smokeloader | 178fb69c394a6d86a3695acbb025bc2f3be31dea683ee6e5016af0566eef8111

General

Target

load.exe
Size

284KB
MD5

5ed271e10ba37319d01d44acd33489a7
SHA1

7130a850b50d5fccc1401f57ad95cac863a02062
SHA256

178fb69c394a6d86a3695acbb025bc2f3be31dea683ee6e5016af0566eef8111
SHA512

882d1adf9f2513d5578a72dcc50f0ef510def30c2c1ed0af5f051752e299a72be79c48660038aa852a39007c8286c6ea2ba2886cf0d8e4a859573faedf1ca27f

Score

10^/10

smokeloader backdoor discovery trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://jibw.top/

http://lakf.top/

http://yapv.top/

http://pqdb.top/

http://bpqx.top/

http://gyuw.top/

http://vafc.top/

http://qgam.top/

http://viio.top/

http://chpp.top/

http://csji.top/

http://xxql.top/

http://vtxa.top/

http://ggoz.top/

http://crpa.top/

http://vuss.top/

http://coal.top/

http://fymm.top/

http://roaf.top/

http://aeus.top/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

D8D2.exeD8D2.tmp

pid process

348 D8D2.exe
820 D8D2.tmp
Deletes itself 1 IoCs

Processes:

pid process

1260
Loads dropped DLL 3 IoCs

Processes:

load.exeD8D2.exeD8D2.tmp

pid process

1932 load.exe
348 D8D2.exe
820 D8D2.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
348	D8D2.exe
820	D8D2.tmp

pid	process
1260

Drops file in Program Files directory 64 IoCs

Processes:

D8D2.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\Tools\swscale-4.dll	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnRec.exe	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-EP3ER.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\is-N1JHU.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\is-SQNU0.tmp	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\Tools\avdevice-57.dll	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\fonts\is-5B6HQ.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-3L07K.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-08JML.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\Tools\is-1D4D8.tmp	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\libeay32MD.dll	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\ScnRec.dll	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\Tools\ffmpeg.exe	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\is-U2NCA.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-T2B2L.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-7OLFG.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-Q3T27.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\is-I4RLI.tmp	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\avutil-55.dll	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\is-1T038.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-L9J46.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-07NVF.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-1QQPO.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\is-KQL50.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\is-M6IHV.tmp	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\Tools\swresample-2.dll	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-CB0NK.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-06B9D.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-MM8PM.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-B3I0E.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\is-UKSJE.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\Tools\is-2G7H1.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-NKJHV.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-EPKUN.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-6R0SL.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-PICBK.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\is-DC13B.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-INDQB.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-MCGJL.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\Tools\is-FBS9I.tmp	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\Tools\avformat-57.dll	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\ssleay32MD.dll	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\is-CTA11.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-A2T9E.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-ELRAR.tmp	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\unins000.dat	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-K5RPP.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\is-3CF94.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\is-VLQ2T.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\Tools\is-POE0I.tmp	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\unins000.exe	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\unins000.dat	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-CO70O.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-L4DBM.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-R201L.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-9HJTH.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-JJO6A.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\Tools\is-P0NSS.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-FHQTV.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\ScnLib.DLLs\is-U9KGM.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-A2PNH.tmp	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\Tools\is-CQF8A.tmp	D8D2.tmp
File opened for modification	C:\Program Files (x86)\ZD Soft\Screen Recorder\htmlayout.dll	D8D2.tmp
File created	C:\Program Files (x86)\ZD Soft\Screen Recorder\images\is-S85UG.tmp	D8D2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

load.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	load.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	load.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	load.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

load.exe

pid	process
1932	load.exe
1932	load.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

load.exe

pid process

1932 load.exe
1260
1260
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1260
Token: SeShutdownPrivilege 1260
Token: SeShutdownPrivilege 1260
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

D8D2.tmp

pid process

1260
1260
1260
1260
820 D8D2.tmp
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1260
1260
1260
1260
1260
1260

description	pid	process
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260

pid	process
1260
1260
1260
1260
820	D8D2.tmp

pid	process
1260
1260
1260
1260
1260
1260

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

D8D2.exe

description	pid	process	target process
PID 1260 wrote to memory of 348	1260		D8D2.exe
PID 1260 wrote to memory of 348	1260		D8D2.exe
PID 1260 wrote to memory of 348	1260		D8D2.exe
PID 1260 wrote to memory of 348	1260		D8D2.exe
PID 1260 wrote to memory of 348	1260		D8D2.exe
PID 1260 wrote to memory of 348	1260		D8D2.exe
PID 1260 wrote to memory of 348	1260		D8D2.exe
PID 1260 wrote to memory of 1124	1260		explorer.exe
PID 1260 wrote to memory of 1124	1260		explorer.exe
PID 1260 wrote to memory of 1124	1260		explorer.exe
PID 1260 wrote to memory of 1124	1260		explorer.exe
PID 1260 wrote to memory of 1124	1260		explorer.exe
PID 348 wrote to memory of 820	348	D8D2.exe	D8D2.tmp
PID 348 wrote to memory of 820	348	D8D2.exe	D8D2.tmp
PID 348 wrote to memory of 820	348	D8D2.exe	D8D2.tmp
PID 348 wrote to memory of 820	348	D8D2.exe	D8D2.tmp
PID 348 wrote to memory of 820	348	D8D2.exe	D8D2.tmp
PID 348 wrote to memory of 820	348	D8D2.exe	D8D2.tmp
PID 348 wrote to memory of 820	348	D8D2.exe	D8D2.tmp

C:\Users\Admin\AppData\Local\Temp\load.exe
"C:\Users\Admin\AppData\Local\Temp\load.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1932

C:\Users\Admin\AppData\Local\Temp\D8D2.exe
C:\Users\Admin\AppData\Local\Temp\D8D2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348
- C:\Users\Admin\AppData\Local\Temp\is-L5LVR.tmp\D8D2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-L5LVR.tmp\D8D2.tmp" /SL5="$3011A,6439171,58368,C:\Users\Admin\AppData\Local\Temp\D8D2.exe" /verysilent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:820

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ZD Soft Screen Recorder.lnk

MD5
6cb0d4cde191eb78b444e987d5b8096a

SHA1
fb59825e78e17fea15575fec93e9b89941eef5db

SHA256
1aca1709ed164e831b4c162d5380d6cd027de437a935147d7605083245b53069

SHA512
27635b72263ae09d1064a8fb82759c2265d04e7275ad8b2e6337326855e180083ccf046009801334180e39d9cd05fc1f0d33d70ca8f7f231e7801d55195bb998

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8D2.exe

MD5
549eed1aa97ce24f9aa8c146fd7908e6

SHA1
6a70b105331cd3d58e1dea49c14ecef656c5656f

SHA256
75bc9d1bcf53fcf30be16eff38359d7b78de07c3ada0c5d97e65f9d6926d398c

SHA512
33306f0daca755c7217c8685b8b47ea107e556ca244a1be20a09c3fc976b74cd91b4d3adaf4ab85996ecec18b086b316efdf20584a311ffe6be9d54cd5add2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8D2.exe

MD5
549eed1aa97ce24f9aa8c146fd7908e6

SHA1
6a70b105331cd3d58e1dea49c14ecef656c5656f

SHA256
75bc9d1bcf53fcf30be16eff38359d7b78de07c3ada0c5d97e65f9d6926d398c

SHA512
33306f0daca755c7217c8685b8b47ea107e556ca244a1be20a09c3fc976b74cd91b4d3adaf4ab85996ecec18b086b316efdf20584a311ffe6be9d54cd5add2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L5LVR.tmp\D8D2.tmp

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
\??\c:\users\admin\appdata\local\temp\is-l5lvr.tmp\d8d2.tmp

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
\Program Files (x86)\ZD Soft\Screen Recorder\ScnRec.exe

MD5
593944aef09e7d3a27423317f6f55134

SHA1
a428f9b33b8fabde1dcae53bcd83f95d980604b2

SHA256
0db8d1c9753e8dad4e6db5424ce7429240b19490891e98c133214ccefc72aa76

SHA512
e4d99f0dff720870d7c90fdeab8a5f5ee1e7c27f56b0a40da1827ea87101462c6d900848ebb29d5409919ab68e88185cfa0a92ce8614e77cbdfa51b0a8442320

Download Submit
\Users\Admin\AppData\Local\Temp\1F19.tmp

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\is-L5LVR.tmp\D8D2.tmp

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
memory/348-21-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/348-8-0x0000000000000000-mapping.dmp

Download
memory/820-15-0x0000000000000000-mapping.dmp

Download
memory/820-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1124-12-0x0000000000000000-mapping.dmp

Download
memory/1124-18-0x00000000741E1000-0x00000000741E3000-memory.dmp

Filesize
8KB

Download
memory/1124-23-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/1124-24-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1260-7-0x0000000003670000-0x0000000003686000-memory.dmp

Filesize
88KB

Download
memory/1932-6-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1932-2-0x0000000000B10000-0x0000000000B21000-memory.dmp

Filesize
68KB

Download
memory/1932-5-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/1932-3-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads