smokeloader | 27c106e7c9e455f880849d79759df345d2117aa2e2357696dabb51bc11adce8b

Analysis

max time kernel
153s
max time network
123s
platform
windows10_x64
resource
win10v20210408
submitted
29-08-2021 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cecf25eab4285753ad7fa006aabf4405.exe
Size

143KB
MD5

cecf25eab4285753ad7fa006aabf4405
SHA1

366b60cf4a63e304c64258596aecc2b19007ad00
SHA256

27c106e7c9e455f880849d79759df345d2117aa2e2357696dabb51bc11adce8b
SHA512

15dba194b8fbc367e41a55138bdef6f604dbb011a4bfa4208df75f51f346403784393a35144089a01a73e9961f5a4d5cb4ad40e183a52407fb015dbf3063d54b

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Deletes itself 1 IoCs

Processes:

pid	Process
2900

Suspicious use of SetThreadContext 1 IoCs

Processes:

cecf25eab4285753ad7fa006aabf4405.exe

description	pid	Process	procid_target
PID 4796 set thread context of 4164	4796	cecf25eab4285753ad7fa006aabf4405.exe	77

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cecf25eab4285753ad7fa006aabf4405.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cecf25eab4285753ad7fa006aabf4405.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cecf25eab4285753ad7fa006aabf4405.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cecf25eab4285753ad7fa006aabf4405.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cecf25eab4285753ad7fa006aabf4405.exe

pid	Process
4164	cecf25eab4285753ad7fa006aabf4405.exe
4164	cecf25eab4285753ad7fa006aabf4405.exe
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2900

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

cecf25eab4285753ad7fa006aabf4405.exe

pid	Process
4164	cecf25eab4285753ad7fa006aabf4405.exe
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
2900

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

cecf25eab4285753ad7fa006aabf4405.exe

description	pid	Process	procid_target
PID 4796 wrote to memory of 4164	4796	cecf25eab4285753ad7fa006aabf4405.exe	77
PID 4796 wrote to memory of 4164	4796	cecf25eab4285753ad7fa006aabf4405.exe	77
PID 4796 wrote to memory of 4164	4796	cecf25eab4285753ad7fa006aabf4405.exe	77
PID 4796 wrote to memory of 4164	4796	cecf25eab4285753ad7fa006aabf4405.exe	77
PID 4796 wrote to memory of 4164	4796	cecf25eab4285753ad7fa006aabf4405.exe	77
PID 4796 wrote to memory of 4164	4796	cecf25eab4285753ad7fa006aabf4405.exe	77
PID 2900 wrote to memory of 500	2900		79
PID 2900 wrote to memory of 500	2900		79
PID 2900 wrote to memory of 500	2900		79
PID 2900 wrote to memory of 500	2900		79
PID 2900 wrote to memory of 908	2900		80
PID 2900 wrote to memory of 908	2900		80
PID 2900 wrote to memory of 908	2900		80
PID 2900 wrote to memory of 352	2900		81
PID 2900 wrote to memory of 352	2900		81
PID 2900 wrote to memory of 352	2900		81
PID 2900 wrote to memory of 352	2900		81
PID 2900 wrote to memory of 1080	2900		82
PID 2900 wrote to memory of 1080	2900		82
PID 2900 wrote to memory of 1080	2900		82
PID 2900 wrote to memory of 1212	2900		83
PID 2900 wrote to memory of 1212	2900		83
PID 2900 wrote to memory of 1212	2900		83
PID 2900 wrote to memory of 1212	2900		83
PID 2900 wrote to memory of 1412	2900		84
PID 2900 wrote to memory of 1412	2900		84
PID 2900 wrote to memory of 1412	2900		84
PID 2900 wrote to memory of 1564	2900		85
PID 2900 wrote to memory of 1564	2900		85
PID 2900 wrote to memory of 1564	2900		85
PID 2900 wrote to memory of 1564	2900		85
PID 2900 wrote to memory of 1804	2900		86
PID 2900 wrote to memory of 1804	2900		86
PID 2900 wrote to memory of 1804	2900		86
PID 2900 wrote to memory of 2040	2900		87
PID 2900 wrote to memory of 2040	2900		87
PID 2900 wrote to memory of 2040	2900		87
PID 2900 wrote to memory of 2040	2900		87

C:\Users\Admin\AppData\Local\Temp\cecf25eab4285753ad7fa006aabf4405.exe
"C:\Users\Admin\AppData\Local\Temp\cecf25eab4285753ad7fa006aabf4405.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\cecf25eab4285753ad7fa006aabf4405.exe
  "C:\Users\Admin\AppData\Local\Temp\cecf25eab4285753ad7fa006aabf4405.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4164

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:500

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:352

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1080

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1212

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1564

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/352-125-0x0000000000410000-0x0000000000417000-memory.dmp

Filesize
28KB

Download
memory/352-126-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/352-124-0x0000000000000000-mapping.dmp

Download
memory/500-118-0x0000000000000000-mapping.dmp

Download
memory/500-120-0x00000000006C0000-0x000000000072B000-memory.dmp

Filesize
428KB

Download
memory/500-119-0x0000000000730000-0x00000000007A4000-memory.dmp

Filesize
464KB

Download
memory/908-122-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/908-121-0x0000000000000000-mapping.dmp

Download
memory/908-123-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/1080-129-0x0000000000CC0000-0x0000000000CCF000-memory.dmp

Filesize
60KB

Download
memory/1080-128-0x0000000000CD0000-0x0000000000CD9000-memory.dmp

Filesize
36KB

Download
memory/1080-127-0x0000000000000000-mapping.dmp

Download
memory/1212-131-0x0000000000370000-0x0000000000375000-memory.dmp

Filesize
20KB

Download
memory/1212-132-0x0000000000360000-0x0000000000369000-memory.dmp

Filesize
36KB

Download
memory/1212-130-0x0000000000000000-mapping.dmp

Download
memory/1412-134-0x00000000005B0000-0x00000000005B6000-memory.dmp

Filesize
24KB

Download
memory/1412-133-0x0000000000000000-mapping.dmp

Download
memory/1412-135-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1564-136-0x0000000000000000-mapping.dmp

Download
memory/1564-137-0x00000000033B0000-0x00000000033B4000-memory.dmp

Filesize
16KB

Download
memory/1564-138-0x00000000033A0000-0x00000000033A9000-memory.dmp

Filesize
36KB

Download
memory/1804-139-0x0000000000000000-mapping.dmp

Download
memory/1804-140-0x0000000000D70000-0x0000000000D75000-memory.dmp

Filesize
20KB

Download
memory/1804-141-0x0000000000D60000-0x0000000000D69000-memory.dmp

Filesize
36KB

Download
memory/2040-142-0x0000000000000000-mapping.dmp

Download
memory/2040-144-0x0000000000930000-0x0000000000939000-memory.dmp

Filesize
36KB

Download
memory/2040-143-0x0000000000940000-0x0000000000945000-memory.dmp

Filesize
20KB

Download
memory/2900-117-0x0000000001040000-0x0000000001056000-memory.dmp

Filesize
88KB

Download
memory/4164-116-0x0000000000402FAB-mapping.dmp

Download
memory/4164-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4796-114-0x0000000001D80000-0x0000000001ECA000-memory.dmp

Filesize
1.3MB

Download