Analysis
- max time kernel: 151s
- max time network: 119s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 19-04-2021 06:21

Static task: static1
Behavioral task: behavioral1
- Sample: рахунок № 00163-2021.js
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: рахунок № 00163-2021.js
- Resource: win10v20210410
General
- Target: рахунок № 00163-2021.js
- Size: 73KB
- MD5: 6faf0f67320408b8f5bfd9562f5ca6a6
- SHA1: e67ef7d6424f45fb2f3fa6fb3a677e621f8eea05
- SHA256: 3c3dad766a284f3fc74ae1727ef048534076b06756da7fde43802a90b0efeb86
- SHA512: 0e0320d3c9429e49acd0a4cb666435325569cd637f0be6378908fb35035fdf3a3617a781b5607e4ca29219c263eec285ccfbf84f820da7570400490a1f09b9d1
Malware Config
- Extracted: smokeloader 2020
- C2 URLs:
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process): 6 / 484 / wscript.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid / process): 532 / 716956.dat; 288 / wejhtbv
- Loads dropped DLL (6 IoCs)
  Processes (pid / process): 532 / 716956.dat; 1552 / WerFault.exe (×5)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process): 1552 / 288 / WerFault.exe / wejhtbv
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 716956.dat
  - Key queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 716956.dat
  - Key enumerated / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 716956.dat
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process): 532 / 716956.dat (×2); 1196 / (no process name recorded) (×62)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process): 1196 / (no process name recorded)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process): 532 / 716956.dat
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1552 / WerFault.exe
  - Token: SeShutdownPrivilege / 1196 / (no process name recorded)
- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes (pid / process): 1196 / (no process name recorded) (×6)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid / process): 1196 / (no process name recorded) (×4)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 484 wrote to memory of 532 / 484 / wscript.exe / 716956.dat (×4)
  - PID 624 wrote to memory of 288 / 624 / taskeng.exe / wejhtbv (×4)
  - PID 288 wrote to memory of 1552 / 288 / wejhtbv / WerFault.exe (×4)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\рахунок № 00163-2021.js"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\716956.dat
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\716956.dat
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {80AF527B-1CFD-4CBA-989F-DFA5EF30941F} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\wejhtbv
    Command line: C:\Users\Admin\AppData\Roaming\wejhtbv
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 124
      - Loads dropped DLL
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/288-69-0x0000000000000000-mapping.dmp
- memory/288-74-0x0000000000400000-0x000000000046D000-memory.dmp (Filesize: 436KB)
- memory/532-65-0x0000000000400000-0x000000000046D000-memory.dmp (Filesize: 436KB)
- memory/532-64-0x0000000000020000-0x000000000002A000-memory.dmp (Filesize: 40KB)
- memory/532-62-0x0000000075AD1000-0x0000000075AD3000-memory.dmp (Filesize: 8KB)
- memory/532-60-0x0000000000000000-mapping.dmp
- memory/1196-66-0x0000000003BE0000-0x0000000003BF6000-memory.dmp (Filesize: 88KB)
- memory/1552-75-0x0000000000000000-mapping.dmp
- memory/1552-81-0x00000000004E0000-0x00000000004E1000-memory.dmp (Filesize: 4KB)