Overview

overview

10

Static

static

New Order.doc

windows7_x64

10

New Order.doc

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New Order.doc

  • Size

    2.1MB

  • Sample

    210305-zt2l2alltn

  • MD5

    1520f6a4a26f78c2e48798177d9eeb98

  • SHA1

    551262272bc63fe224d4f9bb50abbc70e7028ac5

  • SHA256

    ce5fdea4f80dbef6108295b6216ef43769683c384a4779e9042da6c1ddf4638c

  • SHA512

    7da17e9bfd098ea1f75dfd1ec791f64ab09c0290aa3069c308e0db566b3fefe39f3734903f5c8b0f20cac5a020949ef1e9f700f322c1b93c000735a5d784542f

Score
10/10
smokeloaderbackdoortrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://u.teknik.io/co0r5.txt

Extracted

Family

smokeloader

Version

2018

C2

http://cmcare.ca/1/

rc4.i32
rc4.i32

Targets

    • Target

      New Order.doc

    • Size

      2.1MB

    • MD5

      1520f6a4a26f78c2e48798177d9eeb98

    • SHA1

      551262272bc63fe224d4f9bb50abbc70e7028ac5

    • SHA256

      ce5fdea4f80dbef6108295b6216ef43769683c384a4779e9042da6c1ddf4638c

    • SHA512

      7da17e9bfd098ea1f75dfd1ec791f64ab09c0290aa3069c308e0db566b3fefe39f3734903f5c8b0f20cac5a020949ef1e9f700f322c1b93c000735a5d784542f

    Score
    10/10
    smokeloaderbackdoortrojanupx

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Blocklisted process makes network request

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks