smokeloader | 1206fbf7e6a98bf2ac11d17648cb27e3aa514774df47b8c071a4473ca4f382c5

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-en-20211014
submitted
29-10-2021 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42eabd90d252834ba52568b200e09dfd.exe
Size

185KB
MD5

42eabd90d252834ba52568b200e09dfd
SHA1

e758217035e67aa46e475e1b5fb79a7168e03078
SHA256

1206fbf7e6a98bf2ac11d17648cb27e3aa514774df47b8c071a4473ca4f382c5
SHA512

5c7d18f36093e786f06c3c383747d5f49f31677f091e6d0325d48e1d6f3de45218190a97df447a029ca896b79633a5cf7534da1513a4389eaa85b6d648db9312

Score

10^/10

smokeloader backdoor suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

C11D.exe

pid process

1436 C11D.exe
Deletes itself 1 IoCs

Processes:

pid process

1304
Loads dropped DLL 2 IoCs

Processes:

pid process

1304
1304

pid	process
1436	C11D.exe

pid	process
1304

pid	process
1304
1304

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

42eabd90d252834ba52568b200e09dfd.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42eabd90d252834ba52568b200e09dfd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42eabd90d252834ba52568b200e09dfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42eabd90d252834ba52568b200e09dfd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

42eabd90d252834ba52568b200e09dfd.exe

pid	process
1608	42eabd90d252834ba52568b200e09dfd.exe
1608	42eabd90d252834ba52568b200e09dfd.exe
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304
1304

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1304
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

42eabd90d252834ba52568b200e09dfd.exe

pid process

1608 42eabd90d252834ba52568b200e09dfd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1640 powershell.exe
Token: SeDebugPrivilege 1636 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1304
1304
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1304
1304

pid	process
1304

description	pid	process
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe

pid	process
1304
1304

pid	process
1304
1304

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

C11D.exepowershell.execsc.exe

description	pid	process	target process
PID 1304 wrote to memory of 1436	1304		C11D.exe
PID 1304 wrote to memory of 1436	1304		C11D.exe
PID 1304 wrote to memory of 1436	1304		C11D.exe
PID 1436 wrote to memory of 1640	1436	C11D.exe	powershell.exe
PID 1436 wrote to memory of 1640	1436	C11D.exe	powershell.exe
PID 1436 wrote to memory of 1640	1436	C11D.exe	powershell.exe
PID 1640 wrote to memory of 884	1640	powershell.exe	csc.exe
PID 1640 wrote to memory of 884	1640	powershell.exe	csc.exe
PID 1640 wrote to memory of 884	1640	powershell.exe	csc.exe
PID 884 wrote to memory of 1940	884	csc.exe	cvtres.exe
PID 884 wrote to memory of 1940	884	csc.exe	cvtres.exe
PID 884 wrote to memory of 1940	884	csc.exe	cvtres.exe
PID 1640 wrote to memory of 1636	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1636	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1636	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1060	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1060	1640	powershell.exe	powershell.exe
PID 1640 wrote to memory of 1060	1640	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\42eabd90d252834ba52568b200e09dfd.exe
"C:\Users\Admin\AppData\Local\Temp\42eabd90d252834ba52568b200e09dfd.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1608

C:\Users\Admin\AppData\Local\Temp\C11D.exe
C:\Users\Admin\AppData\Local\Temp\C11D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v7tvik4r.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF059.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF058.tmp"
4⤵
PID:1940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C11D.exe
MD5
63151e4f7c3972f18a23c0e9996e14ef

SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270

SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF059.tmp
MD5
4c7fceca3bc162733953666bec22951e

SHA1
f1c54a61822fa2a1b71b4265bbfdc8d440a072ec

SHA256
904ea1726b5b84cb7125057c83c60dd3183a23df2ea5cc2737d3facb499689aa

SHA512
4ac3160447869953abe87dcb18d3f50ecc77cdcaf779abda6008e54a94bdb307c2a80cdd499508c48b44d2f8fc9d7954511d90a2f86db8246bb97f46c8a693d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5
f783019c5dc4a5477d1ffd4f9f512979

SHA1
37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b

SHA256
4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348

SHA512
64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\v7tvik4r.dll
MD5
cba8104c3dfc930a998cfa4970e170ae

SHA1
15de0162cede4a06565baed757d311383d2ef234

SHA256
3ec3fb67dd5e6c3bdeae7e0c5b27f71cba34da4abd7ee674848d0c2c11806d03

SHA512
241bd0780736ec03936f664e727d33a533fe0f3a95248420324bc34076a7466614fcc98ed64b7b0e93820f7a9fb60311e514b28aa91555755bc39517c8407029

Download Submit
C:\Users\Admin\AppData\Local\Temp\v7tvik4r.pdb
MD5
d987fd2154cb3bd825a0818e295f8e0c

SHA1
6dc7b1cfd838bb02842506e10bbff8e4584ac7da

SHA256
bde77bb559a4ba08b354a6d4fddc30b291936d53b84c5ffaab4f861eb5e93bdf

SHA512
cd8fe139bbd8448a1d4d93dd9bcc856657f760a5e0999b5a39e07c5f7f201491c20e73e82063b0b4f2cf734bd791066feedc0f6cf6c4a72261f9e5854f91c880

