smokeloader | a9db37183a4d7898d4ef820075d9fb5cdef55b47644cc5465b5e012c9a52b2fe

Resubmissions

08-07-2021 11:17

210708-5s29gx8mxn 10

08-07-2021 11:17

210708-lndt9d354a 10

Analysis

max time kernel
1800s
max time network
1722s
platform
windows10_x64
resource
win10v20210410
submitted
08-07-2021 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x00030000000130db-122.exe
Size

345KB
MD5

c6f791cdb3ec5ab080f0d84e9cb1d4eb
SHA1

d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf
SHA256

d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414
SHA512

d41134a4b310d5e640240c1083a39e4e0ffa5c025287060a9cdd94be67a877e6e88f8d85cb6ceca432bdc3de19e95465a560642fb119820105141bd9c57a0d30

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2284 created 3292 2284 WerFault.exe fbdvura
Executes dropped EXE 1 IoCs

Processes:

fbdvura

pid process

3292 fbdvura
Deletes itself 1 IoCs

Processes:

pid process

3020
Loads dropped DLL 1 IoCs

Processes:

0x00030000000130db-122.exe

pid process

2116 0x00030000000130db-122.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2284 3292 WerFault.exe fbdvura

description	pid	process	target process
PID 2284 created 3292	2284	WerFault.exe	fbdvura

pid	process
3292	fbdvura

pid	process
3020

pid	pid_target	process	target process
2284	3292	WerFault.exe	fbdvura

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0x00030000000130db-122.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x00030000000130db-122.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x00030000000130db-122.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x00030000000130db-122.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0x00030000000130db-122.exe

pid	process
2116	0x00030000000130db-122.exe
2116	0x00030000000130db-122.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3020
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0x00030000000130db-122.exe

pid process

2116 0x00030000000130db-122.exe

pid	process
3020

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

WerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeRestorePrivilege	2284	WerFault.exe
Token: SeBackupPrivilege	2284	WerFault.exe
Token: SeDebugPrivilege	2284	WerFault.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020

C:\Users\Admin\AppData\Local\Temp\0x00030000000130db-122.exe
"C:\Users\Admin\AppData\Local\Temp\0x00030000000130db-122.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2116

C:\Users\Admin\AppData\Roaming\fbdvura
C:\Users\Admin\AppData\Roaming\fbdvura
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 480
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
C:\Users\Admin\AppData\Roaming\fbdvura
MD5
c6f791cdb3ec5ab080f0d84e9cb1d4eb

SHA1
d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf

SHA256
d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414

SHA512
d41134a4b310d5e640240c1083a39e4e0ffa5c025287060a9cdd94be67a877e6e88f8d85cb6ceca432bdc3de19e95465a560642fb119820105141bd9c57a0d30

Download Submit
C:\Users\Admin\AppData\Roaming\fbdvura
MD5
c6f791cdb3ec5ab080f0d84e9cb1d4eb

SHA1
d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf

SHA256
d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414

SHA512
d41134a4b310d5e640240c1083a39e4e0ffa5c025287060a9cdd94be67a877e6e88f8d85cb6ceca432bdc3de19e95465a560642fb119820105141bd9c57a0d30

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/2116-115-0x0000000000950000-0x0000000000959000-memory.dmp

Filesize
36KB

Download
memory/2116-116-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download
memory/3020-117-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/3292-122-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download