smokeloader | 16e3380b11358d44b7e1e4cc6ee7ce80ef204321b731a550527375388703163d

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7v20210410
submitted
19-04-2021 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1becb08dedbea5de2524e5ade9918de5.exe
Size

257KB
MD5

1becb08dedbea5de2524e5ade9918de5
SHA1

c01c30ec405b0889c0b2820fda05c77ac6d210c8
SHA256

16e3380b11358d44b7e1e4cc6ee7ce80ef204321b731a550527375388703163d
SHA512

a02575212f9e247ec6f04d2c325f13d27c82ca103001ae5ab3b8eca41a0e4513cf92c0255c2cf85b9e6bdd4f6e1c2a34bb52e32d99bc670c0337bc88efbc29b2

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://smbproperty.ru/

http://gmbshop.ru/

http://baksproperty.gov.ug/

http://magistralpsw.ru/

http://mpmanagertzz.ru/

http://powerglasspot.ru/

http://autopartswarehouses.ru/

http://memoloves.ru/

http://alfavanilin.ru/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 1 IoCs

Processes:

heetigs

pid process

1052 heetigs
Deletes itself 1 IoCs

Processes:

pid process

1248
Loads dropped DLL 6 IoCs

Processes:

1becb08dedbea5de2524e5ade9918de5.exeWerFault.exe

pid process

1096 1becb08dedbea5de2524e5ade9918de5.exe
1464 WerFault.exe
1464 WerFault.exe
1464 WerFault.exe
1464 WerFault.exe
1464 WerFault.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1464 1052 WerFault.exe heetigs

pid	process
1052	heetigs

pid	process
1248

pid	pid_target	process	target process
1464	1052	WerFault.exe	heetigs

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1becb08dedbea5de2524e5ade9918de5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1becb08dedbea5de2524e5ade9918de5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1becb08dedbea5de2524e5ade9918de5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1becb08dedbea5de2524e5ade9918de5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1becb08dedbea5de2524e5ade9918de5.exe

pid	process
1096	1becb08dedbea5de2524e5ade9918de5.exe
1096	1becb08dedbea5de2524e5ade9918de5.exe
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1248
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1becb08dedbea5de2524e5ade9918de5.exe

pid process

1096 1becb08dedbea5de2524e5ade9918de5.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1464 WerFault.exe
Token: SeShutdownPrivilege 1248
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

1248
1248
1248
1248
1248
1248
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1248
1248
1248
1248

pid	process
1248

description	pid	process
Token: SeDebugPrivilege	1464	WerFault.exe
Token: SeShutdownPrivilege	1248

pid	process
1248
1248
1248
1248
1248
1248

pid	process
1248
1248
1248
1248

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

taskeng.exeheetigs

description	pid	process	target process
PID 368 wrote to memory of 1052	368	taskeng.exe	heetigs
PID 368 wrote to memory of 1052	368	taskeng.exe	heetigs
PID 368 wrote to memory of 1052	368	taskeng.exe	heetigs
PID 368 wrote to memory of 1052	368	taskeng.exe	heetigs
PID 1052 wrote to memory of 1464	1052	heetigs	WerFault.exe
PID 1052 wrote to memory of 1464	1052	heetigs	WerFault.exe
PID 1052 wrote to memory of 1464	1052	heetigs	WerFault.exe
PID 1052 wrote to memory of 1464	1052	heetigs	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1becb08dedbea5de2524e5ade9918de5.exe
"C:\Users\Admin\AppData\Local\Temp\1becb08dedbea5de2524e5ade9918de5.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1096

C:\Windows\system32\taskeng.exe
taskeng.exe {AC7C60FD-1233-464E-A5FF-ABEA6076343B} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Roaming\heetigs
C:\Users\Admin\AppData\Roaming\heetigs
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 124
3⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9419.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
C:\Users\Admin\AppData\Roaming\heetigs
MD5
1becb08dedbea5de2524e5ade9918de5

SHA1
c01c30ec405b0889c0b2820fda05c77ac6d210c8

SHA256
16e3380b11358d44b7e1e4cc6ee7ce80ef204321b731a550527375388703163d

SHA512
a02575212f9e247ec6f04d2c325f13d27c82ca103001ae5ab3b8eca41a0e4513cf92c0255c2cf85b9e6bdd4f6e1c2a34bb52e32d99bc670c0337bc88efbc29b2

