Analysis
- max time kernel: 150s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 29-04-2021 10:30
Static task: static1
Behavioral task: behavioral1
- Sample: pax. ü 245-2021p..js
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: pax. ü 245-2021p..js
- Resource: win10v20210408
General
- Target: pax. ü 245-2021p..js
- Size: 70KB
- MD5: 4a031ff065cfef30a2fd7026f3728533
- SHA1: 4c1ab25e9a039d62ed115f34dbbb9a56b94dd37f
- SHA256: 9bccfb1a9d5b942500eec536bb90c3857e28f49e4c9f82f055f630be04b3ebda
- SHA512: c24831f9c6f09eadda14d8ca2252cf101ab8f6b0e30693bb08037a6e53e9c4c6ed8298c47f96d30681ac0cca5feb61f5cbb204e320da979f46dc2f214361636f
Malware Config
- Extracted: smokeloader 2020
Signatures
- SmokeLoader: modular backdoor trojan in use since 2014.
- Blocklisted process makes network request (1 IoC)
  Process: wscript.exe (PID 908)
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Process: 795700.dat (PID 3216)
- Loads dropped DLL (1 IoC)
  Process: 795700.dat (PID 3216)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process 795700.dat opened, queried and enumerated the key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 795700.dat (PID 3216, 2 entries); PID 2644 (process name not recorded, remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: PID 2644
- Suspicious behavior: MapViewOfSection (1 IoC)
  Process: 795700.dat (PID 3216)
- Suspicious use of UnmapMainImage (1 IoC)
  Process: PID 2644
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 908 (wscript.exe) wrote to the memory of PID 3216 (795700.dat), recorded three times
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\pax. ü 245-2021p..js"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\795700.dat (depth 2, child of the wscript.exe process above)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\795700.dat
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\795700.dat
  MD5: 15d0c452ebee4621530ad0c834439a96
  SHA1: 7d8d83d21cc4c85382347545030eb7da5b66db6c
  SHA256: 5f31050b511cf181abfa18b04cdc3a4152afc18c34b4ffc1087496144ac56a7c
  SHA512: 39222091b9a87dcbc92ae477af2064838c7fde01f372145c06acc5f4b90d068db537b68d36e89e5068bdc0d2a4eee3700386adde5d2f97747c53ac62db436fdc
- \Users\Admin\AppData\Local\Temp\9419.tmp
  MD5: 50741b3f2d7debf5d2bed63d88404029
  SHA1: 56210388a627b926162b36967045be06ffb1aad3
  SHA256: f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
  SHA512: fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
- memory/2644-120-0x0000000000C10000-0x0000000000C26000-memory.dmp (Filesize: 88KB)
- memory/3216-114-0x0000000000000000-mapping.dmp
- memory/3216-118-0x0000000000400000-0x0000000000447000-memory.dmp (Filesize: 284KB)
- memory/3216-117-0x0000000000450000-0x00000000004FE000-memory.dmp (Filesize: 696KB)