smokeloader | 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4

General

Target

39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe
Size

2.4MB
MD5

3d7c637e0e04b7f9e10414c227a2f102
SHA1

08e66ae0af9b16775fe9b614e2ed864934b74b2b
SHA256

39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4
SHA512

6e74ddf4e7e16e00bc8e60bf09ebbd9a0d29475c2cf20dafd8c7d5a82b1b3cb0083667a8b0de015f0eb88e8a46fced28856a315a7053a725b4dea9b528665373

Score

10^/10

smokeloader xmrig backdoor miner trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://converadm.bit/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 10 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1337\cpu.exe	xmrig
C:\Users\Admin\AppData\Roaming\1337\cpu.exe	xmrig
behavioral2/memory/3068-140-0x0000000000C10000-0x00000000010DD000-memory.dmp	xmrig
behavioral2/memory/3068-145-0x0000000000C10000-0x00000000010DD000-memory.dmp	xmrig
behavioral2/memory/3068-147-0x0000000000C10000-0x00000000010DD000-memory.dmp	xmrig
C:\ProgramData\cpsvchost.exe	xmrig
C:\ProgramData\cpsvchost.exe	xmrig
behavioral2/memory/2004-150-0x0000000000BC0000-0x000000000108D000-memory.dmp	xmrig
behavioral2/memory/2004-153-0x0000000000BC0000-0x000000000108D000-memory.dmp	xmrig
behavioral2/memory/2004-155-0x0000000000BC0000-0x000000000108D000-memory.dmp	xmrig

Executes dropped EXE 4 IoCs

Processes:

cpu.exeloder0.exeloder0.execpsvchost.exe

pid process

3068 cpu.exe
2696 loder0.exe
2536 loder0.exe
2004 cpsvchost.exe

pid	process
3068	cpu.exe
2696	loder0.exe
2536	loder0.exe
2004	cpsvchost.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1337\cpu.exe	vmprotect
C:\Users\Admin\AppData\Roaming\1337\cpu.exe	vmprotect
behavioral2/memory/3068-140-0x0000000000C10000-0x00000000010DD000-memory.dmp	vmprotect
behavioral2/memory/3068-145-0x0000000000C10000-0x00000000010DD000-memory.dmp	vmprotect
behavioral2/memory/3068-147-0x0000000000C10000-0x00000000010DD000-memory.dmp	vmprotect
C:\ProgramData\cpsvchost.exe	vmprotect
C:\ProgramData\cpsvchost.exe	vmprotect
behavioral2/memory/2004-150-0x0000000000BC0000-0x000000000108D000-memory.dmp	vmprotect
behavioral2/memory/2004-153-0x0000000000BC0000-0x000000000108D000-memory.dmp	vmprotect
behavioral2/memory/2004-155-0x0000000000BC0000-0x000000000108D000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.execpu.execpsvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cpu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cpsvchost.exe

Loads dropped DLL 1 IoCs

Processes:

39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe

pid process

1896 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe

pid	process
1896	39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

loder0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	loder0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	loder0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

loder0.exe

pid process

2696 loder0.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

loder0.exe

description pid process target process

PID 2696 set thread context of 2536 2696 loder0.exe loder0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4224 schtasks.exe
1312 schtasks.exe

description	pid	process	target process
PID 2696 set thread context of 2536	2696	loder0.exe	loder0.exe

pid	process
4224	schtasks.exe
1312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

loder0.execpu.execpsvchost.exe

pid	process
2696	loder0.exe
2696	loder0.exe
3068	cpu.exe
3068	cpu.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe
2004	cpsvchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

loder0.exe

pid process

2536 loder0.exe
2536 loder0.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cpsvchost.exe

description pid process

Token: SeLockMemoryPrivilege 2004 cpsvchost.exe
Token: SeLockMemoryPrivilege 2004 cpsvchost.exe

