smokeloader | 7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f

General

Target

7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe
Size

145KB
MD5

4102ef39f1a8cf2fea949454582cf44e
SHA1

07bc1d5d7e7ce2cd5fab221cddf2f5ddea26ba9c
SHA256

7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f
SHA512

30b622e67fa0e1674b27e6d2d2fe3951a25f2d3283ba860deede7437e32419cd73d55e2d2a9977e58844a0588ddd0ec6b16d147c0dadb92a36f0e358981487c2
SSDEEP

3072:kbZY1phfezV6ieQ+a6tD8xlFdUkIuGptO:cmK5Ahs1yPt

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1960-133-0x0000000002170000-0x0000000002179000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

2FBB.exe3634.exe4306.exe

pid process

3056 2FBB.exe
1440 3634.exe
3184 4306.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3056	2FBB.exe
1440	3634.exe
3184	4306.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe

pid	process
1960	7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe
1960	7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

372
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe

pid process

1960 7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372
372

pid	process
372

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372
Token: SeShutdownPrivilege	372
Token: SeCreatePagefilePrivilege	372

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

description	pid	target process
PID 372 wrote to memory of 3056	372	2FBB.exe
PID 372 wrote to memory of 3056	372	2FBB.exe
PID 372 wrote to memory of 3056	372	2FBB.exe
PID 372 wrote to memory of 1440	372	3634.exe
PID 372 wrote to memory of 1440	372	3634.exe
PID 372 wrote to memory of 1440	372	3634.exe
PID 372 wrote to memory of 3184	372	4306.exe
PID 372 wrote to memory of 3184	372	4306.exe
PID 372 wrote to memory of 3184	372	4306.exe
PID 372 wrote to memory of 4712	372	explorer.exe
PID 372 wrote to memory of 4712	372	explorer.exe
PID 372 wrote to memory of 4712	372	explorer.exe
PID 372 wrote to memory of 4712	372	explorer.exe
PID 372 wrote to memory of 2412	372	explorer.exe
PID 372 wrote to memory of 2412	372	explorer.exe
PID 372 wrote to memory of 2412	372	explorer.exe
PID 372 wrote to memory of 5012	372	explorer.exe
PID 372 wrote to memory of 5012	372	explorer.exe
PID 372 wrote to memory of 5012	372	explorer.exe
PID 372 wrote to memory of 5012	372	explorer.exe
PID 372 wrote to memory of 716	372	explorer.exe
PID 372 wrote to memory of 716	372	explorer.exe
PID 372 wrote to memory of 716	372	explorer.exe
PID 372 wrote to memory of 2068	372	explorer.exe
PID 372 wrote to memory of 2068	372	explorer.exe
PID 372 wrote to memory of 2068	372	explorer.exe
PID 372 wrote to memory of 2068	372	explorer.exe
PID 372 wrote to memory of 2000	372	explorer.exe
PID 372 wrote to memory of 2000	372	explorer.exe
PID 372 wrote to memory of 2000	372	explorer.exe
PID 372 wrote to memory of 2000	372	explorer.exe
PID 372 wrote to memory of 1148	372	explorer.exe
PID 372 wrote to memory of 1148	372	explorer.exe
PID 372 wrote to memory of 1148	372	explorer.exe
PID 372 wrote to memory of 1148	372	explorer.exe
PID 372 wrote to memory of 3248	372	explorer.exe
PID 372 wrote to memory of 3248	372	explorer.exe
PID 372 wrote to memory of 3248	372	explorer.exe
PID 372 wrote to memory of 4732	372	explorer.exe
PID 372 wrote to memory of 4732	372	explorer.exe
PID 372 wrote to memory of 4732	372	explorer.exe
PID 372 wrote to memory of 4732	372	explorer.exe

C:\Users\Admin\AppData\Local\Temp\7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe
"C:\Users\Admin\AppData\Local\Temp\7eb4d64a7d16f78d7cc76d68a709cb08a3b78cfa865ef19aa6a16a78183f850f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1960

C:\Users\Admin\AppData\Local\Temp\2FBB.exe
C:\Users\Admin\AppData\Local\Temp\2FBB.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Users\Admin\AppData\Local\Temp\3634.exe
C:\Users\Admin\AppData\Local\Temp\3634.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Users\Admin\AppData\Local\Temp\4306.exe
C:\Users\Admin\AppData\Local\Temp\4306.exe
1⤵
- Executes dropped EXE
PID:3184

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4712

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5012

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2068

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2000

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1148

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2FBB.exe
Filesize
316KB

MD5
27cdcc66310e8a239ef822684833efd2

SHA1
7f3e3055ba30047819094b0121b316d9364e2707

SHA256
07c94a43d67cc347c043105b104a8ccc57eb97f7ffe4f5114ea6c13dcf07aba2

SHA512
6b0e4811dba1fd6afab3a074da9a440bd318f5eb74ab48cb8d57913c410115e6811f51dc5f3bd04240821dcee84db772accf3af858ab0db18e6dcd9ef2de9a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\2FBB.exe
Filesize
316KB

MD5
27cdcc66310e8a239ef822684833efd2

SHA1
7f3e3055ba30047819094b0121b316d9364e2707

SHA256
07c94a43d67cc347c043105b104a8ccc57eb97f7ffe4f5114ea6c13dcf07aba2

SHA512
6b0e4811dba1fd6afab3a074da9a440bd318f5eb74ab48cb8d57913c410115e6811f51dc5f3bd04240821dcee84db772accf3af858ab0db18e6dcd9ef2de9a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\3634.exe
Filesize
363KB

