smokeloader | 3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41

Resubmissions

25-10-2021 17:24

211025-vy3lysgdf3 10

24-10-2021 11:10

211024-m94z6aehal 10

Analysis

max time kernel
1200s
max time network
1000s
platform
windows7_x64
resource
win7-en-20210920
submitted
25-10-2021 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pub3.exe
Size

335KB
MD5

e34cba52b1206c828978872b9338f430
SHA1

7b03d09434b98a479c8b3e84a2abf990e3918b93
SHA256

3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41
SHA512

62ece1d4a19e5572fb2a2af9c9810f56fa95e9449b4133a5ce4635e928c237de48bdac0b480ef70c7a59ba0f287bd409ab618b1e4ffe557b41070a5cd16d1353

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

3736.exeSmartClock.exeucubbee

pid process

1812 3736.exe
1468 SmartClock.exe
1428 ucubbee
Deletes itself 1 IoCs

Processes:

pid process

1204
Drops startup file 1 IoCs

Processes:

3736.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 3736.exe
Loads dropped DLL 3 IoCs

Processes:

3736.exe

pid process

1812 3736.exe
1812 3736.exe
1812 3736.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1812	3736.exe
1468	SmartClock.exe
1428	ucubbee

pid	process
1204

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	3736.exe

pid	process
1812	3736.exe
1812	3736.exe
1812	3736.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub3.exeucubbee

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ucubbee
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ucubbee
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ucubbee
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub3.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1468 SmartClock.exe

pid	process
1468	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub3.exe

pid	process
1364	pub3.exe
1364	pub3.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1204
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pub3.exeucubbee

pid process

1364 pub3.exe
1428 ucubbee
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1204
Token: SeShutdownPrivilege 1204
Token: SeShutdownPrivilege 1204
Token: SeShutdownPrivilege 1204
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1204
1204
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1204
1204
1204
1204

pid	process
1204

description	pid	process
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204

pid	process
1204
1204

pid	process
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3736.exetaskeng.exe

description	pid	process	target process
PID 1204 wrote to memory of 1812	1204		3736.exe
PID 1204 wrote to memory of 1812	1204		3736.exe
PID 1204 wrote to memory of 1812	1204		3736.exe
PID 1204 wrote to memory of 1812	1204		3736.exe
PID 1812 wrote to memory of 1468	1812	3736.exe	SmartClock.exe
PID 1812 wrote to memory of 1468	1812	3736.exe	SmartClock.exe
PID 1812 wrote to memory of 1468	1812	3736.exe	SmartClock.exe
PID 1812 wrote to memory of 1468	1812	3736.exe	SmartClock.exe
PID 864 wrote to memory of 1428	864	taskeng.exe	ucubbee
PID 864 wrote to memory of 1428	864	taskeng.exe	ucubbee
PID 864 wrote to memory of 1428	864	taskeng.exe	ucubbee
PID 864 wrote to memory of 1428	864	taskeng.exe	ucubbee

C:\Users\Admin\AppData\Local\Temp\pub3.exe
"C:\Users\Admin\AppData\Local\Temp\pub3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1364

C:\Users\Admin\AppData\Local\Temp\3736.exe
C:\Users\Admin\AppData\Local\Temp\3736.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1468

C:\Windows\system32\taskeng.exe
taskeng.exe {1D8BE4BD-6E0E-43D3-B31E-A1D1BEC7C119} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Roaming\ucubbee
C:\Users\Admin\AppData\Roaming\ucubbee
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3736.exe
MD5
b4eb5c1faab823e30e812e87148e9c81

SHA1
2e000a1a5ed4acf644d6d609ed3e62b19564f40d

SHA256
bd560f1a82e35d2187916d2e43ec360c9ecf1189f3c3ffa0fb659ca55b1f1e16

SHA512
4bc3b2a9844619c2fea89ee25e48d63e7372bf0243262718d428d25a3159c557a707feaef268cbbc3a2189b42fd3bdabdf3a059c6e008d6f1b318f17948251cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3736.exe
MD5
b4eb5c1faab823e30e812e87148e9c81

SHA1
2e000a1a5ed4acf644d6d609ed3e62b19564f40d

SHA256
bd560f1a82e35d2187916d2e43ec360c9ecf1189f3c3ffa0fb659ca55b1f1e16

SHA512
4bc3b2a9844619c2fea89ee25e48d63e7372bf0243262718d428d25a3159c557a707feaef268cbbc3a2189b42fd3bdabdf3a059c6e008d6f1b318f17948251cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
MD5
51ed3d53f7e01b3a69ee3708e03c8ee3

SHA1
ac07d5d79050bd7ab3f38ce740194fe064402033

SHA256
e1c39249fe47332c8fecf8605d6228ea35ca522d4bb00af078449ffddf0bbaed

SHA512
b530f332f6801034b1e2cdbed8e8bea0e9ebd65f4ec8a2bd3e264d8f92068c72ad1b200a0d1c9ce81d0031a74aaae1de9178c9386327aa1cda3dd8d7bd9ef9f5

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b4eb5c1faab823e30e812e87148e9c81

SHA1
2e000a1a5ed4acf644d6d609ed3e62b19564f40d

SHA256
bd560f1a82e35d2187916d2e43ec360c9ecf1189f3c3ffa0fb659ca55b1f1e16

SHA512
4bc3b2a9844619c2fea89ee25e48d63e7372bf0243262718d428d25a3159c557a707feaef268cbbc3a2189b42fd3bdabdf3a059c6e008d6f1b318f17948251cf

Download Submit
C:\Users\Admin\AppData\Roaming\ucubbee
MD5
e34cba52b1206c828978872b9338f430

SHA1
7b03d09434b98a479c8b3e84a2abf990e3918b93

SHA256
3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41

SHA512
62ece1d4a19e5572fb2a2af9c9810f56fa95e9449b4133a5ce4635e928c237de48bdac0b480ef70c7a59ba0f287bd409ab618b1e4ffe557b41070a5cd16d1353

Download Submit
C:\Users\Admin\AppData\Roaming\ucubbee
MD5
e34cba52b1206c828978872b9338f430

SHA1
7b03d09434b98a479c8b3e84a2abf990e3918b93

SHA256
3632bc3aa58008650c9633e908804b5db470311e8e6de3a08a8ca598327b2a41

SHA512
62ece1d4a19e5572fb2a2af9c9810f56fa95e9449b4133a5ce4635e928c237de48bdac0b480ef70c7a59ba0f287bd409ab618b1e4ffe557b41070a5cd16d1353

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b4eb5c1faab823e30e812e87148e9c81

SHA1
2e000a1a5ed4acf644d6d609ed3e62b19564f40d

SHA256
bd560f1a82e35d2187916d2e43ec360c9ecf1189f3c3ffa0fb659ca55b1f1e16

SHA512
4bc3b2a9844619c2fea89ee25e48d63e7372bf0243262718d428d25a3159c557a707feaef268cbbc3a2189b42fd3bdabdf3a059c6e008d6f1b318f17948251cf

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b4eb5c1faab823e30e812e87148e9c81

SHA1
2e000a1a5ed4acf644d6d609ed3e62b19564f40d

SHA256
bd560f1a82e35d2187916d2e43ec360c9ecf1189f3c3ffa0fb659ca55b1f1e16

SHA512
4bc3b2a9844619c2fea89ee25e48d63e7372bf0243262718d428d25a3159c557a707feaef268cbbc3a2189b42fd3bdabdf3a059c6e008d6f1b318f17948251cf

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b4eb5c1faab823e30e812e87148e9c81

SHA1
2e000a1a5ed4acf644d6d609ed3e62b19564f40d

SHA256
bd560f1a82e35d2187916d2e43ec360c9ecf1189f3c3ffa0fb659ca55b1f1e16

SHA512
4bc3b2a9844619c2fea89ee25e48d63e7372bf0243262718d428d25a3159c557a707feaef268cbbc3a2189b42fd3bdabdf3a059c6e008d6f1b318f17948251cf

Download Submit
memory/1204-81-0x0000000003A80000-0x0000000003A96000-memory.dmp

Filesize
88KB

Download
memory/1204-58-0x0000000002920000-0x0000000002936000-memory.dmp

Filesize
88KB

Download
memory/1364-57-0x0000000000400000-0x0000000000883000-memory.dmp

Filesize
4.5MB

Download
memory/1364-54-0x00000000009E8000-0x00000000009F9000-memory.dmp

Filesize
68KB

Download
memory/1364-56-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1364-55-0x00000000768C1000-0x00000000768C3000-memory.dmp

Filesize
8KB

Download
memory/1428-80-0x0000000000400000-0x0000000000883000-memory.dmp

Filesize
4.5MB

Download
memory/1428-78-0x0000000000A48000-0x0000000000A59000-memory.dmp

Filesize
68KB

Download
memory/1428-76-0x0000000000000000-mapping.dmp

Download
memory/1468-74-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1468-72-0x00000000006E8000-0x0000000000768000-memory.dmp

Filesize
512KB

Download
memory/1468-67-0x0000000000000000-mapping.dmp

Download
memory/1812-61-0x00000000007B8000-0x0000000000838000-memory.dmp

Filesize
512KB

Download
memory/1812-59-0x0000000000000000-mapping.dmp

Download
memory/1812-70-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1812-71-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download