smokeloader | 310966da92c632e2cb4b22c9efc1bcbffe71c54be89cdb4b2b2119611be25fd0

Reason

Machine shutdown

General

Target

SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
Size

154KB
MD5

c15de5bd771cbdadc7870814debee5e6
SHA1

89dc5b908e99a6270864e2df0c72cc31fb7b05ff
SHA256

310966da92c632e2cb4b22c9efc1bcbffe71c54be89cdb4b2b2119611be25fd0
SHA512

299cac00651dfe3b73cc1554d8e8e23ff8286b17c95f46be6e59f10e4932cdcbc28790e2e8c00d43b002d8e7e251f0a9a4ce7f2cd84f186d6cdb81991f820556

Score

10^/10

smokeloader backdoor bootkit persistence trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://vtdilet.com/upload/

http://netvxi.com/upload/

http://tinnys.monster/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 3 IoCs

Processes:

99B5.exe9C85.exeA502.exe

pid process

2920 99B5.exe
2252 9C85.exe
208 A502.exe

pid	process
2920	99B5.exe
2252	9C85.exe
208	A502.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\99B5.exe	upx
C:\Users\Admin\AppData\Local\Temp\99B5.exe	upx
C:\Users\Admin\AppData\Local\Temp\9C85.exe	upx
C:\Users\Admin\AppData\Local\Temp\9C85.exe	upx
C:\Users\Admin\AppData\Local\Temp\A502.exe	upx
C:\Users\Admin\AppData\Local\Temp\A502.exe	upx

Deletes itself 1 IoCs

Processes:

pid process

3024
Loads dropped DLL 1 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe

pid process

500 SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

9C85.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 9C85.exe

pid	process
3024

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	9C85.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe

Suspicious behavior: EnumeratesProcesses 432 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe

pid	process
500	SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
500	SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe

pid process

500 SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9C85.exe

description pid process

Token: SeShutdownPrivilege 2252 9C85.exe

description	pid	process
Token: SeShutdownPrivilege	2252	9C85.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

description	pid	target process
PID 3024 wrote to memory of 2920	3024	99B5.exe
PID 3024 wrote to memory of 2920	3024	99B5.exe
PID 3024 wrote to memory of 2920	3024	99B5.exe
PID 3024 wrote to memory of 2252	3024	9C85.exe
PID 3024 wrote to memory of 2252	3024	9C85.exe
PID 3024 wrote to memory of 2252	3024	9C85.exe
PID 3024 wrote to memory of 208	3024	A502.exe
PID 3024 wrote to memory of 208	3024	A502.exe
PID 3024 wrote to memory of 208	3024	A502.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:500

C:\Users\Admin\AppData\Local\Temp\99B5.exe
C:\Users\Admin\AppData\Local\Temp\99B5.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Users\Admin\AppData\Local\Temp\9C85.exe
C:\Users\Admin\AppData\Local\Temp\9C85.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Users\Admin\AppData\Local\Temp\A502.exe
C:\Users\Admin\AppData\Local\Temp\A502.exe
1⤵
- Executes dropped EXE
PID:208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99B5.exe
MD5
57a9c6d1f80eec2792d26d5903a9228b

SHA1
15455de7cb21d125651d9cf88b23af2953bfa96f

SHA256
b33cc87f7974c98429bcf0396527bb81c97bb11eb143257e9e1196d685949120

SHA512
0f1b1e42bba286c6b5d08571c97d770c287eff5249acef52809640a0e55a67711331e5adaaa6dae89ea16e817f29fd59da2bf0ff66864f53279cb834f112a280

Download Submit
C:\Users\Admin\AppData\Local\Temp\99B5.exe
MD5
57a9c6d1f80eec2792d26d5903a9228b

SHA1
15455de7cb21d125651d9cf88b23af2953bfa96f

SHA256
b33cc87f7974c98429bcf0396527bb81c97bb11eb143257e9e1196d685949120

SHA512
0f1b1e42bba286c6b5d08571c97d770c287eff5249acef52809640a0e55a67711331e5adaaa6dae89ea16e817f29fd59da2bf0ff66864f53279cb834f112a280

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C85.exe
MD5
aff43b3464d6aea75d486c1618112476

SHA1
ad4e1033d4967b1d0adcae003e8f920f4114893f

SHA256
c86df483c8fe3b4ba65b3bc4d8c355a075b4264f62f952847cf6a2c6ddcdc311

SHA512
804631caf878cccf2c8a8987134b13074c5e70c5cea8516c11cbdf156029b9c4aa9e9c76f55f3a7a86e49fd0186fdcb702012bc09002d6c66158aca95e2585e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C85.exe
MD5
aff43b3464d6aea75d486c1618112476

SHA1
ad4e1033d4967b1d0adcae003e8f920f4114893f

SHA256
c86df483c8fe3b4ba65b3bc4d8c355a075b4264f62f952847cf6a2c6ddcdc311

SHA512
804631caf878cccf2c8a8987134b13074c5e70c5cea8516c11cbdf156029b9c4aa9e9c76f55f3a7a86e49fd0186fdcb702012bc09002d6c66158aca95e2585e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A502.exe
MD5
f5231eea86abc6f1b83a7df7b1768bfd

SHA1
f5472cebe3176794d8dc57b6a138649ca2068c32

SHA256
9f72c6acbee23bf4f813dc6afaf9abf4aac384ad64685846e6f0162291e7dc07

SHA512
0d415e132a33485adfd6c55466115e1ccba0ac08c3b408ab642190044146564c036fb5aa8cd75b5be621327c916d6b3653c5ba97aedf68e8a74b3a4d8d35ac0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A502.exe
MD5
f5231eea86abc6f1b83a7df7b1768bfd

SHA1
f5472cebe3176794d8dc57b6a138649ca2068c32

SHA256
9f72c6acbee23bf4f813dc6afaf9abf4aac384ad64685846e6f0162291e7dc07

SHA512
0d415e132a33485adfd6c55466115e1ccba0ac08c3b408ab642190044146564c036fb5aa8cd75b5be621327c916d6b3653c5ba97aedf68e8a74b3a4d8d35ac0b

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/208-20-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/208-19-0x0000000004E96000-0x0000000004E97000-memory.dmp

Filesize
4KB

Download
memory/208-16-0x0000000000000000-mapping.dmp

Download
memory/500-2-0x0000000004DD6000-0x0000000004DD7000-memory.dmp

Filesize
4KB

Download
memory/500-3-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/2252-11-0x0000000000000000-mapping.dmp

Download
memory/2252-14-0x0000000004FE5000-0x0000000004FE6000-memory.dmp

Filesize
4KB

Download
memory/2252-15-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/2920-6-0x0000000000000000-mapping.dmp

Download
memory/2920-10-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/2920-9-0x0000000004F06000-0x0000000004F07000-memory.dmp

Filesize
4KB

Download
memory/3024-5-0x0000000001030000-0x0000000001046000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads