General

  • Target

    TT-2021ME04LO15.doc

  • Size

    1.4MB

  • Sample

    210415-zsrxvvkn2n

  • MD5

    ebf1f2545f4d56934b70ee736283a82a

  • SHA1

    0015da9c77c451f9bcae368b40310173b40833fd

  • SHA256

    4a3edbea57e335f6b08ad17812f1c4746d4b6741546f1c497a3b809774f81d1d

  • SHA512

    e36b6ef2273e0effe7aac818b11e49ceaadce554bf8b3f2407c12eddbad720c1a3bb5c00567fdd2492d674e3035cc8d50e1d30787f9b452a6bfc3977c46c2f2d

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://u.teknik.io/9AudS.jpg

Extracted

  • Family

    smokeloader

  • Version

    2018

  • C2

    http://melonco.com/0/

  • rc4.i32

  • rc4.i32

Targets

    • Target

      TT-2021ME04LO15.doc


    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 3
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 3