Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 29-04-2021 10:30
- Static task: static1
- Behavioral task behavioral1: sample pax. ü 245-2021p..js, resource win7v20210410
- Behavioral task behavioral2: sample pax. ü 245-2021p..js, resource win10v20210408
General
- Target: pax. ü 245-2021p..js
- Size: 70KB
- MD5: 4a031ff065cfef30a2fd7026f3728533
- SHA1: 4c1ab25e9a039d62ed115f34dbbb9a56b94dd37f
- SHA256: 9bccfb1a9d5b942500eec536bb90c3857e28f49e4c9f82f055f630be04b3ebda
- SHA512: c24831f9c6f09eadda14d8ca2252cf101ab8f6b0e30693bb08037a6e53e9c4c6ed8298c47f96d30681ac0cca5feb61f5cbb204e320da979f46dc2f214361636f
Malware Config
- Extracted: smokeloader (2020)
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Blocklisted process makes network request (1 IoC)
  Processes: flow 6, pid 452, wscript.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes: pid 1184, 606715.dat
- Loads dropped DLL (1 IoC)
  Processes: pid 1184, 606715.dat
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (606715.dat)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (606715.dat)
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (606715.dat)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 1184, 606715.dat (2 entries); pid 1356, process name not recorded (all remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 1356
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 1184, 606715.dat
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: pid 1356 (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: pid 1356 (4 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 452 wrote to memory of 1184; pid 452, wscript.exe, target process 606715.dat (4 entries)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\pax. ü 245-2021p..js"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\606715.dat (child process)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\606715.dat
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\606715.dat
  MD5: 15d0c452ebee4621530ad0c834439a96
  SHA1: 7d8d83d21cc4c85382347545030eb7da5b66db6c
  SHA256: 5f31050b511cf181abfa18b04cdc3a4152afc18c34b4ffc1087496144ac56a7c
  SHA512: 39222091b9a87dcbc92ae477af2064838c7fde01f372145c06acc5f4b90d068db537b68d36e89e5068bdc0d2a4eee3700386adde5d2f97747c53ac62db436fdc
- \Users\Admin\AppData\Local\Temp\9419.tmp
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
- memory/1184-60-0x0000000000000000-mapping.dmp
- memory/1184-62-0x00000000753E1000-0x00000000753E3000-memory.dmp (filesize 8KB)
- memory/1184-65-0x0000000000400000-0x0000000000447000-memory.dmp (filesize 284KB)
- memory/1184-64-0x00000000001C0000-0x00000000001CA000-memory.dmp (filesize 40KB)
- memory/1356-66-0x0000000003CB0000-0x0000000003CC6000-memory.dmp (filesize 88KB)