smokeloader | cf1b38106e42989ddffb99e0163787135e7b294c5d5e88e3b47ca1b7cd0d6681

Analysis

max time kernel
67s
max time network
72s
platform
windows10_x64
resource
win10v20201028
submitted
25-11-2020 10:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

0x000300000001ac99-126.exe
Size

300KB
MD5

ca58d4cf4a5e0725f844c8eae3f8ae67
SHA1

fbce92619ce23f4594846f2f789e513dab9f3239
SHA256

0e3774d65577253a820f1ee272d7a0c96e4c6a869ef8f749fe7f83d2fc49f054
SHA512

32bdfc2e72fff79c075d5f9ead8268f1e9e0648635fd977f6d8db62358c48d5451b64e639b1853bd87220a1157e74754e1109b3f1797f98ef02d5151fb09f4a9

Score

10^/10

smokeloader backdoor bootkit persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 3 IoCs

Processes:

E881.exeF19A.exeF8FE.exe

pid process

4208 E881.exe
3860 F19A.exe
1736 F8FE.exe
Deletes itself 1 IoCs

Processes:

pid process

2300
Loads dropped DLL 1 IoCs

Processes:

0x000300000001ac99-126.exe

pid process

4692 0x000300000001ac99-126.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

E881.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 E881.exe

pid	process
4208	E881.exe
3860	F19A.exe
1736	F8FE.exe

pid	process
2300

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	E881.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0x000300000001ac99-126.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000300000001ac99-126.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000300000001ac99-126.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000300000001ac99-126.exe

Suspicious behavior: EnumeratesProcesses 782 IoCs

Processes:

0x000300000001ac99-126.exe

pid	process
4692	0x000300000001ac99-126.exe
4692	0x000300000001ac99-126.exe
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300
2300

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0x000300000001ac99-126.exe

pid process

4692 0x000300000001ac99-126.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

E881.exe

description pid process

Token: SeShutdownPrivilege 4208 E881.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2300

description	pid	process
Token: SeShutdownPrivilege	4208	E881.exe

pid	process
2300

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

description	pid	target process
PID 2300 wrote to memory of 4208	2300	E881.exe
PID 2300 wrote to memory of 4208	2300	E881.exe
PID 2300 wrote to memory of 4208	2300	E881.exe
PID 2300 wrote to memory of 3860	2300	F19A.exe
PID 2300 wrote to memory of 3860	2300	F19A.exe
PID 2300 wrote to memory of 3860	2300	F19A.exe
PID 2300 wrote to memory of 1736	2300	F8FE.exe
PID 2300 wrote to memory of 1736	2300	F8FE.exe
PID 2300 wrote to memory of 1736	2300	F8FE.exe

C:\Users\Admin\AppData\Local\Temp\0x000300000001ac99-126.exe
"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac99-126.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4692

C:\Users\Admin\AppData\Local\Temp\E881.exe
C:\Users\Admin\AppData\Local\Temp\E881.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Users\Admin\AppData\Local\Temp\F19A.exe
C:\Users\Admin\AppData\Local\Temp\F19A.exe
1⤵
- Executes dropped EXE
PID:3860

C:\Users\Admin\AppData\Local\Temp\F8FE.exe
C:\Users\Admin\AppData\Local\Temp\F8FE.exe
1⤵
- Executes dropped EXE
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E881.exe
MD5
dd82df483ab0a2875831209f12c4e978

SHA1
42b7715d00487578f228ae391c72edada07767d9

SHA256
5882c641289a6ea69516167a057dc7099d7dc17a00b78c0afaee9b2133e30d9f

SHA512
b66c288c073e85072adbcaac0b284ce4f2b307ca8729aef3c1b8a94c2c28b900018cddc5a6971f89a5ae70caa4d146369d7dbc41f89157be356a8f900b6eeacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E881.exe
MD5
dd82df483ab0a2875831209f12c4e978

SHA1
42b7715d00487578f228ae391c72edada07767d9

SHA256
5882c641289a6ea69516167a057dc7099d7dc17a00b78c0afaee9b2133e30d9f

SHA512
b66c288c073e85072adbcaac0b284ce4f2b307ca8729aef3c1b8a94c2c28b900018cddc5a6971f89a5ae70caa4d146369d7dbc41f89157be356a8f900b6eeacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\F19A.exe
MD5
801a4e85faeb41919a0da6fa174ada04

SHA1
cf6a3be6cf3130a0d2a92ac9eec392e43029a06c

SHA256
23a96527c86ed75232f146343a612a96b8a6e70433cbdf39c9a611aeb3191ddd

SHA512
319b835e51c98e710a9bea852b79796f1516a5f38b092a2319e65cf21ca63be25621a8a89bd33fe32bc75fde5e115597d141fb68897738daccf476e9576dd54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F19A.exe
MD5
801a4e85faeb41919a0da6fa174ada04

SHA1
cf6a3be6cf3130a0d2a92ac9eec392e43029a06c

SHA256
23a96527c86ed75232f146343a612a96b8a6e70433cbdf39c9a611aeb3191ddd

SHA512
319b835e51c98e710a9bea852b79796f1516a5f38b092a2319e65cf21ca63be25621a8a89bd33fe32bc75fde5e115597d141fb68897738daccf476e9576dd54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8FE.exe
MD5
7f1c0fe70e588f3bead08b64910b455e

SHA1
b0d78d67ee8a703e2c5dff5f50b34c504a91cfee

SHA256
4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4

SHA512
e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8FE.exe
MD5
7f1c0fe70e588f3bead08b64910b455e

SHA1
b0d78d67ee8a703e2c5dff5f50b34c504a91cfee

SHA256
4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4

SHA512
e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/1736-9-0x0000000000000000-mapping.dmp

Download
memory/2300-2-0x0000000000890000-0x00000000008A6000-memory.dmp

Filesize
88KB

Download
memory/3860-6-0x0000000000000000-mapping.dmp

Download
memory/3860-13-0x0000000006440000-0x0000000006441000-memory.dmp

Filesize
4KB

Download
memory/4208-3-0x0000000000000000-mapping.dmp

Download
memory/4208-12-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/4692-0-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads