smokeloader | 1bc77d71c5c8030ff0a59f02a18cbe036682f100490106bd78b6fe4a470076e1

Analysis

max time kernel
174s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a7dce505e0b3c2986f1b895c401c1f4.exe
Size

300KB
MD5

6a7dce505e0b3c2986f1b895c401c1f4
SHA1

bf2b8f824b1d3e790d9ee17f6f91fbec1720dfbc
SHA256

1bc77d71c5c8030ff0a59f02a18cbe036682f100490106bd78b6fe4a470076e1
SHA512

a2651e12f90ddefee1230ba7c2b454912d973654ab3ac64fd92ef7923f9b59e971af20fafb33498658a8f357c37ace37716801c16c58b1f49e8408ea559e387a
SSDEEP

6144:3S8scbJ3k4mIFrTJaHRBXb3J1eigavwVf:3WcBk4FHJaHPb51T

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/1688-133-0x00000000006A0000-0x00000000006A9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4992	4963.exe
3936	4CA0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6a7dce505e0b3c2986f1b895c401c1f4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6a7dce505e0b3c2986f1b895c401c1f4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6a7dce505e0b3c2986f1b895c401c1f4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	6a7dce505e0b3c2986f1b895c401c1f4.exe
1688	6a7dce505e0b3c2986f1b895c401c1f4.exe
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2204	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1688	6a7dce505e0b3c2986f1b895c401c1f4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 4992	2204	Process not Found	90
PID 2204 wrote to memory of 4992	2204	Process not Found	90
PID 2204 wrote to memory of 4992	2204	Process not Found	90
PID 2204 wrote to memory of 3936	2204	Process not Found	91
PID 2204 wrote to memory of 3936	2204	Process not Found	91
PID 2204 wrote to memory of 3936	2204	Process not Found	91

C:\Users\Admin\AppData\Local\Temp\6a7dce505e0b3c2986f1b895c401c1f4.exe
"C:\Users\Admin\AppData\Local\Temp\6a7dce505e0b3c2986f1b895c401c1f4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1688

C:\Users\Admin\AppData\Local\Temp\4963.exe
C:\Users\Admin\AppData\Local\Temp\4963.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Users\Admin\AppData\Local\Temp\4CA0.exe
C:\Users\Admin\AppData\Local\Temp\4CA0.exe
1⤵
- Executes dropped EXE
PID:3936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4963.exe

Filesize
766KB

MD5
4442123bc9e93e314f0eb444adf258f0

SHA1
ff0c60ef09499662a3607d8887ae21d4232446d3

SHA256
adfcc3d526381c7c2fe99e2db561fa91de1591188aea020b08a90e6733209f05

SHA512
7c5af88cfea196e7f4203b4c6a0379e58ae323ef4e879831258fabffba3fefce1363d57d9f075119779becebb3444528fd74e9fc8788774468c1af044f9f5dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4963.exe

Filesize
766KB

MD5
4442123bc9e93e314f0eb444adf258f0

SHA1
ff0c60ef09499662a3607d8887ae21d4232446d3

SHA256
adfcc3d526381c7c2fe99e2db561fa91de1591188aea020b08a90e6733209f05

SHA512
7c5af88cfea196e7f4203b4c6a0379e58ae323ef4e879831258fabffba3fefce1363d57d9f075119779becebb3444528fd74e9fc8788774468c1af044f9f5dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CA0.exe

Filesize
703KB

MD5
1ae1cabb5d6d98e32e779f1e866cd553

SHA1
566d2e85d6466ce6b2568ca4db484362a5f8ba54

SHA256
208ab84f20b1cb00245df65d3a8873fa14f75a567053777c8413e3e10c335ca2

SHA512
fb1c825fa51750a737c35b24badd1f2919c4e2e9317d84d86e8029fc76f77898e6d6ab8af2851abbdd7de741c78c71889dec5928b0cfb79eb68b5f1bf0f3d7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CA0.exe

Filesize
703KB

MD5
1ae1cabb5d6d98e32e779f1e866cd553

SHA1
566d2e85d6466ce6b2568ca4db484362a5f8ba54

SHA256
208ab84f20b1cb00245df65d3a8873fa14f75a567053777c8413e3e10c335ca2

SHA512
fb1c825fa51750a737c35b24badd1f2919c4e2e9317d84d86e8029fc76f77898e6d6ab8af2851abbdd7de741c78c71889dec5928b0cfb79eb68b5f1bf0f3d7ba

Download Submit
memory/1688-134-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1688-133-0x00000000006A0000-0x00000000006A9000-memory.dmp

Filesize
36KB

Download
memory/1688-132-0x000000000076E000-0x000000000077E000-memory.dmp

Filesize
64KB

Download
memory/1688-135-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download