smokeloader | a9db37183a4d7898d4ef820075d9fb5cdef55b47644cc5465b5e012c9a52b2fe

Resubmissions

08-07-2021 11:17

210708-5s29gx8mxn 10

08-07-2021 11:17

210708-lndt9d354a 10

Analysis

max time kernel
167s
max time network
193s
platform
windows7_x64
resource
win7v20210408
submitted
08-07-2021 11:17

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

0x00030000000130db-122.exe
Size

345KB
MD5

c6f791cdb3ec5ab080f0d84e9cb1d4eb
SHA1

d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf
SHA256

d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414
SHA512

d41134a4b310d5e640240c1083a39e4e0ffa5c025287060a9cdd94be67a877e6e88f8d85cb6ceca432bdc3de19e95465a560642fb119820105141bd9c57a0d30

Score

10^/10

smokeloader backdoor bootkit discovery persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

4135.exe457A.exe4135.exe

pid process

1304 4135.exe
608 457A.exe
1340 4135.exe
Deletes itself 1 IoCs

Processes:

pid process

1208
Loads dropped DLL 2 IoCs

Processes:

0x00030000000130db-122.exe4135.exe

pid process

1036 0x00030000000130db-122.exe
1304 4135.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

856 icacls.exe

pid	process
1304	4135.exe
608	457A.exe
1340	4135.exe

pid	process
1208

pid	process
856	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4135.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\71884577-c933-4cd1-96db-ae7526e5c250\\4135.exe\" --AutoStart"	4135.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 api.2ip.ua
33 api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

457A.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 457A.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

4135.exe

description pid process target process

PID 1304 set thread context of 1340 1304 4135.exe 4135.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
32	api.2ip.ua
33	api.2ip.ua

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	457A.exe

description	pid	process	target process
PID 1304 set thread context of 1340	1304	4135.exe	4135.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0x00030000000130db-122.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x00030000000130db-122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x00030000000130db-122.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x00030000000130db-122.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4135.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4135.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4135.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4135.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0x00030000000130db-122.exe

pid	process
1036	0x00030000000130db-122.exe
1036	0x00030000000130db-122.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1208
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0x00030000000130db-122.exe

pid process

1036 0x00030000000130db-122.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

457A.exe

description pid process

Token: SeShutdownPrivilege 608 457A.exe
Token: SeShutdownPrivilege 1208
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

1208
1208
1208
1208
1208
1208
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1208
1208
1208
1208

pid	process
1208

description	pid	process
Token: SeShutdownPrivilege	608	457A.exe
Token: SeShutdownPrivilege	1208

pid	process
1208
1208
1208
1208
1208
1208

pid	process
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

4135.exe4135.exe

description	pid	process	target process
PID 1208 wrote to memory of 1304	1208		4135.exe
PID 1208 wrote to memory of 1304	1208		4135.exe
PID 1208 wrote to memory of 1304	1208		4135.exe
PID 1208 wrote to memory of 1304	1208		4135.exe
PID 1208 wrote to memory of 608	1208		457A.exe
PID 1208 wrote to memory of 608	1208		457A.exe
PID 1208 wrote to memory of 608	1208		457A.exe
PID 1208 wrote to memory of 608	1208		457A.exe
PID 1304 wrote to memory of 1340	1304	4135.exe	4135.exe
PID 1304 wrote to memory of 1340	1304	4135.exe	4135.exe
PID 1304 wrote to memory of 1340	1304	4135.exe	4135.exe
PID 1304 wrote to memory of 1340	1304	4135.exe	4135.exe
PID 1304 wrote to memory of 1340	1304	4135.exe	4135.exe
PID 1304 wrote to memory of 1340	1304	4135.exe	4135.exe
PID 1304 wrote to memory of 1340	1304	4135.exe	4135.exe
PID 1304 wrote to memory of 1340	1304	4135.exe	4135.exe
PID 1304 wrote to memory of 1340	1304	4135.exe	4135.exe
PID 1304 wrote to memory of 1340	1304	4135.exe	4135.exe
PID 1304 wrote to memory of 1340	1304	4135.exe	4135.exe
PID 1340 wrote to memory of 856	1340	4135.exe	icacls.exe
PID 1340 wrote to memory of 856	1340	4135.exe	icacls.exe
PID 1340 wrote to memory of 856	1340	4135.exe	icacls.exe
PID 1340 wrote to memory of 856	1340	4135.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\0x00030000000130db-122.exe
"C:\Users\Admin\AppData\Local\Temp\0x00030000000130db-122.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1036

C:\Users\Admin\AppData\Local\Temp\4135.exe
C:\Users\Admin\AppData\Local\Temp\4135.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\4135.exe
C:\Users\Admin\AppData\Local\Temp\4135.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\71884577-c933-4cd1-96db-ae7526e5c250" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:856

C:\Users\Admin\AppData\Local\Temp\457A.exe
C:\Users\Admin\AppData\Local\Temp\457A.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\71884577-c933-4cd1-96db-ae7526e5c250\4135.exe
MD5
f0421b2335ea520451e75323cece62b8

SHA1
7310be548b147d5d271f69656747df317c968096

SHA256
831ff9deb7879043e0d5851f8e2ddb4d0ac0a20ef70ce9945d6a3a5a3a64b014

SHA512
1a501017d06046e32609e11ebb09927550110d10e16a9796c82375356822c79fc8f725c5915c7608d1ca19d22dfc6f54e2699297914b382a9374903ced7c895b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4135.exe
MD5
f0421b2335ea520451e75323cece62b8

SHA1
7310be548b147d5d271f69656747df317c968096

SHA256
831ff9deb7879043e0d5851f8e2ddb4d0ac0a20ef70ce9945d6a3a5a3a64b014

SHA512
1a501017d06046e32609e11ebb09927550110d10e16a9796c82375356822c79fc8f725c5915c7608d1ca19d22dfc6f54e2699297914b382a9374903ced7c895b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4135.exe
MD5
f0421b2335ea520451e75323cece62b8

SHA1
7310be548b147d5d271f69656747df317c968096

SHA256
831ff9deb7879043e0d5851f8e2ddb4d0ac0a20ef70ce9945d6a3a5a3a64b014

SHA512
1a501017d06046e32609e11ebb09927550110d10e16a9796c82375356822c79fc8f725c5915c7608d1ca19d22dfc6f54e2699297914b382a9374903ced7c895b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4135.exe
MD5
f0421b2335ea520451e75323cece62b8

SHA1
7310be548b147d5d271f69656747df317c968096

SHA256
831ff9deb7879043e0d5851f8e2ddb4d0ac0a20ef70ce9945d6a3a5a3a64b014

SHA512
1a501017d06046e32609e11ebb09927550110d10e16a9796c82375356822c79fc8f725c5915c7608d1ca19d22dfc6f54e2699297914b382a9374903ced7c895b

Download Submit
C:\Users\Admin\AppData\Local\Temp\457A.exe
MD5
65759d5e6fe84a0238e13e6dedc02e14

SHA1
e07d633956a0e030e1cfe64fa5afdcdbf0ce0f3c

SHA256
b8debf7088c6d6ae353deebf48cbce445ecee4dad2860706239a924ce82d5cbf

SHA512
00187b7fa302492b3a2abc9d289ba6f8266a09d4a053538c4fb1f709628bf48176aa287993d5c28d36de6fd64dab258b238b19e60d8179ea08f3fedbacfcb79a

Download Submit
\Users\Admin\AppData\Local\Temp\4135.exe
MD5
f0421b2335ea520451e75323cece62b8

SHA1
7310be548b147d5d271f69656747df317c968096

SHA256
831ff9deb7879043e0d5851f8e2ddb4d0ac0a20ef70ce9945d6a3a5a3a64b014

SHA512
1a501017d06046e32609e11ebb09927550110d10e16a9796c82375356822c79fc8f725c5915c7608d1ca19d22dfc6f54e2699297914b382a9374903ced7c895b

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/608-66-0x0000000000000000-mapping.dmp

Download
memory/608-78-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/608-77-0x0000000000710000-0x000000000077B000-memory.dmp

Filesize
428KB

Download
memory/856-79-0x0000000000000000-mapping.dmp

Download
memory/1036-62-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download
memory/1036-59-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1036-61-0x00000000003A0000-0x00000000003A9000-memory.dmp

Filesize
36KB

Download
memory/1208-63-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

Filesize
88KB

Download
memory/1304-64-0x0000000000000000-mapping.dmp

Download
memory/1304-73-0x0000000001E00000-0x0000000001F1B000-memory.dmp

Filesize
1.1MB

Download
memory/1340-70-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1340-75-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1340-71-0x0000000000424141-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads