smokeloader | 2bb5cb490caca6d8a0dc1bab96ce898765f1f88948a86cd777508319025e8950

Resubmissions

29-08-2021 09:08

210829-kbvd4yh12j 10

29-08-2021 09:00

210829-d9htsa2ade 10

Analysis

max time kernel
1802s
max time network
1438s
platform
windows10_x64
resource
win10v20210408
submitted
29-08-2021 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdf56d1d215d546e5add6dd065232224.exe
Size

143KB
MD5

bdf56d1d215d546e5add6dd065232224
SHA1

07b2cc6992490266a7cce234e7a4e2efafc72bec
SHA256

2bb5cb490caca6d8a0dc1bab96ce898765f1f88948a86cd777508319025e8950
SHA512

2a7518c50d5884c8406d58e789457213c5e707279a7b6e2d7a42a9e7c8fbc3ed71ebcf796458efebacaea8d5bb56a3e4bef1c0379fb9a3dd85ea09bd27b95bf8

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

Processes:

catusvwcatusvwcatusvwcatusvwcatusvwcatusvw

pid	Process
2972	catusvw
1200	catusvw
1456	catusvw
1132	catusvw
1144	catusvw
1576	catusvw

Deletes itself 1 IoCs

Processes:

pid	Process
2740

Suspicious use of SetThreadContext 4 IoCs

Processes:

bdf56d1d215d546e5add6dd065232224.execatusvwcatusvwcatusvw

description	pid	Process	procid_target
PID 912 set thread context of 2840	912	bdf56d1d215d546e5add6dd065232224.exe	77
PID 2972 set thread context of 1200	2972	catusvw	89
PID 1456 set thread context of 1132	1456	catusvw	91
PID 1144 set thread context of 1576	1144	catusvw	93

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

catusvwcatusvwcatusvwbdf56d1d215d546e5add6dd065232224.exe

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	catusvw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	catusvw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	catusvw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bdf56d1d215d546e5add6dd065232224.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bdf56d1d215d546e5add6dd065232224.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bdf56d1d215d546e5add6dd065232224.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	catusvw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	catusvw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	catusvw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	catusvw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	catusvw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	catusvw

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bdf56d1d215d546e5add6dd065232224.exe

pid	Process
2840	bdf56d1d215d546e5add6dd065232224.exe
2840	bdf56d1d215d546e5add6dd065232224.exe
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2740

Suspicious behavior: MapViewOfSection 22 IoCs

Processes:

bdf56d1d215d546e5add6dd065232224.execatusvwcatusvwcatusvw

pid	Process
2840	bdf56d1d215d546e5add6dd065232224.exe
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
2740
1200	catusvw
1132	catusvw
1576	catusvw

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740
Token: SeShutdownPrivilege	2740
Token: SeCreatePagefilePrivilege	2740

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
2740

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

bdf56d1d215d546e5add6dd065232224.execatusvwcatusvwcatusvw

description	pid	Process	procid_target
PID 912 wrote to memory of 2840	912	bdf56d1d215d546e5add6dd065232224.exe	77
PID 912 wrote to memory of 2840	912	bdf56d1d215d546e5add6dd065232224.exe	77
PID 912 wrote to memory of 2840	912	bdf56d1d215d546e5add6dd065232224.exe	77
PID 912 wrote to memory of 2840	912	bdf56d1d215d546e5add6dd065232224.exe	77
PID 912 wrote to memory of 2840	912	bdf56d1d215d546e5add6dd065232224.exe	77
PID 912 wrote to memory of 2840	912	bdf56d1d215d546e5add6dd065232224.exe	77
PID 2740 wrote to memory of 2876	2740		79
PID 2740 wrote to memory of 2876	2740		79
PID 2740 wrote to memory of 2876	2740		79
PID 2740 wrote to memory of 2876	2740		79
PID 2740 wrote to memory of 528	2740		80
PID 2740 wrote to memory of 528	2740		80
PID 2740 wrote to memory of 528	2740		80
PID 2740 wrote to memory of 2116	2740		81
PID 2740 wrote to memory of 2116	2740		81
PID 2740 wrote to memory of 2116	2740		81
PID 2740 wrote to memory of 2116	2740		81
PID 2740 wrote to memory of 1128	2740		82
PID 2740 wrote to memory of 1128	2740		82
PID 2740 wrote to memory of 1128	2740		82
PID 2740 wrote to memory of 656	2740		83
PID 2740 wrote to memory of 656	2740		83
PID 2740 wrote to memory of 656	2740		83
PID 2740 wrote to memory of 656	2740		83
PID 2740 wrote to memory of 3844	2740		84
PID 2740 wrote to memory of 3844	2740		84
PID 2740 wrote to memory of 3844	2740		84
PID 2740 wrote to memory of 4088	2740		85
PID 2740 wrote to memory of 4088	2740		85
PID 2740 wrote to memory of 4088	2740		85
PID 2740 wrote to memory of 4088	2740		85
PID 2740 wrote to memory of 4004	2740		86
PID 2740 wrote to memory of 4004	2740		86
PID 2740 wrote to memory of 4004	2740		86
PID 2740 wrote to memory of 2272	2740		87
PID 2740 wrote to memory of 2272	2740		87
PID 2740 wrote to memory of 2272	2740		87
PID 2740 wrote to memory of 2272	2740		87
PID 2972 wrote to memory of 1200	2972	catusvw	89
PID 2972 wrote to memory of 1200	2972	catusvw	89
PID 2972 wrote to memory of 1200	2972	catusvw	89
PID 2972 wrote to memory of 1200	2972	catusvw	89
PID 2972 wrote to memory of 1200	2972	catusvw	89
PID 2972 wrote to memory of 1200	2972	catusvw	89
PID 1456 wrote to memory of 1132	1456	catusvw	91
PID 1456 wrote to memory of 1132	1456	catusvw	91
PID 1456 wrote to memory of 1132	1456	catusvw	91
PID 1456 wrote to memory of 1132	1456	catusvw	91
PID 1456 wrote to memory of 1132	1456	catusvw	91
PID 1456 wrote to memory of 1132	1456	catusvw	91
PID 1144 wrote to memory of 1576	1144	catusvw	93
PID 1144 wrote to memory of 1576	1144	catusvw	93
PID 1144 wrote to memory of 1576	1144	catusvw	93
PID 1144 wrote to memory of 1576	1144	catusvw	93
PID 1144 wrote to memory of 1576	1144	catusvw	93
PID 1144 wrote to memory of 1576	1144	catusvw	93

C:\Users\Admin\AppData\Local\Temp\bdf56d1d215d546e5add6dd065232224.exe
"C:\Users\Admin\AppData\Local\Temp\bdf56d1d215d546e5add6dd065232224.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\bdf56d1d215d546e5add6dd065232224.exe
  "C:\Users\Admin\AppData\Local\Temp\bdf56d1d215d546e5add6dd065232224.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2840

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2876

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:528

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2116

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1128

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:656

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4088

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2272

C:\Users\Admin\AppData\Roaming\catusvw
C:\Users\Admin\AppData\Roaming\catusvw
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Roaming\catusvw
  C:\Users\Admin\AppData\Roaming\catusvw
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1200

C:\Users\Admin\AppData\Roaming\catusvw
C:\Users\Admin\AppData\Roaming\catusvw
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Roaming\catusvw
  C:\Users\Admin\AppData\Roaming\catusvw
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1132

C:\Users\Admin\AppData\Roaming\catusvw
C:\Users\Admin\AppData\Roaming\catusvw
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Roaming\catusvw
  C:\Users\Admin\AppData\Roaming\catusvw
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\catusvw

MD5
bdf56d1d215d546e5add6dd065232224

SHA1
07b2cc6992490266a7cce234e7a4e2efafc72bec

SHA256
2bb5cb490caca6d8a0dc1bab96ce898765f1f88948a86cd777508319025e8950

SHA512
2a7518c50d5884c8406d58e789457213c5e707279a7b6e2d7a42a9e7c8fbc3ed71ebcf796458efebacaea8d5bb56a3e4bef1c0379fb9a3dd85ea09bd27b95bf8

Download Submit
C:\Users\Admin\AppData\Roaming\catusvw

MD5
bdf56d1d215d546e5add6dd065232224

SHA1
07b2cc6992490266a7cce234e7a4e2efafc72bec

SHA256
2bb5cb490caca6d8a0dc1bab96ce898765f1f88948a86cd777508319025e8950

SHA512
2a7518c50d5884c8406d58e789457213c5e707279a7b6e2d7a42a9e7c8fbc3ed71ebcf796458efebacaea8d5bb56a3e4bef1c0379fb9a3dd85ea09bd27b95bf8

Download Submit
C:\Users\Admin\AppData\Roaming\catusvw

MD5
bdf56d1d215d546e5add6dd065232224

SHA1
07b2cc6992490266a7cce234e7a4e2efafc72bec

SHA256
2bb5cb490caca6d8a0dc1bab96ce898765f1f88948a86cd777508319025e8950

SHA512
2a7518c50d5884c8406d58e789457213c5e707279a7b6e2d7a42a9e7c8fbc3ed71ebcf796458efebacaea8d5bb56a3e4bef1c0379fb9a3dd85ea09bd27b95bf8

Download Submit
C:\Users\Admin\AppData\Roaming\catusvw

MD5
bdf56d1d215d546e5add6dd065232224

SHA1
07b2cc6992490266a7cce234e7a4e2efafc72bec

SHA256
2bb5cb490caca6d8a0dc1bab96ce898765f1f88948a86cd777508319025e8950

SHA512
2a7518c50d5884c8406d58e789457213c5e707279a7b6e2d7a42a9e7c8fbc3ed71ebcf796458efebacaea8d5bb56a3e4bef1c0379fb9a3dd85ea09bd27b95bf8