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
0cb500cdaf124449a3815f25f6d7f917

SHA1
314b4edd6a8e71b6ea1e1d5ca17f75ddd0484bea

SHA256
7db0d7c25629e48fa669b017cd38b215bb630c2c1f60e7c0c47bcb5e5d8b2567

SHA512
629c987e30a66a22dd14432fd6941d9e07c58de258a682d1e979ae5f31356ac0fde2be6ef37013b53a54fd6c7eb8e2d56160251365ca64a768c066c082d86fa8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
0cb500cdaf124449a3815f25f6d7f917

SHA1
314b4edd6a8e71b6ea1e1d5ca17f75ddd0484bea

SHA256
7db0d7c25629e48fa669b017cd38b215bb630c2c1f60e7c0c47bcb5e5d8b2567

SHA512
629c987e30a66a22dd14432fd6941d9e07c58de258a682d1e979ae5f31356ac0fde2be6ef37013b53a54fd6c7eb8e2d56160251365ca64a768c066c082d86fa8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF058.tmp
MD5
b6cd8b68dfd49105230727f541ec6656

SHA1
585cc3a8433bc916e9572927bebd7d53fa8948a4

SHA256
125d54a138c270dea763a11d48bcfd504a1c03428a803ad77df10fb5e2070012

SHA512
0f9e70cc008fcf88c7fc5b6a470a2383747fa80f44de1f599ac0bda34aa5251d056b5a24761a5bad8941fa2a6755f7b3ec5e239f54b1f6672e8d410b1786a0a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v7tvik4r.0.cs
MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v7tvik4r.cmdline
MD5
9a95ff2ba61b19a279a0c348c0cebb67

SHA1
1a6f59874da4d33413bea0e224e41ca3843fb0db

SHA256
3bf100f616c8ad09e17ebef1e3ddcfcd1425b15847373235d37d4672224bd2cf

SHA512
688e32f06aa38601231dcdce8d42a107b258c0e451ac02c4ecaefc3a7eb6908957c54e5ed4c6207166fd929a4318ea29647a2ee81db6137c62a7bd10127b1439

Download Submit
\Users\Admin\AppData\Local\Temp\C11D.exe
MD5
63151e4f7c3972f18a23c0e9996e14ef

SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270

SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Download Submit
\Users\Admin\AppData\Local\Temp\C11D.exe
MD5
63151e4f7c3972f18a23c0e9996e14ef

SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270

SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Download Submit
memory/884-88-0x0000000002080000-0x0000000002082000-memory.dmp

Filesize
8KB

Download
memory/884-78-0x0000000000000000-mapping.dmp

Download
memory/1060-100-0x0000000000000000-mapping.dmp

Download
memory/1304-59-0x00000000029B0000-0x00000000029C6000-memory.dmp

Filesize
88KB

Download
memory/1436-67-0x00000000281C4000-0x00000000281C6000-memory.dmp

Filesize
8KB

Download
memory/1436-69-0x00000000281C7000-0x00000000281C8000-memory.dmp

Filesize
4KB

Download
memory/1436-62-0x0000000000000000-mapping.dmp

Download
memory/1436-64-0x0000000041350000-0x000000004174F000-memory.dmp

Filesize
4.0MB

Download
memory/1436-66-0x00000000281C2000-0x00000000281C4000-memory.dmp

Filesize
8KB

Download
memory/1436-68-0x00000000281C6000-0x00000000281C7000-memory.dmp

Filesize
4KB

Download
memory/1608-57-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1608-56-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1608-58-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1608-55-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1636-93-0x000007FEEB3D0000-0x000007FEEBF2D000-memory.dmp

Filesize
11.4MB

Download
memory/1636-94-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/1636-99-0x00000000024E7000-0x00000000024E8000-memory.dmp

Filesize
4KB

Download
memory/1636-98-0x00000000024EC000-0x000000000250B000-memory.dmp

Filesize
124KB

Download
memory/1636-97-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1636-96-0x00000000024E2000-0x00000000024E4000-memory.dmp

Filesize
8KB

Download
memory/1636-95-0x00000000024E0000-0x00000000024E2000-memory.dmp

Filesize
8KB

Download
memory/1636-90-0x0000000000000000-mapping.dmp

Download
memory/1640-72-0x000007FEEB3D0000-0x000007FEEBF2D000-memory.dmp

Filesize
11.4MB

Download
memory/1640-74-0x0000000002842000-0x0000000002844000-memory.dmp

Filesize
8KB

Download
memory/1640-73-0x0000000002840000-0x0000000002842000-memory.dmp

Filesize
8KB

Download
memory/1640-89-0x000000000286D000-0x000000000286E000-memory.dmp

Filesize
4KB

Download
memory/1640-79-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1640-71-0x000007FEFC441000-0x000007FEFC443000-memory.dmp

Filesize
8KB

Download
memory/1640-70-0x0000000000000000-mapping.dmp

Download
memory/1640-76-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1640-75-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1940-82-0x0000000000000000-mapping.dmp

Download