smokeloader | 3c3dad766a284f3fc74ae1727ef048534076b06756da7fde43802a90b0efeb86

Resubmissions

19-04-2021 06:32

210419-pzc59b8zd2 10

19-04-2021 06:21

210419-8mj9kyhtqe 10

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10v20210410
submitted
19-04-2021 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

рахунок № 00163-2021.js
Size

73KB
MD5

6faf0f67320408b8f5bfd9562f5ca6a6
SHA1

e67ef7d6424f45fb2f3fa6fb3a677e621f8eea05
SHA256

3c3dad766a284f3fc74ae1727ef048534076b06756da7fde43802a90b0efeb86
SHA512

0e0320d3c9429e49acd0a4cb666435325569cd637f0be6378908fb35035fdf3a3617a781b5607e4ca29219c263eec285ccfbf84f820da7570400490a1f09b9d1

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://smbproperty.ru/

http://gmbshop.ru/

http://baksproperty.gov.ug/

http://magistralpsw.ru/

http://mpmanagertzz.ru/

http://powerglasspot.ru/

http://autopartswarehouses.ru/

http://memoloves.ru/

http://alfavanilin.ru/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

9 3892 wscript.exe
Executes dropped EXE 1 IoCs

Processes:

495746.dat

pid process

3128 495746.dat
Loads dropped DLL 1 IoCs

Processes:

495746.dat

pid process

3128 495746.dat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
9	3892	wscript.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

495746.dat

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	495746.dat
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	495746.dat
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	495746.dat

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

495746.dat

pid	process
3128	495746.dat
3128	495746.dat
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824
2824

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2824
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

495746.dat

pid process

3128 495746.dat
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2824

pid	process
2824

pid	process
2824

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 3892 wrote to memory of 3128	3892	wscript.exe	495746.dat
PID 3892 wrote to memory of 3128	3892	wscript.exe	495746.dat
PID 3892 wrote to memory of 3128	3892	wscript.exe	495746.dat

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\рахунок № 00163-2021.js"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\495746.dat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\495746.dat
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\495746.dat
MD5
5597e91491519ec78b764fb657615529

SHA1
53081a84fcbcc5707881fd2f606812977770bfe1

SHA256
60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f

SHA512
e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\495746.dat
MD5
5597e91491519ec78b764fb657615529

SHA1
53081a84fcbcc5707881fd2f606812977770bfe1

SHA256
60922af94a3c7adf6d040dc1bd4d465983a38bd2410c050bef27deda8ce2002f

SHA512
e0d6e9ac7971b4282c7583624538da1f884bd9e9a826d88af10af57e4245569b1d32a0753adbed961d969acba8361c6a5713a3f6a0dba0681898eb8c48a31ee2

Download Submit
\Users\Admin\AppData\Local\Temp\9419.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/2824-120-0x0000000000EF0000-0x0000000000F06000-memory.dmp

Filesize
88KB

Download
memory/3128-114-0x0000000000000000-mapping.dmp

Download
memory/3128-118-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3128-119-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download