smokeloader | 300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d

Analysis

max time kernel
90s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-06-2022 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe
Size

179KB
MD5

af843cad937791516ea04407b100310f
SHA1

fd4b6afd1311e6a446203a6556058ac05bdc43b9
SHA256

300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d
SHA512

fef565f45546637886e387c76a175b934c106bc80a8c9056904928dc2bf92723644df19266162ca7a5371730718b35de033bf5ca85ed8efc699bbd920f0c0e0c

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2018

http://lzlgoy4b17sy5.com/

http://5y6gv872eh9ez.com/

http://w0w9xdwez8dp8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe

pid	process
4256	300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe
4256	300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe

C:\Users\Admin\AppData\Local\Temp\300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe
"C:\Users\Admin\AppData\Local\Temp\300053394cc7d34e29c4d7a21b0d401bb5194d16a0e0d0eefa3d7f697d83932d.exe"
1⤵
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2812-133-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/4256-130-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4256-131-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4256-132-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download