smokeloader | 1f617db02129529020fcb97ddceab04c9234ba4339f1d27e24679e0ea708aa2d

General

Target

dab5cb3a_extracted.exe
Size

13KB
MD5

d32944081c256e418c96f098cf3ba2a1
SHA1

1b9ca30b52daefe9a289ca2fdf4ec6eeca4c4053
SHA256

1f617db02129529020fcb97ddceab04c9234ba4339f1d27e24679e0ea708aa2d
SHA512

9b37fd264633116e1f9dfd665d58c7fe218c5bcd68ecbd6604ccaaef206ef2b3b0b84b4aee7f66c2b9b8f6c18899aeda627798f244fee2922025c3b72ef1243a

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2017

C2

http://dogewareservice.ru/

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

1576 explorer.exe

pid	process
1576	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netscape = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\cgasstic\\wdevftfh.exe"	explorer.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dab5cb3a_extracted.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	dab5cb3a_extracted.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	dab5cb3a_extracted.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dab5cb3a_extracted.exe

pid	process
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe
3008	dab5cb3a_extracted.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

dab5cb3a_extracted.exe

pid process

3008 dab5cb3a_extracted.exe
3008 dab5cb3a_extracted.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dab5cb3a_extracted.exe

description	pid	process	target process
PID 3008 wrote to memory of 1576	3008	dab5cb3a_extracted.exe	explorer.exe
PID 3008 wrote to memory of 1576	3008	dab5cb3a_extracted.exe	explorer.exe
PID 3008 wrote to memory of 1576	3008	dab5cb3a_extracted.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\dab5cb3a_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\dab5cb3a_extracted.exe"
1⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
- Deletes itself
- Adds Run key to start application
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1576-3-0x0000000000000000-mapping.dmp

Download
memory/1576-5-0x0000000002DC0000-0x0000000002DCA000-memory.dmp

Filesize
40KB

Download
memory/1576-4-0x0000000000810000-0x0000000000C4F000-memory.dmp

Filesize
4.2MB

Download
memory/3008-2-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads