smokeloader | 9f6b8b8e7cdd07f6fa1a32840aeda503bfd5af6d238e9763ccb2015cea2d923b

Analysis

max time kernel
151s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 17:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

malware_smoke_320514046.exe
Size

3.2MB
MD5

bf0e21100030960c2645c7821463660b
SHA1

b9ede7edf5e120b93f6c6442f1b522e35ea9ad47
SHA256

9f6b8b8e7cdd07f6fa1a32840aeda503bfd5af6d238e9763ccb2015cea2d923b
SHA512

93f6b78032b823032d84d8117e722c6aefc224d7e925835adc6512f763fa5b741f35313ba72f17d02d5518c8c598069be4dd52c275198bfe1e74b47e2549d782
SSDEEP

49152:YePKD8aAjLWB1KlVq5zsFVqBrLAUj0nnTXV+V/x7Y:YePVBLdlGSYBrLAM0nTXV+

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/4100-135-0x0000000002520000-0x000000000252A000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	malware_smoke_320514046.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	malware_smoke_320514046.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	malware_smoke_320514046.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4100	malware_smoke_320514046.exe
4100	malware_smoke_320514046.exe
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found
2416	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2416	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4100	malware_smoke_320514046.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2416	Process not Found
Token: SeCreatePagefilePrivilege	2416	Process not Found
Token: SeShutdownPrivilege	2416	Process not Found
Token: SeCreatePagefilePrivilege	2416	Process not Found
Token: SeShutdownPrivilege	2416	Process not Found
Token: SeCreatePagefilePrivilege	2416	Process not Found
Token: SeShutdownPrivilege	2416	Process not Found
Token: SeCreatePagefilePrivilege	2416	Process not Found
Token: SeShutdownPrivilege	2416	Process not Found
Token: SeCreatePagefilePrivilege	2416	Process not Found
Token: SeShutdownPrivilege	2416	Process not Found
Token: SeCreatePagefilePrivilege	2416	Process not Found
Token: SeShutdownPrivilege	2416	Process not Found
Token: SeCreatePagefilePrivilege	2416	Process not Found
Token: SeShutdownPrivilege	2416	Process not Found
Token: SeCreatePagefilePrivilege	2416	Process not Found

C:\Users\Admin\AppData\Local\Temp\malware_smoke_320514046.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_320514046.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-173-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-174-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-139-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-140-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-142-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-141-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-143-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-144-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-145-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-175-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-147-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-148-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-149-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-150-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-151-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-152-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-153-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-154-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download
memory/2416-155-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2416-156-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2416-157-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2416-158-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2416-159-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2416-160-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2416-161-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-162-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-163-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-164-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-165-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-166-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-167-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-168-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-169-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-170-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-171-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-172-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-138-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-137-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-146-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-176-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-177-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-178-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2416-179-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2416-180-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2416-181-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2416-184-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2416-183-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2416-182-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2416-185-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2416-186-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-187-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-188-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-189-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-190-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-191-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-192-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-193-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-194-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-195-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-196-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-197-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-198-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-199-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-200-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-201-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-202-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2416-203-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2416-204-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/4100-132-0x0000000000400000-0x0000000000730000-memory.dmp

Filesize
3.2MB

Download
memory/4100-133-0x0000000004310000-0x00000000044C6000-memory.dmp

Filesize
1.7MB

Download
memory/4100-134-0x0000000000400000-0x0000000000730000-memory.dmp

Filesize
3.2MB

Download
memory/4100-135-0x0000000002520000-0x000000000252A000-memory.dmp

Filesize
40KB

Download
memory/4100-136-0x0000000000400000-0x0000000000730000-memory.dmp

Filesize
3.2MB

Download