a0a100a31a68a07b9a5df16a
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.8MB
-
Filesize
84KB
-
Filesize
31.7MB
-
Filesize
31.7MB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
408KB
-
Filesize
44KB
-
Filesize
404KB
-
Filesize
408KB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
4KB