Download Submit
C:\Users\Admin\AppData\Roaming\catusvw

MD5
bdf56d1d215d546e5add6dd065232224

SHA1
07b2cc6992490266a7cce234e7a4e2efafc72bec

SHA256
2bb5cb490caca6d8a0dc1bab96ce898765f1f88948a86cd777508319025e8950

SHA512
2a7518c50d5884c8406d58e789457213c5e707279a7b6e2d7a42a9e7c8fbc3ed71ebcf796458efebacaea8d5bb56a3e4bef1c0379fb9a3dd85ea09bd27b95bf8

Download Submit
C:\Users\Admin\AppData\Roaming\catusvw

MD5
bdf56d1d215d546e5add6dd065232224

SHA1
07b2cc6992490266a7cce234e7a4e2efafc72bec

SHA256
2bb5cb490caca6d8a0dc1bab96ce898765f1f88948a86cd777508319025e8950

SHA512
2a7518c50d5884c8406d58e789457213c5e707279a7b6e2d7a42a9e7c8fbc3ed71ebcf796458efebacaea8d5bb56a3e4bef1c0379fb9a3dd85ea09bd27b95bf8

Download Submit
C:\Users\Admin\AppData\Roaming\catusvw

MD5
bdf56d1d215d546e5add6dd065232224

SHA1
07b2cc6992490266a7cce234e7a4e2efafc72bec

SHA256
2bb5cb490caca6d8a0dc1bab96ce898765f1f88948a86cd777508319025e8950

SHA512
2a7518c50d5884c8406d58e789457213c5e707279a7b6e2d7a42a9e7c8fbc3ed71ebcf796458efebacaea8d5bb56a3e4bef1c0379fb9a3dd85ea09bd27b95bf8

Download Submit
memory/528-121-0x0000000000000000-mapping.dmp

Download
memory/528-123-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/528-122-0x0000000000BB0000-0x0000000000BB7000-memory.dmp

Filesize
28KB

Download
memory/656-131-0x0000000003030000-0x0000000003035000-memory.dmp

Filesize
20KB

Download
memory/656-132-0x0000000003020000-0x0000000003029000-memory.dmp

Filesize
36KB

Download
memory/656-130-0x0000000000000000-mapping.dmp

Download
memory/912-116-0x0000000001EA0000-0x0000000001FEA000-memory.dmp

Filesize
1.3MB

Download
memory/1128-127-0x0000000000000000-mapping.dmp

Download
memory/1128-129-0x0000000000B00000-0x0000000000B0F000-memory.dmp

Filesize
60KB

Download
memory/1128-128-0x0000000000B10000-0x0000000000B19000-memory.dmp

Filesize
36KB

Download
memory/1132-154-0x0000000000402FAB-mapping.dmp

Download
memory/1200-148-0x0000000000402FAB-mapping.dmp

Download
memory/1456-156-0x0000000001D80000-0x0000000001E2E000-memory.dmp

Filesize
696KB

Download
memory/1576-160-0x0000000000402FAB-mapping.dmp

Download
memory/2116-125-0x0000000000840000-0x0000000000847000-memory.dmp

Filesize
28KB

Download
memory/2116-126-0x0000000000830000-0x000000000083B000-memory.dmp

Filesize
44KB

Download
memory/2116-124-0x0000000000000000-mapping.dmp

Download
memory/2272-142-0x0000000000000000-mapping.dmp

Download
memory/2272-144-0x0000000002D60000-0x0000000002D69000-memory.dmp

Filesize
36KB

Download
memory/2272-143-0x0000000002D70000-0x0000000002D75000-memory.dmp

Filesize
20KB

Download
memory/2740-162-0x0000000002A20000-0x0000000002A36000-memory.dmp

Filesize
88KB

Download
memory/2740-117-0x00000000010A0000-0x00000000010B6000-memory.dmp

Filesize
88KB

Download
memory/2740-157-0x0000000001120000-0x0000000001136000-memory.dmp

Filesize
88KB

Download
memory/2740-151-0x00000000010F0000-0x0000000001106000-memory.dmp

Filesize
88KB

Download
memory/2840-115-0x0000000000402FAB-mapping.dmp

Download
memory/2840-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2876-119-0x0000000000180000-0x00000000001F4000-memory.dmp

Filesize
464KB

Download
memory/2876-120-0x0000000000110000-0x000000000017B000-memory.dmp

Filesize
428KB

Download
memory/2876-118-0x0000000000000000-mapping.dmp

Download
memory/2972-150-0x0000000001E60000-0x0000000001E6A000-memory.dmp

Filesize
40KB

Download
memory/3844-133-0x0000000000000000-mapping.dmp

Download
memory/3844-135-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/3844-134-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/4004-141-0x0000000000500000-0x0000000000509000-memory.dmp

Filesize
36KB

Download
memory/4004-139-0x0000000000000000-mapping.dmp

Download
memory/4004-140-0x0000000000510000-0x0000000000515000-memory.dmp

Filesize
20KB

Download
memory/4088-138-0x0000000003020000-0x0000000003029000-memory.dmp

Filesize
36KB

Download
memory/4088-136-0x0000000000000000-mapping.dmp

Download
memory/4088-137-0x0000000003030000-0x0000000003034000-memory.dmp

Filesize
16KB

Download