smokeloader | 7a0413cd0a25ed760cf3e17c60ce915b28c0472a658ba910d76435c19213dfac

Analysis

max time kernel
156s
max time network
120s
platform
windows10_x64
resource
win10v20210408
submitted
29/08/2021, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cbfec5cd3f0662c2715c07cb5137bc9.exe
Size

139KB
MD5

2cbfec5cd3f0662c2715c07cb5137bc9
SHA1

d9d8cbb7e646d492aaff3280898b79bb764eabf9
SHA256

7a0413cd0a25ed760cf3e17c60ce915b28c0472a658ba910d76435c19213dfac
SHA512

80450e2cd7d059cfa9f2d752f2b4d4a9d642006879a5900f102e622eadede260db97103b55ceaa408896ac87f9e82a76b87f7d34328756bdd9b57d219e0ff7fc

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Deletes itself 1 IoCs

pid	Process
3044	Process not Found

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 804 set thread context of 3140	804	2cbfec5cd3f0662c2715c07cb5137bc9.exe	77

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2cbfec5cd3f0662c2715c07cb5137bc9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2cbfec5cd3f0662c2715c07cb5137bc9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2cbfec5cd3f0662c2715c07cb5137bc9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3140	2cbfec5cd3f0662c2715c07cb5137bc9.exe
3140	2cbfec5cd3f0662c2715c07cb5137bc9.exe
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
3140	2cbfec5cd3f0662c2715c07cb5137bc9.exe
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 3140	804	2cbfec5cd3f0662c2715c07cb5137bc9.exe	77
PID 804 wrote to memory of 3140	804	2cbfec5cd3f0662c2715c07cb5137bc9.exe	77
PID 804 wrote to memory of 3140	804	2cbfec5cd3f0662c2715c07cb5137bc9.exe	77
PID 804 wrote to memory of 3140	804	2cbfec5cd3f0662c2715c07cb5137bc9.exe	77
PID 804 wrote to memory of 3140	804	2cbfec5cd3f0662c2715c07cb5137bc9.exe	77
PID 804 wrote to memory of 3140	804	2cbfec5cd3f0662c2715c07cb5137bc9.exe	77
PID 3044 wrote to memory of 2912	3044	Process not Found	79
PID 3044 wrote to memory of 2912	3044	Process not Found	79
PID 3044 wrote to memory of 2912	3044	Process not Found	79
PID 3044 wrote to memory of 2912	3044	Process not Found	79
PID 3044 wrote to memory of 1264	3044	Process not Found	80
PID 3044 wrote to memory of 1264	3044	Process not Found	80
PID 3044 wrote to memory of 1264	3044	Process not Found	80
PID 3044 wrote to memory of 3332	3044	Process not Found	81
PID 3044 wrote to memory of 3332	3044	Process not Found	81
PID 3044 wrote to memory of 3332	3044	Process not Found	81
PID 3044 wrote to memory of 3332	3044	Process not Found	81
PID 3044 wrote to memory of 1116	3044	Process not Found	82
PID 3044 wrote to memory of 1116	3044	Process not Found	82
PID 3044 wrote to memory of 1116	3044	Process not Found	82
PID 3044 wrote to memory of 2192	3044	Process not Found	83
PID 3044 wrote to memory of 2192	3044	Process not Found	83
PID 3044 wrote to memory of 2192	3044	Process not Found	83
PID 3044 wrote to memory of 2192	3044	Process not Found	83
PID 3044 wrote to memory of 852	3044	Process not Found	84
PID 3044 wrote to memory of 852	3044	Process not Found	84
PID 3044 wrote to memory of 852	3044	Process not Found	84
PID 3044 wrote to memory of 2256	3044	Process not Found	85
PID 3044 wrote to memory of 2256	3044	Process not Found	85
PID 3044 wrote to memory of 2256	3044	Process not Found	85
PID 3044 wrote to memory of 2256	3044	Process not Found	85
PID 3044 wrote to memory of 2516	3044	Process not Found	86
PID 3044 wrote to memory of 2516	3044	Process not Found	86
PID 3044 wrote to memory of 2516	3044	Process not Found	86
PID 3044 wrote to memory of 3912	3044	Process not Found	87
PID 3044 wrote to memory of 3912	3044	Process not Found	87
PID 3044 wrote to memory of 3912	3044	Process not Found	87
PID 3044 wrote to memory of 3912	3044	Process not Found	87

C:\Users\Admin\AppData\Local\Temp\2cbfec5cd3f0662c2715c07cb5137bc9.exe
"C:\Users\Admin\AppData\Local\Temp\2cbfec5cd3f0662c2715c07cb5137bc9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\2cbfec5cd3f0662c2715c07cb5137bc9.exe
  "C:\Users\Admin\AppData\Local\Temp\2cbfec5cd3f0662c2715c07cb5137bc9.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3140

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2912

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1264

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3332

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1116

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2192

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:852

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2256

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2516

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-116-0x0000000001DC0000-0x0000000001E6E000-memory.dmp

Filesize
696KB

Download
memory/852-134-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/852-135-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/1116-129-0x0000000000C80000-0x0000000000C8F000-memory.dmp

Filesize
60KB

Download
memory/1116-128-0x0000000000C90000-0x0000000000C99000-memory.dmp

Filesize
36KB

Download
memory/1264-122-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/1264-123-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/2192-132-0x0000000002C70000-0x0000000002C79000-memory.dmp

Filesize
36KB

Download
memory/2192-131-0x0000000002C80000-0x0000000002C85000-memory.dmp

Filesize
20KB

Download
memory/2256-138-0x0000000002A40000-0x0000000002A49000-memory.dmp

Filesize
36KB

Download
memory/2256-137-0x0000000002A50000-0x0000000002A54000-memory.dmp

Filesize
16KB

Download
memory/2516-141-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/2516-140-0x0000000000690000-0x0000000000695000-memory.dmp

Filesize
20KB

Download
memory/2912-121-0x0000000002E20000-0x0000000002E8B000-memory.dmp

Filesize
428KB

Download
memory/2912-120-0x0000000002E90000-0x0000000002F04000-memory.dmp

Filesize
464KB

Download
memory/3044-117-0x0000000000FA0000-0x0000000000FB6000-memory.dmp

Filesize
88KB

Download
memory/3140-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3332-126-0x0000000002C30000-0x0000000002C3B000-memory.dmp

Filesize
44KB

Download
memory/3332-125-0x0000000002C40000-0x0000000002C47000-memory.dmp

Filesize
28KB

Download
memory/3912-143-0x0000000002C20000-0x0000000002C25000-memory.dmp

Filesize
20KB

Download
memory/3912-144-0x0000000002C10000-0x0000000002C19000-memory.dmp

Filesize
36KB

Download