smokeloader | 9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43

Analysis

max time kernel
150s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2022 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe
Size

332KB
MD5

664ce779de579b12f11ed6e4293f6b63
SHA1

4af3b6f9ab3fef2d00ad055ab82750dd39f83404
SHA256

9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43
SHA512

58b5626cdc8f00adfc41a8ceaa9ea1a841c2a7c3350c29a2a0620acc46b7d91df8dc1722e132423896b499be87e1ac5e50cfe6d23793ea9e78008407e2022f7e
SSDEEP

6144:9CMltB7VpK7DcFMr0+E7W148zZ+hp0fBa1Ew:A0t1fK7DfUVXhp0fQ1Ew

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3812-134-0x0000000000030000-0x0000000000039000-memory.dmp	family_smokeloader
behavioral1/memory/3812-136-0x0000000000030000-0x0000000000039000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe

pid	process
3812	9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe
3812	9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2528
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe

pid process

3812 9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe

pid	process
2528

C:\Users\Admin\AppData\Local\Temp\9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe
"C:\Users\Admin\AppData\Local\Temp\9eb4c567819158702a3e34623a7d043d48dd5e83628f2f18b46ddbf6a9c1cf43.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3812-133-0x0000000000860000-0x0000000000960000-memory.dmp

Filesize
1024KB

Download
memory/3812-134-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3812-135-0x0000000000400000-0x0000000000857000-memory.dmp

Filesize
4.3MB

Download
memory/3812-136-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3812-137-0x0000000000400000-0x0000000000857000-memory.dmp

Filesize
4.3MB

Download