pid	process
2536	loder0.exe
2536	loder0.exe

description	pid	process
Token: SeLockMemoryPrivilege	2004	cpsvchost.exe
Token: SeLockMemoryPrivilege	2004	cpsvchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exeloder0.execpu.execpsvchost.exe

description	pid	process	target process
PID 1896 wrote to memory of 3068	1896	39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe	cpu.exe
PID 1896 wrote to memory of 3068	1896	39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe	cpu.exe
PID 1896 wrote to memory of 3068	1896	39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe	cpu.exe
PID 1896 wrote to memory of 2696	1896	39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe	loder0.exe
PID 1896 wrote to memory of 2696	1896	39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe	loder0.exe
PID 1896 wrote to memory of 2696	1896	39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe	loder0.exe
PID 2696 wrote to memory of 2536	2696	loder0.exe	loder0.exe
PID 2696 wrote to memory of 2536	2696	loder0.exe	loder0.exe
PID 2696 wrote to memory of 2536	2696	loder0.exe	loder0.exe
PID 2696 wrote to memory of 2536	2696	loder0.exe	loder0.exe
PID 2696 wrote to memory of 2536	2696	loder0.exe	loder0.exe
PID 2696 wrote to memory of 2536	2696	loder0.exe	loder0.exe
PID 3068 wrote to memory of 4224	3068	cpu.exe	schtasks.exe
PID 3068 wrote to memory of 4224	3068	cpu.exe	schtasks.exe
PID 3068 wrote to memory of 4224	3068	cpu.exe	schtasks.exe
PID 2004 wrote to memory of 1312	2004	cpsvchost.exe	schtasks.exe
PID 2004 wrote to memory of 1312	2004	cpsvchost.exe	schtasks.exe
PID 2004 wrote to memory of 1312	2004	cpsvchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe
"C:\Users\Admin\AppData\Local\Temp\39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Roaming\1337\cpu.exe
"C:\Users\Admin\AppData\Roaming\1337\cpu.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN System\WindowsDefender /TR C:\ProgramData\cpsvchost.exe /F
3⤵
- Creates scheduled task(s)
PID:4224

C:\Users\Admin\AppData\Roaming\1337\loder0.exe
"C:\Users\Admin\AppData\Roaming\1337\loder0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Roaming\1337\loder0.exe
"C:\Users\Admin\AppData\Roaming\1337\loder0.exe"
3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:2536

C:\ProgramData\cpsvchost.exe
C:\ProgramData\cpsvchost.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN System\WindowsDefender /TR C:\ProgramData\cpsvchost.exe /F
2⤵
- Creates scheduled task(s)
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cpsvchost.exe
Filesize
2.3MB

MD5
38f70ac1cf4072da6e340dc50012596c

SHA1
180dcd4b8d02db621886ccb7f038635341d545c7

SHA256
af647f7792cc76974d8016eb25b303c41281f166c29af268a2fb5d6c9af409cd

SHA512
30af5f95ed4f43d470046b311cb5057455c3ad515dcb93f72323be55d0250629ba42629e2937c16fc08c5bd51de79d222a14edc9b9de5e6fbbf3a0531e1136d6

Download Submit
C:\ProgramData\cpsvchost.exe
Filesize
2.3MB

MD5
38f70ac1cf4072da6e340dc50012596c

SHA1
180dcd4b8d02db621886ccb7f038635341d545c7

SHA256
af647f7792cc76974d8016eb25b303c41281f166c29af268a2fb5d6c9af409cd

SHA512
30af5f95ed4f43d470046b311cb5057455c3ad515dcb93f72323be55d0250629ba42629e2937c16fc08c5bd51de79d222a14edc9b9de5e6fbbf3a0531e1136d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuA09C.tmp\System.dll
Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Users\Admin\AppData\Roaming\1337\cpu.exe
Filesize
2.3MB

