smokeloader | 3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331

General

Target

3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
Size

317KB
MD5

cf8ea443ae6c0a8367f3836a79ed9182
SHA1

455aa80e99b3546942fb7460404ac5205d08c282
SHA256

3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331
SHA512

98e601de70a6a93b28eec138023d6153311785eb2950ac1ef7402baea2c1cc47f1a07779aaf32a8d09708e2cbd71bf515aaf095994b50e7fde9ed310329ccde7

Score

10^/10

smokeloader backdoor evasion trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://abpa.at/upload/

http://emaratghajari.com/upload/

http://d7qw.cn/upload/

http://alumik-group.ru/upload/

http://zamkikurgan.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

5B27.exe

pid process

1708 5B27.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

2164

pid	process
1708	5B27.exe

pid	process
2164

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe5B27.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5B27.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5B27.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5B27.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1280 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXEipconfig.exeipconfig.exe

pid process

404 NETSTAT.EXE
1028 NETSTAT.EXE
1268 ipconfig.exe
3804 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1388 systeminfo.exe
Runs net.exe

pid	process
1280	tasklist.exe

pid	process
404	NETSTAT.EXE
1028	NETSTAT.EXE
1268	ipconfig.exe
3804	ipconfig.exe

pid	process
1388	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe

pid	process
3992	3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
3992	3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164
2164

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2164
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe5B27.exe

pid process

3992 3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
1708 5B27.exe

pid	process
2164

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: 36	1544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: 36	1544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemProfilePrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeProfSingleProcessPrivilege	2044	WMIC.exe
Token: SeIncBasePriorityPrivilege	2044	WMIC.exe
Token: SeCreatePagefilePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeDebugPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeRemoteShutdownPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: 33	2044	WMIC.exe
Token: 34	2044	WMIC.exe
Token: 35	2044	WMIC.exe
Token: 36	2044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2164 wrote to memory of 1708	2164		5B27.exe
PID 2164 wrote to memory of 1708	2164		5B27.exe
PID 2164 wrote to memory of 1708	2164		5B27.exe
PID 2164 wrote to memory of 1816	2164		cmd.exe
PID 2164 wrote to memory of 1816	2164		cmd.exe
PID 1816 wrote to memory of 1544	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 1544	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2044	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2044	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2660	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2660	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 872	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 872	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2300	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2300	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 3924	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 3924	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2144	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2144	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 4052	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 4052	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2416	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2416	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 3228	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 3228	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 3196	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 3196	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 4020	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 4020	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2208	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 2208	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 3092	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 3092	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 3804	1816	cmd.exe	ipconfig.exe
PID 1816 wrote to memory of 3804	1816	cmd.exe	ipconfig.exe
PID 1816 wrote to memory of 2160	1816	cmd.exe	ROUTE.EXE
PID 1816 wrote to memory of 2160	1816	cmd.exe	ROUTE.EXE
PID 1816 wrote to memory of 2424	1816	cmd.exe	netsh.exe
PID 1816 wrote to memory of 2424	1816	cmd.exe	netsh.exe
PID 1816 wrote to memory of 1388	1816	cmd.exe	systeminfo.exe
PID 1816 wrote to memory of 1388	1816	cmd.exe	systeminfo.exe
PID 1816 wrote to memory of 1280	1816	cmd.exe	tasklist.exe
PID 1816 wrote to memory of 1280	1816	cmd.exe	tasklist.exe
PID 1816 wrote to memory of 1640	1816	cmd.exe	net.exe
PID 1816 wrote to memory of 1640	1816	cmd.exe	net.exe
PID 1640 wrote to memory of 3268	1640	net.exe	net1.exe
PID 1640 wrote to memory of 3268	1640	net.exe	net1.exe
PID 1816 wrote to memory of 1292	1816	cmd.exe	net.exe
PID 1816 wrote to memory of 1292	1816	cmd.exe	net.exe
PID 1292 wrote to memory of 516	1292	net.exe	net1.exe
PID 1292 wrote to memory of 516	1292	net.exe	net1.exe
PID 1816 wrote to memory of 3616	1816	cmd.exe	net.exe
PID 1816 wrote to memory of 3616	1816	cmd.exe	net.exe
PID 3616 wrote to memory of 328	3616	net.exe	net1.exe
PID 3616 wrote to memory of 328	3616	net.exe	net1.exe
PID 1816 wrote to memory of 64	1816	cmd.exe	net.exe
PID 1816 wrote to memory of 64	1816	cmd.exe	net.exe
PID 64 wrote to memory of 1868	64	net.exe	net1.exe
PID 64 wrote to memory of 1868	64	net.exe	net1.exe
PID 1816 wrote to memory of 2272	1816	cmd.exe	net.exe
PID 1816 wrote to memory of 2272	1816	cmd.exe	net.exe
PID 1816 wrote to memory of 1340	1816	cmd.exe	net.exe
PID 1816 wrote to memory of 1340	1816	cmd.exe	net.exe
PID 1340 wrote to memory of 616	1340	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
"C:\Users\Admin\AppData\Local\Temp\3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3992

C:\Users\Admin\AppData\Local\Temp\5B27.exe
C:\Users\Admin\AppData\Local\Temp\5B27.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1708

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:2660

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:872

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:2300

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3924

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:2144

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:4052

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:2416

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:3228

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:3196

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:4020

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:2208

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3092

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:3804

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:2160

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:2424

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:1388

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:1280

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:3268

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:516

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:328

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:1868

C:\Windows\system32\net.exe
net use
2⤵
PID:2272

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:616

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:2032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:60

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:1828

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:1132

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:1028

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:836

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:1268

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5B27.exe
MD5
a3c870847b4131ad8320eba44d0b3013

SHA1
4be979a1d12e4d7deaff5165ce14e6d8449d0302

SHA256
454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855

SHA512
e7495fb42f109d402ef46eee2ed6edb1b2a4b8549a8883e5b884c3cc0c0d0b8a38888d4cc4d72583eaa79de78d4517ae8a56dee90403e5af94978f46f165d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B27.exe
MD5
a3c870847b4131ad8320eba44d0b3013

SHA1
4be979a1d12e4d7deaff5165ce14e6d8449d0302

SHA256
454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855

SHA512
e7495fb42f109d402ef46eee2ed6edb1b2a4b8549a8883e5b884c3cc0c0d0b8a38888d4cc4d72583eaa79de78d4517ae8a56dee90403e5af94978f46f165d86f

Download Submit
memory/1708-121-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/1708-122-0x0000000000460000-0x0000000000469000-memory.dmp

Filesize
36KB

Download
memory/1708-123-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2164-118-0x0000000000980000-0x0000000000996000-memory.dmp

Filesize
88KB

Download
memory/2164-124-0x0000000002B20000-0x0000000002B36000-memory.dmp

Filesize
88KB

Download
memory/2164-127-0x00000000043C0000-0x00000000043CF000-memory.dmp

Filesize
60KB

Download
memory/3992-116-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/3992-115-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/3992-117-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads