Analysis

max time kernel: 600s
max time network: 177s
platform: windows7_x64
resource: win7v20210410
submitted: 19-04-2021 06:32

Static task: static1
Behavioral task: behavioral1
Sample: рахунок № 00163-2021.js (Ukrainian: "invoice № 00163-2021.js")
Resource: win7v20210410
General

Target: рахунок № 00163-2021.js
Size: 73KB
MD5: 6faf0f67320408b8f5bfd9562f5ca6a6
SHA1: e67ef7d6424f45fb2f3fa6fb3a677e621f8eea05
SHA256: 3c3dad766a284f3fc74ae1727ef048534076b06756da7fde43802a90b0efeb86
SHA512: 0e0320d3c9429e49acd0a4cb666435325569cd637f0be6378908fb35035fdf3a3617a781b5607e4ca29219c263eec285ccfbf84f820da7570400490a1f09b9d1
Malware Config

Extracted: smokeloader
Version: 2020
C2 URLs:
http://smbproperty.ru/
http://gmbshop.ru/
http://baksproperty.gov.ug/
http://magistralpsw.ru/
http://mpmanagertzz.ru/
http://powerglasspot.ru/
http://autopartswarehouses.ru/
http://memoloves.ru/
http://alfavanilin.ru/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Blocklisted process makes network request (1 IoC)
Processes:
flow 6  pid 1084  wscript.exe

Executes dropped EXE (1 IoC)
Processes:
pid 704  325822.dat

Loads dropped DLL (1 IoC)
Processes:
pid 704  325822.dat

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  325822.dat
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  325822.dat
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  325822.dat
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid 704   325822.dat (2 entries)
pid 1288  (the remaining 62 entries; pid 1288 does not appear in the process tree below and the report does not name it)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid 1288

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
pid 704  325822.dat

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
Token: SeShutdownPrivilege  pid 1288 (3 entries)

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
pid 1288 (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
pid 1288 (4 entries)

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
PID 1084 (wscript.exe) wrote to memory of PID 704 (325822.dat) (4 entries)
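The "Checks SCSI registry key(s)" signature above describes a common virtualisation check: read the subkeys of HKLM\SYSTEM\ControlSet001\Enum\SCSI, whose names carry the disk vendor and product strings, and look for hypervisor vendors. The following is an added example written for this page, not code from the sample or from the sandbox; the report does not say which strings the sample looks for, so the marker list and the subkey names below are assumptions/constructed. On Windows the script enumerates the live key; elsewhere it runs against the constructed names.

```python
"""Registry-based virtualisation check of the kind the SCSI signature describes.

Added example, not code from the report, the sample or the sandbox. Assumes the
usual subkey layout under HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI, e.g.
"Disk&Ven_VMware&Prod_Virtual_disk". The marker list is an assumption.
"""

# Assumed vendor/product substrings that betray a hypervisor or sandbox disk.
VIRTUAL_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtio", "xen", "virtual")

# Constructed subkey names (not taken from the sandbox).
SAMPLE_VIRTUAL_KEYS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
    "Disk&Ven_Msft&Prod_Virtual_Disk",
]
SAMPLE_PHYSICAL_KEYS = [
    "Disk&Ven_Samsung&Prod_SSD_860_EVO",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]


def parse_scsi_key(name):
    """Split 'Class&Ven_X&Prod_Y...' into (class, vendor, product)."""
    parts = name.split("&")
    vendor = product = ""
    for p in parts[1:]:
        if p.startswith("Ven_"):
            vendor = p[4:]
        elif p.startswith("Prod_"):
            product = p[5:]
    return parts[0], vendor, product


def looks_virtual(name):
    """Return the first marker found in the vendor/product strings, or None."""
    _, vendor, product = parse_scsi_key(name)
    hay = f"{vendor} {product}".lower().replace("_", " ")
    for marker in VIRTUAL_MARKERS:
        if marker in hay:
            return marker
    return None


def classify(keys):
    """Map each subkey name to the matched marker (None for physical-looking devices)."""
    return {k: looks_virtual(k) for k in keys}


def read_live_scsi_keys():
    """Enumerate the real key on Windows; return None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\ControlSet001\Enum\SCSI") as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:  # EnumKey raises once the subkeys are exhausted
                break
            index += 1
    return names


if __name__ == "__main__":
    keys = read_live_scsi_keys() or SAMPLE_VIRTUAL_KEYS + SAMPLE_PHYSICAL_KEYS
    for name, hit in classify(keys).items():
        label = f"VIRTUAL (matched '{hit}')" if hit else "physical"
        print(f"{label:28} {name}")
```

Sandbox operators counter this check by renaming the emulated devices so the vendor strings do not match; a sample that reads this key and then stays quiet, as the report suggests here (the only visible follow-on activity is in pid 1288), is worth re-running on a machine whose SCSI entries carry physical-looking names.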
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\рахунок № 00163-2021.js"
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\325822.dat (child of 1)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\325822.dat
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
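The process tree, the dropped-file hashes and the extracted C2 list give three things a detection engineer can act on: a script host (wscript.exe) launching a .dat from %APPDATA%\Roaming\Microsoft\Windows\Templates, the SHA256 values of the sample and its dropped files, and the nine C2 hostnames. The script below is an added example for this page, not part of the report; it turns those IoCs into a matcher and runs it over constructed telemetry. The field names (EventID, Image, ParentImage, Hashes, QueryName, DestinationHostname) follow the Sysmon convention and are an assumption about the log source; treating cscript.exe like wscript.exe is also an assumption.

```python
"""Match the report's SmokeLoader IoCs against Sysmon-style process and network events.

Added example, not code from the report. C2 URLs, SHA256 values and the drop
path are copied from the report; the events and Sysmon field names are
constructed/assumed.
"""
import re
from urllib.parse import urlparse

# C2 URLs from the extracted SmokeLoader config.
C2_URLS = [
    "http://smbproperty.ru/", "http://gmbshop.ru/", "http://baksproperty.gov.ug/",
    "http://magistralpsw.ru/", "http://mpmanagertzz.ru/", "http://powerglasspot.ru/",
    "http://autopartswarehouses.ru/", "http://memoloves.ru/", "http://alfavanilin.ru/",
]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# SHA256 values from the report: the submitted sample and the two dropped files.
SHA256_IOCS = {
    "3c3dad766a284f3fc74ae1727ef048534076b06756da7fde43802a90b0efeb86": "JS dropper (submitted sample)",
    "60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f": "325822.dat (dropped SmokeLoader executable)",
    "ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef": "9419.tmp (dropped temp file)",
}

# Behavioural rule from the process tree: a script host runs a .dat from the
# Templates folder. cscript.exe is included by assumption.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
DROP_PATH_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\[^\\]+\.dat$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def sha256_from_hashes(field):
    """Sysmon's Hashes field reads 'SHA256=...,MD5=...'; return the SHA256 lowercased, or None."""
    for part in field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def check_event(ev):
    """Return the IoC reasons this event matches (empty list if clean)."""
    reasons = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        if basename(parent) in SCRIPT_HOSTS and DROP_PATH_RE.search(image):
            reasons.append(f"{basename(parent)} launched {image} from the Templates drop path")
        digest = sha256_from_hashes(ev.get("Hashes", ""))
        if digest in SHA256_IOCS:
            reasons.append(f"SHA256 matches {SHA256_IOCS[digest]}")
    elif eid in (3, 22):  # network connection / DNS query
        host = (ev.get("DestinationHostname") or ev.get("QueryName") or "").lower()
        if host in C2_HOSTS:
            reasons.append(f"{basename(ev.get('Image', ''))} contacted SmokeLoader C2 host {host}")
    return reasons


def scan(events):
    """Return [(index, reasons)] for every event with at least one hit."""
    return [(i, check_event(ev)) for i, ev in enumerate(events) if check_event(ev)]


# Constructed telemetry (not captured from the sandbox run).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\325822.dat",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Hashes": "SHA256=60922AF94A3C7ADF6D040DC1BD4D465983A38BD2410C050BEF27DEDA8CE2002F"},
    {"EventID": 22, "Image": r"C:\Windows\System32\wscript.exe", "QueryName": "smbproperty.ru"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for reason in reasons:
            print("   -", reason)
```

The path rule is the durable part: hashes and C2 domains rotate between SmokeLoader campaigns, while a script host executing a payload from the Templates folder is unusual on a workstation and survives repacking.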
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\325822.dat
  MD5: 5597e91491519ec78b764fb657615529
  SHA1: 53081a84fcbcc5707881fd2f606812977770bfe1
  SHA256: 60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f
  SHA512: e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2
- \Users\Admin\AppData\Local\Temp\9419.tmp
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
- memory/704-59-0x0000000000000000-mapping.dmp
- memory/704-61-0x00000000752F1000-0x00000000752F3000-memory.dmp (Filesize: 8KB)
- memory/704-64-0x0000000000400000-0x000000000046D000-memory.dmp (Filesize: 436KB)
- memory/704-63-0x0000000000020000-0x000000000002A000-memory.dmp (Filesize: 40KB)
- memory/1288-65-0x0000000002A10000-0x0000000002A26000-memory.dmp (Filesize: 88KB; pid 1288 is not listed in the process tree)