smokeloader | 3c3dad766a284f3fc74ae1727ef048534076b06756da7fde43802a90b0efeb86

Resubmissions

19-04-2021 06:32

210419-pzc59b8zd2 10

19-04-2021 06:21

210419-8mj9kyhtqe 10

Analysis

max time kernel
151s
max time network
119s
platform
windows7_x64
resource
win7v20210408
submitted
19-04-2021 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

рахунок № 00163-2021.js
Size

73KB
MD5

6faf0f67320408b8f5bfd9562f5ca6a6
SHA1

e67ef7d6424f45fb2f3fa6fb3a677e621f8eea05
SHA256

3c3dad766a284f3fc74ae1727ef048534076b06756da7fde43802a90b0efeb86
SHA512

0e0320d3c9429e49acd0a4cb666435325569cd637f0be6378908fb35035fdf3a3617a781b5607e4ca29219c263eec285ccfbf84f820da7570400490a1f09b9d1

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://smbproperty.ru/

http://gmbshop.ru/

http://baksproperty.gov.ug/

http://magistralpsw.ru/

http://mpmanagertzz.ru/

http://powerglasspot.ru/

http://autopartswarehouses.ru/

http://memoloves.ru/

http://alfavanilin.ru/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

6 484 wscript.exe
Executes dropped EXE 2 IoCs

Processes:

716956.datwejhtbv

pid process

532 716956.dat
288 wejhtbv
Loads dropped DLL 6 IoCs

Processes:

716956.datWerFault.exe

pid process

532 716956.dat
1552 WerFault.exe
1552 WerFault.exe
1552 WerFault.exe
1552 WerFault.exe
1552 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1552 288 WerFault.exe wejhtbv

flow	pid	process
6	484	wscript.exe

pid	pid_target	process	target process
1552	288	WerFault.exe	wejhtbv

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

716956.dat

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	716956.dat
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	716956.dat
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	716956.dat

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

716956.dat

pid	process
532	716956.dat
532	716956.dat
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1196
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

716956.dat

pid process

532 716956.dat
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1552 WerFault.exe
Token: SeShutdownPrivilege 1196
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

1196
1196
1196
1196
1196
1196
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1196
1196
1196
1196

pid	process
1196

description	pid	process
Token: SeDebugPrivilege	1552	WerFault.exe
Token: SeShutdownPrivilege	1196

pid	process
1196
1196
1196
1196
1196
1196

pid	process
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

wscript.exetaskeng.exewejhtbv

description	pid	process	target process
PID 484 wrote to memory of 532	484	wscript.exe	716956.dat
PID 484 wrote to memory of 532	484	wscript.exe	716956.dat
PID 484 wrote to memory of 532	484	wscript.exe	716956.dat
PID 484 wrote to memory of 532	484	wscript.exe	716956.dat
PID 624 wrote to memory of 288	624	taskeng.exe	wejhtbv
PID 624 wrote to memory of 288	624	taskeng.exe	wejhtbv
PID 624 wrote to memory of 288	624	taskeng.exe	wejhtbv
PID 624 wrote to memory of 288	624	taskeng.exe	wejhtbv
PID 288 wrote to memory of 1552	288	wejhtbv	WerFault.exe
PID 288 wrote to memory of 1552	288	wejhtbv	WerFault.exe
PID 288 wrote to memory of 1552	288	wejhtbv	WerFault.exe
PID 288 wrote to memory of 1552	288	wejhtbv	WerFault.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\рахунок № 00163-2021.js"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\716956.dat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\716956.dat
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:532

C:\Windows\system32\taskeng.exe
taskeng.exe {80AF527B-1CFD-4CBA-989F-DFA5EF30941F} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Roaming\wejhtbv
C:\Users\Admin\AppData\Roaming\wejhtbv
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 124
3⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9419.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\716956.dat
MD5
5597e91491519ec78b764fb657615529

SHA1
53081a84fcbcc5707881fd2f606812977770bfe1

SHA256
60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f

SHA512
e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\716956.dat
MD5
5597e91491519ec78b764fb657615529

SHA1
53081a84fcbcc5707881fd2f606812977770bfe1

SHA256
60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f

SHA512
e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2

Download Submit
C:\Users\Admin\AppData\Roaming\wejhtbv
MD5
5597e91491519ec78b764fb657615529

SHA1
53081a84fcbcc5707881fd2f606812977770bfe1

SHA256
60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f

SHA512
e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2

Download Submit
C:\Users\Admin\AppData\Roaming\wejhtbv
MD5
5597e91491519ec78b764fb657615529

SHA1
53081a84fcbcc5707881fd2f606812977770bfe1

SHA256
60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f

SHA512
e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2

Download Submit
\Users\Admin\AppData\Local\Temp\9419.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Roaming\wejhtbv
MD5
5597e91491519ec78b764fb657615529

SHA1
53081a84fcbcc5707881fd2f606812977770bfe1

SHA256
60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f

SHA512
e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2

Download Submit
\Users\Admin\AppData\Roaming\wejhtbv
MD5
5597e91491519ec78b764fb657615529

SHA1
53081a84fcbcc5707881fd2f606812977770bfe1

SHA256
60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f

SHA512
e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2

Download Submit
\Users\Admin\AppData\Roaming\wejhtbv
MD5
5597e91491519ec78b764fb657615529

SHA1
53081a84fcbcc5707881fd2f606812977770bfe1

SHA256
60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f

SHA512
e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2

Download Submit
\Users\Admin\AppData\Roaming\wejhtbv
MD5
5597e91491519ec78b764fb657615529

SHA1
53081a84fcbcc5707881fd2f606812977770bfe1

SHA256
60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f

SHA512
e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2

Download Submit
\Users\Admin\AppData\Roaming\wejhtbv
MD5
5597e91491519ec78b764fb657615529

SHA1
53081a84fcbcc5707881fd2f606812977770bfe1

SHA256
60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f

SHA512
e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2

Download Submit
memory/288-69-0x0000000000000000-mapping.dmp

Download
memory/288-74-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/532-65-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/532-64-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/532-62-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/532-60-0x0000000000000000-mapping.dmp

Download
memory/1196-66-0x0000000003BE0000-0x0000000003BF6000-memory.dmp

Filesize
88KB

Download
memory/1552-75-0x0000000000000000-mapping.dmp

Download
memory/1552-81-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download