Download Submit
C:\Users\Admin\AppData\Roaming\heetigs
MD5
1becb08dedbea5de2524e5ade9918de5

SHA1
c01c30ec405b0889c0b2820fda05c77ac6d210c8

SHA256
16e3380b11358d44b7e1e4cc6ee7ce80ef204321b731a550527375388703163d

SHA512
a02575212f9e247ec6f04d2c325f13d27c82ca103001ae5ab3b8eca41a0e4513cf92c0255c2cf85b9e6bdd4f6e1c2a34bb52e32d99bc670c0337bc88efbc29b2

Download Submit
\Users\Admin\AppData\Local\Temp\9419.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Roaming\heetigs
MD5
1becb08dedbea5de2524e5ade9918de5

SHA1
c01c30ec405b0889c0b2820fda05c77ac6d210c8

SHA256
16e3380b11358d44b7e1e4cc6ee7ce80ef204321b731a550527375388703163d

SHA512
a02575212f9e247ec6f04d2c325f13d27c82ca103001ae5ab3b8eca41a0e4513cf92c0255c2cf85b9e6bdd4f6e1c2a34bb52e32d99bc670c0337bc88efbc29b2

Download Submit
\Users\Admin\AppData\Roaming\heetigs
MD5
1becb08dedbea5de2524e5ade9918de5

SHA1
c01c30ec405b0889c0b2820fda05c77ac6d210c8

SHA256
16e3380b11358d44b7e1e4cc6ee7ce80ef204321b731a550527375388703163d

SHA512
a02575212f9e247ec6f04d2c325f13d27c82ca103001ae5ab3b8eca41a0e4513cf92c0255c2cf85b9e6bdd4f6e1c2a34bb52e32d99bc670c0337bc88efbc29b2

Download Submit
\Users\Admin\AppData\Roaming\heetigs
MD5
1becb08dedbea5de2524e5ade9918de5

SHA1
c01c30ec405b0889c0b2820fda05c77ac6d210c8

SHA256
16e3380b11358d44b7e1e4cc6ee7ce80ef204321b731a550527375388703163d

SHA512
a02575212f9e247ec6f04d2c325f13d27c82ca103001ae5ab3b8eca41a0e4513cf92c0255c2cf85b9e6bdd4f6e1c2a34bb52e32d99bc670c0337bc88efbc29b2

Download Submit
\Users\Admin\AppData\Roaming\heetigs
MD5
1becb08dedbea5de2524e5ade9918de5

SHA1
c01c30ec405b0889c0b2820fda05c77ac6d210c8

SHA256
16e3380b11358d44b7e1e4cc6ee7ce80ef204321b731a550527375388703163d

SHA512
a02575212f9e247ec6f04d2c325f13d27c82ca103001ae5ab3b8eca41a0e4513cf92c0255c2cf85b9e6bdd4f6e1c2a34bb52e32d99bc670c0337bc88efbc29b2

Download Submit
\Users\Admin\AppData\Roaming\heetigs
MD5
1becb08dedbea5de2524e5ade9918de5

SHA1
c01c30ec405b0889c0b2820fda05c77ac6d210c8

SHA256
16e3380b11358d44b7e1e4cc6ee7ce80ef204321b731a550527375388703163d

SHA512
a02575212f9e247ec6f04d2c325f13d27c82ca103001ae5ab3b8eca41a0e4513cf92c0255c2cf85b9e6bdd4f6e1c2a34bb52e32d99bc670c0337bc88efbc29b2

Download Submit
memory/1052-65-0x0000000000000000-mapping.dmp

Download
memory/1052-71-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1096-61-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/1096-62-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1096-59-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1248-63-0x00000000024E0000-0x00000000024F6000-memory.dmp

Filesize
88KB

Download
memory/1464-69-0x0000000000000000-mapping.dmp

Download
memory/1464-77-0x00000000003B0000-0x000000000041D000-memory.dmp

Filesize
436KB

Download