MD5
38f70ac1cf4072da6e340dc50012596c

SHA1
180dcd4b8d02db621886ccb7f038635341d545c7

SHA256
af647f7792cc76974d8016eb25b303c41281f166c29af268a2fb5d6c9af409cd

SHA512
30af5f95ed4f43d470046b311cb5057455c3ad515dcb93f72323be55d0250629ba42629e2937c16fc08c5bd51de79d222a14edc9b9de5e6fbbf3a0531e1136d6

Download Submit
C:\Users\Admin\AppData\Roaming\1337\cpu.exe
Filesize
2.3MB

MD5
38f70ac1cf4072da6e340dc50012596c

SHA1
180dcd4b8d02db621886ccb7f038635341d545c7

SHA256
af647f7792cc76974d8016eb25b303c41281f166c29af268a2fb5d6c9af409cd

SHA512
30af5f95ed4f43d470046b311cb5057455c3ad515dcb93f72323be55d0250629ba42629e2937c16fc08c5bd51de79d222a14edc9b9de5e6fbbf3a0531e1136d6

Download Submit
C:\Users\Admin\AppData\Roaming\1337\loder0.exe
Filesize
177KB

MD5
fd79a8140fdf8ff8946ca44767d79e0b

SHA1
b9496b801c0e7f306ce4e56846a028a0403089ac

SHA256
7c453968a71c194077b12cb30a000c93e6dbb18dc35dce842190170c1119dd73

SHA512
16a0a3c98bdf4690d7257e4f52c2c74ff727d59a4c0fa4552de8937e135bf08395d39938eadc8f9a8ea7da2154fcadbd7137be82a29dd777068817932e25ce90

Download Submit
C:\Users\Admin\AppData\Roaming\1337\loder0.exe
Filesize
177KB

MD5
fd79a8140fdf8ff8946ca44767d79e0b

SHA1
b9496b801c0e7f306ce4e56846a028a0403089ac

SHA256
7c453968a71c194077b12cb30a000c93e6dbb18dc35dce842190170c1119dd73

SHA512
16a0a3c98bdf4690d7257e4f52c2c74ff727d59a4c0fa4552de8937e135bf08395d39938eadc8f9a8ea7da2154fcadbd7137be82a29dd777068817932e25ce90

Download Submit
C:\Users\Admin\AppData\Roaming\1337\loder0.exe
Filesize
177KB

MD5
fd79a8140fdf8ff8946ca44767d79e0b

SHA1
b9496b801c0e7f306ce4e56846a028a0403089ac

SHA256
7c453968a71c194077b12cb30a000c93e6dbb18dc35dce842190170c1119dd73

SHA512
16a0a3c98bdf4690d7257e4f52c2c74ff727d59a4c0fa4552de8937e135bf08395d39938eadc8f9a8ea7da2154fcadbd7137be82a29dd777068817932e25ce90

Download Submit
memory/1312-154-0x0000000000000000-mapping.dmp

Download
memory/2004-153-0x0000000000BC0000-0x000000000108D000-memory.dmp

Filesize
4.8MB

Download
memory/2004-150-0x0000000000BC0000-0x000000000108D000-memory.dmp

Filesize
4.8MB

Download
memory/2004-155-0x0000000000BC0000-0x000000000108D000-memory.dmp

Filesize
4.8MB

Download
memory/2536-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2536-137-0x0000000000000000-mapping.dmp

Download
memory/2536-143-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2696-134-0x0000000000000000-mapping.dmp

Download
memory/3068-140-0x0000000000C10000-0x00000000010DD000-memory.dmp

Filesize
4.8MB

Download
memory/3068-147-0x0000000000C10000-0x00000000010DD000-memory.dmp

Filesize
4.8MB

Download
memory/3068-145-0x0000000000C10000-0x00000000010DD000-memory.dmp

Filesize
4.8MB

Download
memory/3068-131-0x0000000000000000-mapping.dmp

Download
memory/3172-144-0x0000000001350000-0x0000000001365000-memory.dmp

Filesize
84KB

Download
memory/4224-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads