smokeloader | 31e01879dfaafe473840c755dedc6390305167a580e24c64d80315731ac6bc4f

Analysis

max time kernel
47s
max time network
174s
platform
windows7_x64
resource
win7-en-20211104
submitted
08-11-2021 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Size

3.6MB
MD5

9725f7f222530388cb2743504a6e0667
SHA1

56d0eb91855e326b050c904147f4d9dafc596d70
SHA256

9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
SHA512

ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663

Score

10^/10

smokeloader aspackv2 backdoor suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral23/files/0x000500000001305c-71.dat	aspack_v212_v242
behavioral23/files/0x000500000001305c-72.dat	aspack_v212_v242
behavioral23/files/0x0007000000012279-73.dat	aspack_v212_v242
behavioral23/files/0x0007000000012279-74.dat	aspack_v212_v242
behavioral23/files/0x000500000001306d-78.dat	aspack_v212_v242
behavioral23/files/0x000500000001306d-77.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
996	setup_installer.exe
568	setup_install.exe

Loads dropped DLL 15 IoCs

pid	Process
656	9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
996	setup_installer.exe
996	setup_installer.exe
996	setup_installer.exe
996	setup_installer.exe
996	setup_installer.exe
996	setup_installer.exe
568	setup_install.exe
568	setup_install.exe
568	setup_install.exe
568	setup_install.exe
568	setup_install.exe
568	setup_install.exe
568	setup_install.exe
568	setup_install.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2516	568	WerFault.exe	29

Kills process with taskkill 2 IoCs

evasion

pid	Process
2812	taskkill.exe
2956	taskkill.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 996	656	9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe	28
PID 656 wrote to memory of 996	656	9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe	28
PID 656 wrote to memory of 996	656	9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe	28
PID 656 wrote to memory of 996	656	9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe	28
PID 656 wrote to memory of 996	656	9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe	28
PID 656 wrote to memory of 996	656	9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe	28
PID 656 wrote to memory of 996	656	9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe	28
PID 996 wrote to memory of 568	996	setup_installer.exe	29
PID 996 wrote to memory of 568	996	setup_installer.exe	29
PID 996 wrote to memory of 568	996	setup_installer.exe	29
PID 996 wrote to memory of 568	996	setup_installer.exe	29
PID 996 wrote to memory of 568	996	setup_installer.exe	29
PID 996 wrote to memory of 568	996	setup_installer.exe	29
PID 996 wrote to memory of 568	996	setup_installer.exe	29
PID 568 wrote to memory of 2036	568	setup_install.exe	31
PID 568 wrote to memory of 2036	568	setup_install.exe	31
PID 568 wrote to memory of 2036	568	setup_install.exe	31
PID 568 wrote to memory of 2036	568	setup_install.exe	31
PID 568 wrote to memory of 2036	568	setup_install.exe	31
PID 568 wrote to memory of 2036	568	setup_install.exe	31
PID 568 wrote to memory of 2036	568	setup_install.exe	31
PID 568 wrote to memory of 1548	568	setup_install.exe	32
PID 568 wrote to memory of 1548	568	setup_install.exe	32
PID 568 wrote to memory of 1548	568	setup_install.exe	32
PID 568 wrote to memory of 1548	568	setup_install.exe	32
PID 568 wrote to memory of 1548	568	setup_install.exe	32
PID 568 wrote to memory of 1548	568	setup_install.exe	32
PID 568 wrote to memory of 1548	568	setup_install.exe	32
PID 568 wrote to memory of 848	568	setup_install.exe	33
PID 568 wrote to memory of 848	568	setup_install.exe	33
PID 568 wrote to memory of 848	568	setup_install.exe	33
PID 568 wrote to memory of 848	568	setup_install.exe	33
PID 568 wrote to memory of 848	568	setup_install.exe	33
PID 568 wrote to memory of 848	568	setup_install.exe	33
PID 568 wrote to memory of 848	568	setup_install.exe	33
PID 568 wrote to memory of 1932	568	setup_install.exe	34
PID 568 wrote to memory of 1932	568	setup_install.exe	34
PID 568 wrote to memory of 1932	568	setup_install.exe	34
PID 568 wrote to memory of 1932	568	setup_install.exe	34
PID 568 wrote to memory of 1932	568	setup_install.exe	34
PID 568 wrote to memory of 1932	568	setup_install.exe	34
PID 568 wrote to memory of 1932	568	setup_install.exe	34

C:\Users\Admin\AppData\Local\Temp\9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
"C:\Users\Admin\AppData\Local\Temp\9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      PID:2036
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        
        PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1548
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed128c2773227671b3f.exe
      4⤵
      PID:848
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed128c2773227671b3f.exe
        
        Wed128c2773227671b3f.exe
        5⤵
        
        PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed12fb2a5c52f05816.exe
      4⤵
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed12fb2a5c52f05816.exe
        
        Wed12fb2a5c52f05816.exe
        5⤵
        
        PID:1592
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCripT:cLOSe ( creaTeoBJeCT( "wSCrIpT.shell").RuN ( "CMd.ExE /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed12fb2a5c52f05816.exe"" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If """"=="""" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed12fb2a5c52f05816.exe"") do taskkill -F -IM ""%~nxE"" " ,0, TRUe ) )
        6⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed12fb2a5c52f05816.exe" VAKlCUnlQu.exe&& STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If ""=="" for %E in ( "C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed12fb2a5c52f05816.exe") do taskkill -F -IM "%~nxE"
        7⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe
        
        VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm
        8⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCripT:cLOSe ( creaTeoBJeCT( "wSCrIpT.shell").RuN ( "CMd.ExE /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe"" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If ""-PRwIZKFgSE6xyUR7ivEyVbD3Oolfm ""=="""" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe"") do taskkill -F -IM ""%~nxE"" " ,0, TRUe ) )
        9⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -IM "Wed12fb2a5c52f05816.exe"
        8⤵
        Kills process with taskkill
        
        PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed126ca6605dbec0399.exe /mixone
      4⤵
      PID:1720
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed126ca6605dbec0399.exe
        
        Wed126ca6605dbec0399.exe /mixone
        5⤵
        
        PID:1888
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed126ca6605dbec0399.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed126ca6605dbec0399.exe" & exit
        6⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Wed126ca6605dbec0399.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed1217e6a0ef74ed.exe
      4⤵
      PID:1908
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed1217e6a0ef74ed.exe
        
        Wed1217e6a0ef74ed.exe
        5⤵
        
        PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed120b6f5c6d562.exe
      4⤵
      PID:564
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed120b6f5c6d562.exe
        
        Wed120b6f5c6d562.exe
        5⤵
        
        PID:284
      - C:\Users\Admin\AppData\Local\Temp\is-SJ4RP.tmp\Wed120b6f5c6d562.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SJ4RP.tmp\Wed120b6f5c6d562.tmp" /SL5="$10184,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed120b6f5c6d562.exe"
        6⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed120b6f5c6d562.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed120b6f5c6d562.exe" /SILENT
        7⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\is-D2N8M.tmp\Wed120b6f5c6d562.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D2N8M.tmp\Wed120b6f5c6d562.tmp" /SL5="$6012C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed120b6f5c6d562.exe" /SILENT
        8⤵
        
        PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed12bcd18bdbc441.exe
      4⤵
      PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed12bcd18bdbc441.exe
        
        Wed12bcd18bdbc441.exe
        5⤵
        
        PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed12859e3c1cf63b6a0.exe
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed1229427acd4bc167.exe
      4⤵
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed1229427acd4bc167.exe
        
        Wed1229427acd4bc167.exe
        5⤵
        
        PID:956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed12fbb08f1dfc28.exe
      4⤵
      PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed12fbb08f1dfc28.exe
        
        Wed12fbb08f1dfc28.exe
        5⤵
        
        PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed129eb9b8859.exe
      4⤵
      PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed129eb9b8859.exe
        
        Wed129eb9b8859.exe
        5⤵
        
        PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed12ebaf7883e1890d.exe
      4⤵
      PID:620
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed12ebaf7883e1890d.exe
        
        Wed12ebaf7883e1890d.exe
        5⤵
        
        PID:2112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed1241cc206cfb.exe
      4⤵
      PID:1960
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed1241cc206cfb.exe
        
        Wed1241cc206cfb.exe
        5⤵
        
        PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed121f7e9e92793cf.exe
      4⤵
      PID:644
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E3ED976\Wed121f7e9e92793cf.exe
        
        Wed121f7e9e92793cf.exe
        5⤵
        
        PID:2220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 476
      4⤵
      Program crash
      PID:2516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/284-194-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/568-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/568-111-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/568-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/568-102-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/568-98-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/568-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/568-96-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/568-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/568-118-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/568-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/568-109-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/568-107-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/568-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/568-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/568-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/656-55-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1360-226-0x0000000003D40000-0x0000000003D56000-memory.dmp

Filesize
88KB

Download
memory/1488-228-0x0000000002060000-0x0000000002CAA000-memory.dmp

Filesize
12.3MB

Download
memory/1708-207-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1708-225-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/1712-229-0x0000000001F90000-0x0000000002BDA000-memory.dmp

Filesize
12.3MB

Download
memory/1888-215-0x0000000000400000-0x0000000002DC2000-memory.dmp

Filesize
41.8MB

Download
memory/1888-199-0x0000000002DD0000-0x0000000002E19000-memory.dmp

Filesize
292KB

Download
memory/1888-188-0x00000000002A0000-0x00000000002C9000-memory.dmp

Filesize
164KB

Download
memory/1912-208-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2112-195-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2140-212-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/2140-202-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2140-213-0x0000000000400000-0x0000000002DAA000-memory.dmp

Filesize
41.7MB

Download
memory/2220-206-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/2348-214-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2468-221-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2504-224-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2516-239-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download