MD5
e292a6cbeb112872c04796311b52ae30

SHA1
8ecefecab9231e42429a33256f5db84eff302948

SHA256
39c4fa10490d1f6e5f909786dee9ab0d8e8eb79bb04a9c541d2209224367ad16

SHA512
c506b3c796d99f8fb3e70d36596720bd1a6328a653c77769e20cbb358da122e576d72518508f63217e80985eb9abaa79abaa681312e9100445e391828029577e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3634.exe
Filesize
363KB

MD5
e292a6cbeb112872c04796311b52ae30

SHA1
8ecefecab9231e42429a33256f5db84eff302948

SHA256
39c4fa10490d1f6e5f909786dee9ab0d8e8eb79bb04a9c541d2209224367ad16

SHA512
c506b3c796d99f8fb3e70d36596720bd1a6328a653c77769e20cbb358da122e576d72518508f63217e80985eb9abaa79abaa681312e9100445e391828029577e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4306.exe
Filesize
363KB

MD5
ad170ecbf3579649162c3cb67d398672

SHA1
838306ef60ae4286030be9b395c866abd0c8ff47

SHA256
5e924125ff6aeb76684f4fb7f578c6d9278b243ed18e9a9eff8b2b28045ec5a5

SHA512
83a5511b668f49d4361a4a9dd5c8944c6395504f8f31c3a0ab94a9ea1d75d4b17c72c433c53d73cd9dfbb641c34b2741ef15474bacc7c6728e889511ffafc185

Download Submit
C:\Users\Admin\AppData\Local\Temp\4306.exe
Filesize
363KB

MD5
ad170ecbf3579649162c3cb67d398672

SHA1
838306ef60ae4286030be9b395c866abd0c8ff47

SHA256
5e924125ff6aeb76684f4fb7f578c6d9278b243ed18e9a9eff8b2b28045ec5a5

SHA512
83a5511b668f49d4361a4a9dd5c8944c6395504f8f31c3a0ab94a9ea1d75d4b17c72c433c53d73cd9dfbb641c34b2741ef15474bacc7c6728e889511ffafc185

Download Submit
memory/716-156-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/716-175-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/716-155-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/716-154-0x0000000000000000-mapping.dmp

Download
memory/1148-178-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/1148-163-0x0000000000000000-mapping.dmp

Download
memory/1148-164-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/1148-165-0x0000000000F60000-0x0000000000F6B000-memory.dmp

Filesize
44KB

Download
memory/1440-139-0x0000000000000000-mapping.dmp

Download
memory/1960-133-0x0000000002170000-0x0000000002179000-memory.dmp

Filesize
36KB

Download
memory/1960-132-0x00000000005DD000-0x00000000005ED000-memory.dmp

Filesize
64KB

Download
memory/1960-135-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1960-134-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2000-162-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/2000-161-0x0000000000190000-0x0000000000195000-memory.dmp

Filesize
20KB

Download
memory/2000-160-0x0000000000000000-mapping.dmp

Download
memory/2000-177-0x0000000000190000-0x0000000000195000-memory.dmp

Filesize
20KB

Download
memory/2068-176-0x0000000000660000-0x0000000000682000-memory.dmp

Filesize
136KB

Download
memory/2068-159-0x0000000000630000-0x0000000000657000-memory.dmp

Filesize
156KB

Download
memory/2068-157-0x0000000000000000-mapping.dmp

Download
memory/2068-158-0x0000000000660000-0x0000000000682000-memory.dmp

Filesize
136KB

Download
memory/2412-149-0x0000000000F70000-0x0000000000F79000-memory.dmp

Filesize
36KB

Download
memory/2412-150-0x0000000000F60000-0x0000000000F6F000-memory.dmp

Filesize
60KB

Download
memory/2412-146-0x0000000000000000-mapping.dmp

Download
memory/2412-173-0x0000000000F70000-0x0000000000F79000-memory.dmp

Filesize
36KB

Download
memory/3056-136-0x0000000000000000-mapping.dmp

Download
memory/3184-142-0x0000000000000000-mapping.dmp

Download
memory/3248-168-0x00000000009E0000-0x00000000009ED000-memory.dmp

Filesize
52KB

Download
memory/3248-166-0x0000000000000000-mapping.dmp

Download
memory/3248-167-0x00000000009F0000-0x00000000009F7000-memory.dmp

Filesize
28KB

Download
memory/4712-147-0x0000000000F90000-0x0000000000F97000-memory.dmp

Filesize
28KB

Download
memory/4712-172-0x0000000000F90000-0x0000000000F97000-memory.dmp

Filesize
28KB

Download
memory/4712-148-0x0000000000F80000-0x0000000000F8B000-memory.dmp

Filesize
44KB

Download
memory/4712-145-0x0000000000000000-mapping.dmp

Download
memory/4732-169-0x0000000000000000-mapping.dmp

Download
memory/4732-170-0x0000000000F70000-0x0000000000F78000-memory.dmp

Filesize
32KB

Download
memory/4732-171-0x0000000000F60000-0x0000000000F6B000-memory.dmp

Filesize
44KB

Download
memory/4732-179-0x0000000000F70000-0x0000000000F78000-memory.dmp

Filesize
32KB

Download
memory/5012-153-0x00000000007E0000-0x00000000007E9000-memory.dmp

Filesize
36KB

Download
memory/5012-174-0x00000000007F0000-0x00000000007F5000-memory.dmp

Filesize
20KB

Download
memory/5012-151-0x0000000000000000-mapping.dmp

Download
memory/5012-152-0x00000000007F0000-0x00000000007F5000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads