smokeloader | 9266b7e06934a2c37355df644d5fb7cbc94d013059ce03e8beeeb961bb529720

General

Target

2021ME04LO14.doc
Size

1.2MB
MD5

a7efdf6b05f75d87da78ebac5d8ec871
SHA1

8e15570191d6a989809d77f5759d4196c5675f57
SHA256

9266b7e06934a2c37355df644d5fb7cbc94d013059ce03e8beeeb961bb529720
SHA512

c973d523fed53fe50a25a46a5eba077db21cea853b955ddf6d5e8240bbc5ffea41322bdcd3f2c5ff9153edc2f437022e638ce4ce80dbfa84a01e3c6acb384f4e

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://melonco.com/0/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1308 EQNEDT32.EXE
8 1308 EQNEDT32.EXE
10 1308 EQNEDT32.EXE
Executes dropped EXE 1 IoCs

Processes:

69577.exe

pid process

1216 69577.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1308 EQNEDT32.EXE
1308 EQNEDT32.EXE

flow	pid	process
6	1308	EQNEDT32.EXE
8	1308	EQNEDT32.EXE
10	1308	EQNEDT32.EXE

pid	process
1216	69577.exe

pid	process
1308	EQNEDT32.EXE
1308	EQNEDT32.EXE

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

69577.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	69577.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	69577.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1308 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1308	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1776 WINWORD.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

69577.exe

pid process

1216 69577.exe
1216 69577.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1776 WINWORD.EXE
1776 WINWORD.EXE

pid	process
1776	WINWORD.EXE

pid	process
1216	69577.exe
1216	69577.exe

pid	process
1776	WINWORD.EXE
1776	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXE

description	pid	process	target process
PID 1776 wrote to memory of 1976	1776	WINWORD.EXE	splwow64.exe
PID 1776 wrote to memory of 1976	1776	WINWORD.EXE	splwow64.exe
PID 1776 wrote to memory of 1976	1776	WINWORD.EXE	splwow64.exe
PID 1776 wrote to memory of 1976	1776	WINWORD.EXE	splwow64.exe
PID 1308 wrote to memory of 1216	1308	EQNEDT32.EXE	69577.exe
PID 1308 wrote to memory of 1216	1308	EQNEDT32.EXE	69577.exe
PID 1308 wrote to memory of 1216	1308	EQNEDT32.EXE	69577.exe
PID 1308 wrote to memory of 1216	1308	EQNEDT32.EXE	69577.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2021ME04LO14.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1976

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Public\69577.exe
"C:\Users\Public\69577.exe"
2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\69577.exe
MD5
7baa6cea4b9b1b0f66ffb2b9d93d53a4

SHA1
102d149736c11dc870886dc7e2c815478f5edb53

SHA256
8d27b92f0d5ee664cc8801c64cb090034fc42cdede43f96a638420e183ffc73a

SHA512
bbdfae542dbd5cda2e31fb3e9bcdc9705935a93efa1d4b133fd72430d042da2a216ff328865366dbebc5873d2ec46d8e1187b6644bcc5ac277ab6f34bba33c21

Download Submit
\Users\Public\69577.exe
MD5
7baa6cea4b9b1b0f66ffb2b9d93d53a4

SHA1
102d149736c11dc870886dc7e2c815478f5edb53

SHA256
8d27b92f0d5ee664cc8801c64cb090034fc42cdede43f96a638420e183ffc73a

SHA512
bbdfae542dbd5cda2e31fb3e9bcdc9705935a93efa1d4b133fd72430d042da2a216ff328865366dbebc5873d2ec46d8e1187b6644bcc5ac277ab6f34bba33c21

Download Submit
\Users\Public\69577.exe
MD5
7baa6cea4b9b1b0f66ffb2b9d93d53a4

SHA1
102d149736c11dc870886dc7e2c815478f5edb53

SHA256
8d27b92f0d5ee664cc8801c64cb090034fc42cdede43f96a638420e183ffc73a

SHA512
bbdfae542dbd5cda2e31fb3e9bcdc9705935a93efa1d4b133fd72430d042da2a216ff328865366dbebc5873d2ec46d8e1187b6644bcc5ac277ab6f34bba33c21

Download Submit
memory/1204-71-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1204-72-0x0000000002AA0000-0x0000000002AB5000-memory.dmp

Filesize
84KB

Download
memory/1216-68-0x0000000000000000-mapping.dmp

Download
memory/1308-65-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1776-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1776-60-0x0000000072491000-0x0000000072494000-memory.dmp

Filesize
12KB

Download
memory/1776-61-0x000000006FF11000-0x000000006FF13000-memory.dmp

Filesize
8KB

Download
memory/1776-73-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1976-63-0x0000000000000000-mapping.dmp

Download
memory/1976-64-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads