smokeloader | a7a2a4f56a6eda5df0d82dc1cf60eee82d3a8d16f2d746df037cdeaafaebcd5d

Reason

Machine shutdown

General

Target

E4B1.exe
Size

167KB
MD5

47838511727aae396e6269f03eca0166
SHA1

cd9f435fa188377177f892de5b97f37149878009
SHA256

a7a2a4f56a6eda5df0d82dc1cf60eee82d3a8d16f2d746df037cdeaafaebcd5d
SHA512

463462a1972f5f4d9c1ba25ce5ef75f15ebaec2fc4b314d58bb155207899519caf3c5b49122ae1eca67d89a08b7a29d16ce17df2d64a6ed8539d416344ed18a5

Score

10^/10

smokeloader tofsee backdoor bootkit persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://4zavr.com/upload/

http://zynds.com/upload/

http://atvua.com/upload/

http://detse.net/upload/

http://dsdett.com/upload/

http://dtabasee.com/upload/

http://yeronogles.monster/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 4 IoCs

Processes:

F670.exe197.exeDB9.exeedrthefx.exe

pid process

396 F670.exe
528 197.exe
1504 DB9.exe
616 edrthefx.exe
Deletes itself 1 IoCs

Processes:

pid process

1388
Loads dropped DLL 2 IoCs

Processes:

E4B1.exe197.exe

pid process

1968 E4B1.exe
528 197.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

F670.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 F670.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
396	F670.exe
528	197.exe
1504	DB9.exe
616	edrthefx.exe

pid	process
1388

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	F670.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

E4B1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E4B1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E4B1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E4B1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

E4B1.exe

pid	process
1968	E4B1.exe
1968	E4B1.exe
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

E4B1.exe

pid process

1968 E4B1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

F670.exe

description pid process

Token: SeShutdownPrivilege 396 F670.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1388
1388
1388
1388
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1388
1388
1388
1388

description	pid	process
Token: SeShutdownPrivilege	396	F670.exe

pid	process
1388
1388
1388
1388

pid	process
1388
1388
1388
1388

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

197.exe

description	pid	process	target process
PID 1388 wrote to memory of 396	1388		F670.exe
PID 1388 wrote to memory of 396	1388		F670.exe
PID 1388 wrote to memory of 396	1388		F670.exe
PID 1388 wrote to memory of 396	1388		F670.exe
PID 1388 wrote to memory of 528	1388		197.exe
PID 1388 wrote to memory of 528	1388		197.exe
PID 1388 wrote to memory of 528	1388		197.exe
PID 1388 wrote to memory of 528	1388		197.exe
PID 528 wrote to memory of 548	528	197.exe	cmd.exe
PID 528 wrote to memory of 548	528	197.exe	cmd.exe
PID 528 wrote to memory of 548	528	197.exe	cmd.exe
PID 528 wrote to memory of 548	528	197.exe	cmd.exe
PID 1388 wrote to memory of 1504	1388		DB9.exe
PID 1388 wrote to memory of 1504	1388		DB9.exe
PID 1388 wrote to memory of 1504	1388		DB9.exe
PID 1388 wrote to memory of 1504	1388		DB9.exe
PID 528 wrote to memory of 1240	528	197.exe	cmd.exe
PID 528 wrote to memory of 1240	528	197.exe	cmd.exe
PID 528 wrote to memory of 1240	528	197.exe	cmd.exe
PID 528 wrote to memory of 1240	528	197.exe	cmd.exe
PID 528 wrote to memory of 1076	528	197.exe	sc.exe
PID 528 wrote to memory of 1076	528	197.exe	sc.exe
PID 528 wrote to memory of 1076	528	197.exe	sc.exe
PID 528 wrote to memory of 1076	528	197.exe	sc.exe
PID 528 wrote to memory of 1164	528	197.exe	sc.exe
PID 528 wrote to memory of 1164	528	197.exe	sc.exe
PID 528 wrote to memory of 1164	528	197.exe	sc.exe
PID 528 wrote to memory of 1164	528	197.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\E4B1.exe
"C:\Users\Admin\AppData\Local\Temp\E4B1.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1968

C:\Users\Admin\AppData\Local\Temp\F670.exe
C:\Users\Admin\AppData\Local\Temp\F670.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Users\Admin\AppData\Local\Temp\197.exe
C:\Users\Admin\AppData\Local\Temp\197.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ryvrfltl\
2⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xrritctv.exe" C:\Windows\SysWOW64\ryvrfltl\
2⤵
PID:1240

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ryvrfltl binPath= "C:\Windows\SysWOW64\ryvrfltl\xrritctv.exe /d\"C:\Users\Admin\AppData\Local\Temp\197.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1076

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ryvrfltl "wifi internet conection"
2⤵
PID:1164

C:\Users\Admin\edrthefx.exe
"C:\Users\Admin\edrthefx.exe" /d"C:\Users\Admin\AppData\Local\Temp\197.exe" /e5503011400000005
2⤵
- Executes dropped EXE
PID:616

C:\Users\Admin\AppData\Local\Temp\DB9.exe
C:\Users\Admin\AppData\Local\Temp\DB9.exe
1⤵
- Executes dropped EXE
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1

T1050

Bootkit

1

T1067

Privilege Escalation

New Service

1

T1050

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\197.exe
MD5
777dbe0332fc35cd603eb43396066647

SHA1
8b84fa49f64406730c28bcfc0129b458e7971f81

SHA256
270ffd86c1968afba9c8c7054fbf2ef2e41e3c957152e791a1055223e36d92f5

SHA512
736b7e89247f1ca73c4f5ed2fb33a0033299916188aed674feee0ace7d0b232e642b0aa717cc52644b0b541f76a126e89e38d1040f3dec036a87962b39a40df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\197.exe
MD5
777dbe0332fc35cd603eb43396066647

SHA1
8b84fa49f64406730c28bcfc0129b458e7971f81

SHA256
270ffd86c1968afba9c8c7054fbf2ef2e41e3c957152e791a1055223e36d92f5

SHA512
736b7e89247f1ca73c4f5ed2fb33a0033299916188aed674feee0ace7d0b232e642b0aa717cc52644b0b541f76a126e89e38d1040f3dec036a87962b39a40df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB9.exe
MD5
648f0d37b65ec97fd1754d53d78a6a24

SHA1
ba9c8a94d83f66f93523345aa7fe266cf9769a0e

SHA256
894efce31cc70924a097c89b02eb544cb1303268b569f39ccbfba492d6c2b166

SHA512
e222e2ef11a00605575bc8431587f9e89dbd6c3579f43cd36c97527385c85e837f831a583ede7a4c3413f6c0c8ff2139c4b1e4821224c6e4f57eb5cd18fe8410

Download Submit
C:\Users\Admin\AppData\Local\Temp\F670.exe
MD5
4650e2d8019f6c388d2fc1b33964d423

SHA1
caad0ab0d25dc7b3b7cb815121a7f679e7e8fce4

SHA256
3697481365c7ab3f789488f443f27ddd8e63f605c3f8e202638665dfb583cda0

SHA512
bfd1ef24e073eeabe830a723797a2829effd54ab44dbfb39b493433fdeaed7c9a2a6191ba14c7cb4569c047588aa8e3049db641be0eab71f732d42f20388f44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrritctv.exe
MD5
346312f759cb0e00fe1b1f52f6b990cc

SHA1
d8d305766c2b0a41cd9733efe6c9c5f4bcc667e3

SHA256
033639ecdceacd63af792b9555b175911df4134b506e19b5a9a128a0006a2b8e

SHA512
42f5502a4d81696450190a2cf94666e87a70f8093cd284cae79b818f9405e0145f614f2628914fd55397c3c0f4a84ab8f648e1213e630589b1aaaa540a5f7dba

Download Submit
C:\Users\Admin\edrthefx.exe
MD5
cdb19afe5d93a453b017fd341d32b049

SHA1
ba861fcb7626c378c665db066d2b951215a3be6f

SHA256
2ff380c1dbdf4678ffa007f2c89db83cf429796c2c47b7ab14515e416bcd21ec

SHA512
147cc0ffb7fc264faf9b7d692b438f8bae7b7f31165ae71898c73decacf09f602b573ce1b5f65aaf2b89c0cf512c086d403563d3792db294cf1e7478a037a17c

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\edrthefx.exe
MD5
92dabe07dabe3e993164ca5edea34a96

SHA1
1f3e994bb2f4019624561dbe55ab474724e697a7

SHA256
c4bdd4973113f4ecb5e18191434a74c54777379293c0b61cc94c7f873383773a

SHA512
c8b9797078a04906649ca493bda21b11f4d363228aa8601d54618928a4634a84f47a8637856979da6f678415a61037d6998494041c1caf08cfb2ff7d5c0d7c42

Download Submit
memory/396-8-0x0000000000000000-mapping.dmp

Download
memory/396-10-0x0000000002D30000-0x0000000002D41000-memory.dmp

Filesize
68KB

Download
memory/396-13-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/396-12-0x0000000002C00000-0x0000000002C6B000-memory.dmp

Filesize
428KB

Download
memory/528-14-0x0000000000000000-mapping.dmp

Download
memory/528-16-0x0000000003100000-0x0000000003111000-memory.dmp

Filesize
68KB

Download
memory/528-23-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/528-24-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/548-19-0x0000000000000000-mapping.dmp

Download
memory/1076-26-0x0000000000000000-mapping.dmp

Download
memory/1164-31-0x0000000000000000-mapping.dmp

Download
memory/1240-22-0x0000000000000000-mapping.dmp

Download
memory/1388-7-0x00000000026E0000-0x00000000026F6000-memory.dmp

Filesize
88KB

Download
memory/1504-20-0x0000000000000000-mapping.dmp

Download
memory/1504-27-0x0000000000C20000-0x0000000000C31000-memory.dmp

Filesize
68KB

Download
memory/1504-29-0x0000000000AA0000-0x0000000000BBA000-memory.dmp

Filesize
1.1MB

Download
memory/1504-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1968-3-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1968-6-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1968-5-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/1968-2-0x0000000002E60000-0x0000000002E71000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads