smokeloader

Target

db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
Size

206KB
Sample

221119-q4ed4adg34
MD5

3c6bdf4c6b61e2d4603eafad076aa092
SHA1

4ac90d351b8b8a135331be1ae059ebb823347fe1
SHA256

2a6299dfcbcf3186ded295395c7028d651ff178df40d587b531b6bc25f2e3d3f
SHA512

ddaac427bfbf4b1236b1f3d10ab6437eb88d63ec1a44326275eba56d455362e910334931d31b389ef27b51b9e4dde7ab2496ed2ceb5cdff894a86f103351bb37
SSDEEP

6144:uFr8GBofok1bHyX1heFZU1EwFXGHPEuL+ahZ:uLCfoOTyXGQbFMPEib

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

- Target
  
  db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
- Size
  
  307KB
- MD5
  
  0abe50c1509136bf62d2184ab439e7a5
- SHA1
  
  722a7e2a0dd66f506ba93d24946b8bf504b100c0
- SHA256
  
  db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
- SHA512
  
  0c232d1eaf68c0099fb499fcd40bb33cd604f0259a71b853c296e00cc468342de95548ccf61d9e904cef5d34fd94defbb43f844e9f50a51517c7c95ab66862c5
- SSDEEP
  
  6144:Gu0FGLnBOUaLPP7S9dW8dsgMF24raEn2E1a:Gu0wTBOU2Pj6EisgM/uUv
Score

10^/10

smokeloader wannacry backdoor collection discovery evasion persistence ransomware spyware stealer trojan worm
- Detects Smokeloader packer
- Modifies system executable filetype association
  persistence
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Registers COM server for autorun
  persistence
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1