smokeloader | 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100

General

Target

3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
Size

191KB
MD5

a05b981f73e296c8edf29ea9f68b8355
SHA1

f959ea0a5569320682e194bd87ae3fbf0b382647
SHA256

3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100
SHA512

d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Suspicious use of SetThreadContext 1 IoCs

Processes:

3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe

description	pid	process	target process
PID 1712 set thread context of 1580	1712	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe

pid	process
1580	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
1580	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432
2432

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2432
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe

pid process

1580 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2432
Token: SeCreatePagefilePrivilege 2432

pid	process
2432

description	pid	process
Token: SeShutdownPrivilege	2432
Token: SeCreatePagefilePrivilege	2432

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe

description	pid	process	target process
PID 1712 wrote to memory of 1580	1712	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
PID 1712 wrote to memory of 1580	1712	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
PID 1712 wrote to memory of 1580	1712	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
PID 1712 wrote to memory of 1580	1712	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
PID 1712 wrote to memory of 1580	1712	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
PID 1712 wrote to memory of 1580	1712	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe	3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe

C:\Users\Admin\AppData\Local\Temp\3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
"C:\Users\Admin\AppData\Local\Temp\3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe
"C:\Users\Admin\AppData\Local\Temp\3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1580

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 54d9bed1ef861f6c23881ec811e95d93 BGQEXfaXXUSNy+AvXw5Ntg.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:3724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-131-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1580-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1712-130-0x0000000000580000-0x00000000005A9000-memory.dmp

Filesize
164KB

Download
memory/1712-132-0x0000000000500000-0x0000000000509000-memory.dmp

Filesize
36KB

Download
memory/2432-134-0x0000000000BA0000-0x0000000000BB6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads