smokeloader | 8fa2e2dc944134530288f4efd6b7b7288591993c08fd69dec0902b689435c028

General

Target

ab54c7300e784173d43437efb30d05b1.exe
Size

314KB
MD5

ab54c7300e784173d43437efb30d05b1
SHA1

7d0fe7468bd2e572b720abed5468f33c809ab01c
SHA256

8fa2e2dc944134530288f4efd6b7b7288591993c08fd69dec0902b689435c028
SHA512

b33998ae499ed54fbedb2e5aa20a161441dad4c037c6f9c86b1d252a1c4130b316e7d195159ff30e9db92059e3b3ff7e31e716c55459d3007aac662f2d4c0f4a

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

ab54c7300e784173d43437efb30d05b1.exe

description pid process target process

PID 2108 set thread context of 812 2108 ab54c7300e784173d43437efb30d05b1.exe ab54c7300e784173d43437efb30d05b1.exe

description	pid	process	target process
PID 2108 set thread context of 812	2108	ab54c7300e784173d43437efb30d05b1.exe	ab54c7300e784173d43437efb30d05b1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ab54c7300e784173d43437efb30d05b1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ab54c7300e784173d43437efb30d05b1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ab54c7300e784173d43437efb30d05b1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ab54c7300e784173d43437efb30d05b1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotification.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ab54c7300e784173d43437efb30d05b1.exe

pid	process
812	ab54c7300e784173d43437efb30d05b1.exe
812	ab54c7300e784173d43437efb30d05b1.exe
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440
2440

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2440
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ab54c7300e784173d43437efb30d05b1.exe

pid process

812 ab54c7300e784173d43437efb30d05b1.exe

pid	process
2440

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

MusNotification.exe

description	pid	process
Token: SeShutdownPrivilege	3836	MusNotification.exe
Token: SeCreatePagefilePrivilege	3836	MusNotification.exe
Token: SeShutdownPrivilege	2440
Token: SeCreatePagefilePrivilege	2440

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ab54c7300e784173d43437efb30d05b1.exe

description	pid	process	target process
PID 2108 wrote to memory of 812	2108	ab54c7300e784173d43437efb30d05b1.exe	ab54c7300e784173d43437efb30d05b1.exe
PID 2108 wrote to memory of 812	2108	ab54c7300e784173d43437efb30d05b1.exe	ab54c7300e784173d43437efb30d05b1.exe
PID 2108 wrote to memory of 812	2108	ab54c7300e784173d43437efb30d05b1.exe	ab54c7300e784173d43437efb30d05b1.exe
PID 2108 wrote to memory of 812	2108	ab54c7300e784173d43437efb30d05b1.exe	ab54c7300e784173d43437efb30d05b1.exe
PID 2108 wrote to memory of 812	2108	ab54c7300e784173d43437efb30d05b1.exe	ab54c7300e784173d43437efb30d05b1.exe
PID 2108 wrote to memory of 812	2108	ab54c7300e784173d43437efb30d05b1.exe	ab54c7300e784173d43437efb30d05b1.exe

C:\Users\Admin\AppData\Local\Temp\ab54c7300e784173d43437efb30d05b1.exe
"C:\Users\Admin\AppData\Local\Temp\ab54c7300e784173d43437efb30d05b1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\ab54c7300e784173d43437efb30d05b1.exe
  "C:\Users\Admin\AppData\Local\Temp\ab54c7300e784173d43437efb30d05b1.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:812

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/812-132-0x0000000000000000-mapping.dmp

Download
memory/812-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2108-130-0x000000000057E000-0x000000000058F000-memory.dmp

Filesize
68KB

Download
memory/2108-131-0x0000000000530000-0x0000000000539000-memory.dmp

Filesize
36KB

Download
memory/2440-134-0x0000000000BC0000-0x0000000000BD6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads