smokeloader | 59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037

Analysis

max time kernel
152s
max time network
74s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037.exe
Size

340KB
MD5

367dd41dcc8e9cc5fc4fcfbc7789928a
SHA1

b0404a85759b3137b6e1964bbf086d3638820ea0
SHA256

59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037
SHA512

f7f4b3cf095ab2aa3ba6f218de9d3151e6a8637abc7ab41c6daf31b0c0ffa6c0839e241091f7a6be485dc87b4a90b22b868c359acd3c52f28db5edf50ac059d8
SSDEEP

6144:/nuljzpf0vFNR2QrqVYmf+Fe/pLX07ITsq:/nqzpf0vjrjEw7

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/3540-139-0x0000000002CB0000-0x0000000002CB9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 1 IoCs

pid	Process
1568	cvuicdr

Deletes itself 1 IoCs

pid	Process
2112	Process not Found

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cvuicdr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cvuicdr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cvuicdr

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037.exe
3540	59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037.exe
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found
2112	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2112	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3540	59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037.exe
1568	cvuicdr

C:\Users\Admin\AppData\Local\Temp\59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037.exe
"C:\Users\Admin\AppData\Local\Temp\59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3540

C:\Users\Admin\AppData\Roaming\cvuicdr
C:\Users\Admin\AppData\Roaming\cvuicdr
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cvuicdr

Filesize
340KB

MD5
367dd41dcc8e9cc5fc4fcfbc7789928a

SHA1
b0404a85759b3137b6e1964bbf086d3638820ea0

SHA256
59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037

SHA512
f7f4b3cf095ab2aa3ba6f218de9d3151e6a8637abc7ab41c6daf31b0c0ffa6c0839e241091f7a6be485dc87b4a90b22b868c359acd3c52f28db5edf50ac059d8

Download Submit
C:\Users\Admin\AppData\Roaming\cvuicdr

Filesize
340KB

MD5
367dd41dcc8e9cc5fc4fcfbc7789928a

SHA1
b0404a85759b3137b6e1964bbf086d3638820ea0

SHA256
59882f450d336a3e79d445838b533a8439aa9f2a826ceaf5d5b0a30b52630037

SHA512
f7f4b3cf095ab2aa3ba6f218de9d3151e6a8637abc7ab41c6daf31b0c0ffa6c0839e241091f7a6be485dc87b4a90b22b868c359acd3c52f28db5edf50ac059d8

Download Submit
memory/1568-181-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-171-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-191-0x0000000002FC1000-0x0000000002FD7000-memory.dmp

Filesize
88KB

Download
memory/1568-178-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-174-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-175-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-177-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-179-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-180-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-182-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-184-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-185-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-186-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-187-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-188-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-183-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-158-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-192-0x0000000002C50000-0x0000000002D9A000-memory.dmp

Filesize
1.3MB

Download
memory/1568-176-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-173-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-172-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-170-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-169-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-168-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-167-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-166-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-165-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-194-0x0000000000400000-0x0000000002C43000-memory.dmp

Filesize
40.3MB

Download
memory/1568-163-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-162-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-161-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-160-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-159-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/1568-193-0x0000000000400000-0x0000000002C43000-memory.dmp

Filesize
40.3MB

Download
memory/1568-157-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-137-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-155-0x0000000000400000-0x0000000002C43000-memory.dmp

Filesize
40.3MB

Download
memory/3540-154-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-153-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-152-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-151-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-150-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-149-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-148-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-147-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-146-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-144-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-145-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-143-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-142-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-141-0x0000000000400000-0x0000000002C43000-memory.dmp

Filesize
40.3MB

Download
memory/3540-140-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-139-0x0000000002CB0000-0x0000000002CB9000-memory.dmp

Filesize
36KB

Download
memory/3540-138-0x0000000002D00000-0x0000000002DAE000-memory.dmp

Filesize
696KB

Download
memory/3540-118-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-136-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-135-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-134-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-133-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-132-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-129-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-131-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-130-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-128-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-127-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-126-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-124-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-123-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-122-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-121-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-120-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-119-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download