General

  • Target

    2021lk049443.doc

  • Size

    1.1MB

  • Sample

    210413-ytt5m49fj6

  • MD5

    67cb98b84a7db5f2f69023b0c5c08309

  • SHA1

    9f04a27bb59ac6842ea400c95af131612bfe00f9

  • SHA256

    6b2e23e38be7ad27c11af03599f5caaf69dff237e39a5ffb1904db398e613221

  • SHA512

    fd6ad0a85ae2cd37e278c5cf702e67508b606108fd2c5854d52e37574088204db47d015251cde5dd75fe60b155440ed0aa8a735fd9b0fc5d423bda58458fb512

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://u.teknik.io/28oLW.jpg

Extracted

Family

smokeloader

Version

2018

C2

http://94.140.115.43/1/

rc4.i32
rc4.i32

Targets

    • Target

      2021lk049443.doc

    • Size

      1.1MB

    • MD5

      67cb98b84a7db5f2f69023b0c5c08309

    • SHA1

      9f04a27bb59ac6842ea400c95af131612bfe00f9

    • SHA256

      6b2e23e38be7ad27c11af03599f5caaf69dff237e39a5ffb1904db398e613221

    • SHA512

      fd6ad0a85ae2cd37e278c5cf702e67508b606108fd2c5854d52e37574088204db47d015251cde5dd75fe60b155440ed0aa8a735fd9b0fc5d423bda58458fb512

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Execution

Exploitation for Client Execution

1
T1203

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Tasks