smokeloader | f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b

Analysis

max time kernel
150s
max time network
121s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
17-11-2022 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe
Size

163KB
MD5

7350dd116e35bf99e1d583f377f7e902
SHA1

b4465d8f92d89d72db03017e7967bdbe1da99e60
SHA256

f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b
SHA512

2c9bf321db5a83590cf5226d400d012a1a80271ed53b021aa8a80ff0096e62010ad47a117b1f28e3993e533b18b63da9983ab87cdfd7c4854184fde023039dfc
SSDEEP

3072:PjG40LroiYvot5pMtoi1Xtk3HDFzSrTWVYeuAnWFu+D:PkLE/vMMtosdkzFeyVD7nR

Score

10^/10

smokeloader systembc backdoor trojan

Malware Config

Extracted

Family

systembc

89.248.165.79:443

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2652-155-0x0000000000720000-0x0000000000729000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

FEE2.exeoovht.exe

pid process

4376 FEE2.exe
720 oovht.exe
Deletes itself 1 IoCs

Processes:

pid process

2056
Drops file in Windows directory 2 IoCs

Processes:

FEE2.exe

description ioc process

File created C:\Windows\Tasks\oovht.job FEE2.exe
File opened for modification C:\Windows\Tasks\oovht.job FEE2.exe

pid	process
4376	FEE2.exe
720	oovht.exe

pid	process
2056

description	ioc	process
File created	C:\Windows\Tasks\oovht.job	FEE2.exe
File opened for modification	C:\Windows\Tasks\oovht.job	FEE2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe

pid	process
2652	f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe
2652	f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2056
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe

pid process

2652 f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe

pid	process
2056

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 2056 wrote to memory of 4376	2056	FEE2.exe
PID 2056 wrote to memory of 4376	2056	FEE2.exe
PID 2056 wrote to memory of 4376	2056	FEE2.exe

C:\Users\Admin\AppData\Local\Temp\f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe
"C:\Users\Admin\AppData\Local\Temp\f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2652

C:\Users\Admin\AppData\Local\Temp\FEE2.exe
C:\Users\Admin\AppData\Local\Temp\FEE2.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4376

C:\ProgramData\ksncv\oovht.exe
C:\ProgramData\ksncv\oovht.exe start
1⤵
- Executes dropped EXE
PID:720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ksncv\oovht.exe

Filesize
163KB

MD5
ede4e0e4f4547b54a24a170161ae4542

SHA1
7b15b83ebd70c52302e0dea0dea0404026298713

SHA256
5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32

SHA512
d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4

Download Submit
C:\ProgramData\ksncv\oovht.exe

Filesize
163KB

MD5
ede4e0e4f4547b54a24a170161ae4542

SHA1
7b15b83ebd70c52302e0dea0dea0404026298713

SHA256
5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32

SHA512
d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEE2.exe

Filesize
163KB

MD5
ede4e0e4f4547b54a24a170161ae4542

SHA1
7b15b83ebd70c52302e0dea0dea0404026298713

SHA256
5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32

SHA512
d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEE2.exe

Filesize
163KB

MD5
ede4e0e4f4547b54a24a170161ae4542

SHA1
7b15b83ebd70c52302e0dea0dea0404026298713

SHA256
5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32

SHA512
d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4

Download Submit
memory/720-270-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/720-275-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/720-274-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/720-271-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/720-272-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-154-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/2652-120-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-128-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-129-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-125-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-130-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-123-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-131-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-133-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-134-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-132-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-136-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-137-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-138-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-139-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-140-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-141-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-143-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-142-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-144-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-146-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-150-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-152-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-153-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-151-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-149-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-148-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-147-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-145-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-155-0x0000000000720000-0x0000000000729000-memory.dmp

Filesize
36KB

Download
memory/2652-156-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-126-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-157-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-121-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-122-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-124-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-127-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-168-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-187-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-173-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-174-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-177-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-176-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-175-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-172-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-171-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-167-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-166-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-165-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-178-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-181-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-184-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-185-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-183-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-170-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-186-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-182-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-189-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-192-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-193-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-195-0x00000000007D6000-0x00000000007E7000-memory.dmp

Filesize
68KB

Download
memory/4376-197-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/4376-191-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-190-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-188-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-180-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-179-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-163-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-162-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-160-0x0000000000000000-mapping.dmp

Download
memory/4376-164-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-215-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4376-219-0x00000000007D6000-0x00000000007E7000-memory.dmp

Filesize
68KB

Download
memory/4376-220-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download