General

  • Target

    2021ME04LO15.doc

  • Size

    1.4MB

  • Sample

    210415-er64pm64ex

  • MD5

    a073a792ee6617735ac30bb43eb61ac7

  • SHA1

    946c5909cae581f6e8721a8c739f4277f4d03ad8

  • SHA256

    85ac76220919a37ce00b15eeaf30a0d0c040a4424b06600e53f3bd828bb76678

  • SHA512

    c5c66c684053fd15e582e71d9c8e5764d5496c5620b9693228d7f275c1ccaf73d2a27da2ca2f8b200fe8e5783e487815a0672f88796bdc03923f5832d6e9730e

Malware Config

  • Extracted (ps1, deobfuscated)

    Language: ps1
    URLs (ps1.dropper):
      httPs://paste.ee/r/8Ajuy
      httPs://paste.ee/r/StzRu

  • Extracted (smokeloader)

    Family: smokeloader
    Version: 2018
    C2: http://melonco.com/0/
    rc4.i32
    rc4.i32

Targets

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 3
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 3