Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 19-04-2021 06:21

Static task: static1

Behavioral task: behavioral1
- Sample: рахунок № 00163-2021.js
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: рахунок № 00163-2021.js
- Resource: win10v20210410
General
- Target: рахунок № 00163-2021.js
- Size: 73KB
- MD5: 6faf0f67320408b8f5bfd9562f5ca6a6
- SHA1: e67ef7d6424f45fb2f3fa6fb3a677e621f8eea05
- SHA256: 3c3dad766a284f3fc74ae1727ef048534076b06756da7fde43802a90b0efeb86
- SHA512: 0e0320d3c9429e49acd0a4cb666435325569cd637f0be6378908fb35035fdf3a3617a781b5607e4ca29219c263eec285ccfbf84f820da7570400490a1f09b9d1
Malware Config
Extracted
smokeloader
2020
http://smbproperty.ru/
http://gmbshop.ru/
http://baksproperty.gov.ug/
http://magistralpsw.ru/
http://mpmanagertzz.ru/
http://powerglasspot.ru/
http://autopartswarehouses.ru/
http://memoloves.ru/
http://alfavanilin.ru/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Blocklisted process makes network request (1 IoC)
  Processes:
    flow  pid   process
    9     3892  wscript.exe

- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    3128  495746.dat

- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    3128  495746.dat

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                               process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  495746.dat
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  495746.dat
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  495746.dat

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    3128  495746.dat
    3128  495746.dat
    2824  (no image name recorded; the remaining 62 entries all report pid 2824)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    2824  (no image name recorded)

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    3128  495746.dat

- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
    pid   process
    2824  (no image name recorded)

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process      target process
    PID 3892 wrote to memory of 3128   3892  wscript.exe  495746.dat
    PID 3892 wrote to memory of 3128   3892  wscript.exe  495746.dat
    PID 3892 wrote to memory of 3128   3892  wscript.exe  495746.dat
Processes
- C:\Windows\system32\wscript.exe (process tree level 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\рахунок № 00163-2021.js"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\495746.dat (process tree level 2)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\495746.dat
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\495746.dat
  MD5: 5597e91491519ec78b764fb657615529
  SHA1: 53081a84fcbcc5707881fd2f606812977770bfe1
  SHA256: 60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f
  SHA512: e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2
- \Users\Admin\AppData\Local\Temp\9419.tmp
  MD5: 50741b3f2d7debf5d2bed63d88404029
  SHA1: 56210388a627b926162b36967045be06ffb1aad3
  SHA256: f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
  SHA512: fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
- memory/2824-120-0x0000000000EF0000-0x0000000000F06000-memory.dmp
  Filesize: 88KB

- memory/3128-114-0x0000000000000000-mapping.dmp

- memory/3128-118-0x0000000000030000-0x000000000003A000-memory.dmp
  Filesize: 40KB

- memory/3128-119-0x0000000000400000-0x000000000046D000-memory.dmp
  Filesize: 436KB