smokeloader | ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f

General

Target

ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
Size

166KB
MD5

ae41e8e98cd8ba4856f463ffc4ee1d50
SHA1

61c9952e0596efd1a49461c9f9dc761618e37ec4
SHA256

ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f
SHA512

d38715d96b11d8cedad0a44fdecf981b251922be9ecc420d332153c1afc0eec4ca566de6f6ba04c21fc67006e56bc76950e7fd9321c0a648201fe51a92ce7789

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://extraterrestrial.is/

http://extraterrestrial5.ru/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Loads dropped DLL 3 IoCs

Processes:

ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe

pid	process
1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe

description	pid	process	target process
PID 1972 set thread context of 1632	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe

pid	process
1632	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
1632	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe

description	pid	process	target process
PID 1972 wrote to memory of 1288	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	msiexec.exe
PID 1972 wrote to memory of 1288	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	msiexec.exe
PID 1972 wrote to memory of 1288	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	msiexec.exe
PID 1972 wrote to memory of 1288	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	msiexec.exe
PID 1972 wrote to memory of 1288	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	msiexec.exe
PID 1972 wrote to memory of 1288	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	msiexec.exe
PID 1972 wrote to memory of 1288	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	msiexec.exe
PID 1972 wrote to memory of 1288	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	msiexec.exe
PID 1972 wrote to memory of 1288	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	msiexec.exe
PID 1972 wrote to memory of 1632	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
PID 1972 wrote to memory of 1632	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
PID 1972 wrote to memory of 1632	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
PID 1972 wrote to memory of 1632	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
PID 1972 wrote to memory of 1632	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
PID 1972 wrote to memory of 1632	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
PID 1972 wrote to memory of 1632	1972	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe	ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe

C:\Users\Admin\AppData\Local\Temp\ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
"C:\Users\Admin\AppData\Local\Temp\ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
2⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe
"C:\Users\Admin\AppData\Local\Temp\ff3a2f36acd2e6ac2ff9d8fbca3689da2260b52fb46acc2b116a74f996a7038f.exe"
2⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
PID:1632

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Ghent.dll
Filesize
84KB

MD5
55fb5ff13bfec05b9ba0e67623b6c9f7

SHA1
3c58aa8e194bbd9e2479e73593415c1445e40c65

SHA256
3902de203c08c70947946c411bef512714b4b6c4f36c8bb123f0ad82d3180196

SHA512
c192d949880bfc39a4e87e7462acee53ec10d6ecd7ab0694a169847d8a3b52ab853f56dc7306a4bb9e7b62a4ba01ed5dbde3478b0b200a3b35e47abda550b1bf

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD1D.tmp\System.dll
Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD1D.tmp\System.dll
Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/1288-59-0x0000000000000000-mapping.dmp

Download
memory/1292-68-0x00000000021B0000-0x00000000021C5000-memory.dmp

Filesize
84KB

Download
memory/1632-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1632-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1632-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1632-65-0x0000000000402995-mapping.dmp

Download
memory/1632-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1972-54-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/1972-58-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads