smokeloader | bc94b163517e1a81cec89823d0d4bb7045cd09e72a46da38f1b52573cde695a8

Analysis

max time kernel
152s
max time network
152s
platform
windows7_x64
resource
win7-en-20211104
submitted
01-12-2021 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c11df57d6e3f2277ab9a9242b42dc35b.exe
Size

329KB
MD5

c11df57d6e3f2277ab9a9242b42dc35b
SHA1

832d923aaaf7bdf896d6952b8e58ad6e022f3891
SHA256

bc94b163517e1a81cec89823d0d4bb7045cd09e72a46da38f1b52573cde695a8
SHA512

e65dd1134dd42deaf20138c0f63a7324b9820414514559c668243fd2c5a90c7db63f25c76226cafaa0d2ec2325edce0a190a53ee447cad571381911fca1a44a5

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

99B0.exeSmartClock.exeB33E.exe380.exe

pid process

764 99B0.exe
1468 SmartClock.exe
1112 B33E.exe
1448 380.exe
Deletes itself 1 IoCs

Processes:

pid process

1272
Drops startup file 1 IoCs

Processes:

99B0.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 99B0.exe
Loads dropped DLL 3 IoCs

Processes:

99B0.exe

pid process

764 99B0.exe
764 99B0.exe
764 99B0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
764	99B0.exe
1468	SmartClock.exe
1112	B33E.exe
1448	380.exe

pid	process
1272

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	99B0.exe

pid	process
764	99B0.exe
764	99B0.exe
764	99B0.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

B33E.exec11df57d6e3f2277ab9a9242b42dc35b.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B33E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B33E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c11df57d6e3f2277ab9a9242b42dc35b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c11df57d6e3f2277ab9a9242b42dc35b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c11df57d6e3f2277ab9a9242b42dc35b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B33E.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1468 SmartClock.exe

pid	process
1468	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c11df57d6e3f2277ab9a9242b42dc35b.exe

pid	process
1588	c11df57d6e3f2277ab9a9242b42dc35b.exe
1588	c11df57d6e3f2277ab9a9242b42dc35b.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1272
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

c11df57d6e3f2277ab9a9242b42dc35b.exeB33E.exe

pid process

1588 c11df57d6e3f2277ab9a9242b42dc35b.exe
1112 B33E.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1272
1272
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1272
1272
1272
1272

pid	process
1272

pid	process
1272
1272

pid	process
1272
1272
1272
1272

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

99B0.exe

description	pid	process	target process
PID 1272 wrote to memory of 764	1272		99B0.exe
PID 1272 wrote to memory of 764	1272		99B0.exe
PID 1272 wrote to memory of 764	1272		99B0.exe
PID 1272 wrote to memory of 764	1272		99B0.exe
PID 764 wrote to memory of 1468	764	99B0.exe	SmartClock.exe
PID 764 wrote to memory of 1468	764	99B0.exe	SmartClock.exe
PID 764 wrote to memory of 1468	764	99B0.exe	SmartClock.exe
PID 764 wrote to memory of 1468	764	99B0.exe	SmartClock.exe
PID 1272 wrote to memory of 1112	1272		B33E.exe
PID 1272 wrote to memory of 1112	1272		B33E.exe
PID 1272 wrote to memory of 1112	1272		B33E.exe
PID 1272 wrote to memory of 1112	1272		B33E.exe
PID 1272 wrote to memory of 1448	1272		380.exe
PID 1272 wrote to memory of 1448	1272		380.exe
PID 1272 wrote to memory of 1448	1272		380.exe
PID 1272 wrote to memory of 1448	1272		380.exe

C:\Users\Admin\AppData\Local\Temp\c11df57d6e3f2277ab9a9242b42dc35b.exe
"C:\Users\Admin\AppData\Local\Temp\c11df57d6e3f2277ab9a9242b42dc35b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1588

C:\Users\Admin\AppData\Local\Temp\99B0.exe
C:\Users\Admin\AppData\Local\Temp\99B0.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1468

C:\Users\Admin\AppData\Local\Temp\B33E.exe
C:\Users\Admin\AppData\Local\Temp\B33E.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1112

C:\Users\Admin\AppData\Local\Temp\380.exe
C:\Users\Admin\AppData\Local\Temp\380.exe
1⤵
- Executes dropped EXE
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\380.exe
MD5
5e851005cb17b75845f76494ddf2dea5

SHA1
6fc4a78134acfdfa85ebcd0e4334faaa316a1a4d

SHA256
cb7951a0e9a676ac0feff058d5223321483e90e9d8e5704c796311fa2c8cf199

SHA512
bc7bef1b8314ce88b432c523a639c6732589c734eb1280beaa28e1fd8a4659d616ddd8e0c11ac9f1b2bf7d5e28a029deaea9b0032d41219d5315e5fce7867cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\99B0.exe
MD5
4ce8cbe172ddc3fe677409b51aa23862

SHA1
2b17af2b82adfde797ced33251ab5b38344e2303

SHA256
3e09298969d95adc65364deea9b78d394aac97474053dbe600a316584a25b76d

SHA512
6b2186e7a9700eb15b81ddcbfd2837989ec572a6e61bcd9aef9332d51d9f769f62ef04adeca26c056bc112da704c2c289eaebe9e26394c12c2fda8d03563ceb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\99B0.exe
MD5
4ce8cbe172ddc3fe677409b51aa23862

SHA1
2b17af2b82adfde797ced33251ab5b38344e2303

SHA256
3e09298969d95adc65364deea9b78d394aac97474053dbe600a316584a25b76d

SHA512
6b2186e7a9700eb15b81ddcbfd2837989ec572a6e61bcd9aef9332d51d9f769f62ef04adeca26c056bc112da704c2c289eaebe9e26394c12c2fda8d03563ceb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B33E.exe
MD5
1338d8f1a38a100d67ba32974fb3e5b4

SHA1
3ba67dedc2b57366158947b379a6c96cac00bfa8

SHA256
27ff500ad4459d1c7998f41798120b711cf243ec7ad1934f8fe39c1768236c83

SHA512
c6d73a5ac749803e6ae4185f178632cb0db2311f32e3eb750f3fbb7d6d0fea107ff3363ffea6815c37083b60ee7b336bcc48e555ca7b515b73d8c0a417dcfd04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
MD5
7f4ddf26d22700af82f3bf0ecd56f47d

SHA1
a348b4ed399d69bb699e3971c690b273fd514de2

SHA256
e4b02474ab3232b1b62057b2b20df386bfb907efc27fe933c0e9e05f6245db95

SHA512
f035ffbde8478eec0c1c67cc4bcd141866425e62503fd9d9a7ef092c82919b9a512c916b924ec2210a6536a95f08dbac6e96403c1a0eb069452a590c94c03b90

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
4ce8cbe172ddc3fe677409b51aa23862

SHA1
2b17af2b82adfde797ced33251ab5b38344e2303

SHA256
3e09298969d95adc65364deea9b78d394aac97474053dbe600a316584a25b76d

SHA512
6b2186e7a9700eb15b81ddcbfd2837989ec572a6e61bcd9aef9332d51d9f769f62ef04adeca26c056bc112da704c2c289eaebe9e26394c12c2fda8d03563ceb4

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
4ce8cbe172ddc3fe677409b51aa23862

SHA1
2b17af2b82adfde797ced33251ab5b38344e2303

SHA256
3e09298969d95adc65364deea9b78d394aac97474053dbe600a316584a25b76d

SHA512
6b2186e7a9700eb15b81ddcbfd2837989ec572a6e61bcd9aef9332d51d9f769f62ef04adeca26c056bc112da704c2c289eaebe9e26394c12c2fda8d03563ceb4

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
4ce8cbe172ddc3fe677409b51aa23862

SHA1
2b17af2b82adfde797ced33251ab5b38344e2303

SHA256
3e09298969d95adc65364deea9b78d394aac97474053dbe600a316584a25b76d

SHA512
6b2186e7a9700eb15b81ddcbfd2837989ec572a6e61bcd9aef9332d51d9f769f62ef04adeca26c056bc112da704c2c289eaebe9e26394c12c2fda8d03563ceb4

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
4ce8cbe172ddc3fe677409b51aa23862

SHA1
2b17af2b82adfde797ced33251ab5b38344e2303

SHA256
3e09298969d95adc65364deea9b78d394aac97474053dbe600a316584a25b76d

SHA512
6b2186e7a9700eb15b81ddcbfd2837989ec572a6e61bcd9aef9332d51d9f769f62ef04adeca26c056bc112da704c2c289eaebe9e26394c12c2fda8d03563ceb4

Download Submit
memory/764-71-0x0000000000330000-0x00000000003C1000-memory.dmp

Filesize
580KB

Download
memory/764-62-0x0000000000668000-0x00000000006E8000-memory.dmp

Filesize
512KB

Download
memory/764-60-0x0000000000000000-mapping.dmp

Download
memory/764-72-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1112-73-0x0000000000000000-mapping.dmp

Download
memory/1112-81-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1112-80-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1112-78-0x00000000002E8000-0x00000000002F9000-memory.dmp

Filesize
68KB

Download
memory/1272-59-0x0000000002C20000-0x0000000002C36000-memory.dmp

Filesize
88KB

Download
memory/1272-82-0x0000000003AC0000-0x0000000003AD6000-memory.dmp

Filesize
88KB

Download
memory/1448-83-0x0000000000000000-mapping.dmp

Download
memory/1448-85-0x00000000002A8000-0x00000000002D4000-memory.dmp

Filesize
176KB

Download
memory/1468-75-0x0000000000628000-0x00000000006A8000-memory.dmp

Filesize
512KB

Download
memory/1468-77-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1468-68-0x0000000000000000-mapping.dmp

Download
memory/1588-55-0x0000000000618000-0x0000000000629000-memory.dmp

Filesize
68KB

Download
memory/1588-57-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1588-56-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download
memory/1588-58-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download