smokeloader | 1099f00401095f8046173ee1839268113ed560c0fa378854589c09ebf56d77b2

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe
Size

163KB
MD5

b4d551e1ae248fd9bbf157e5c8b9a1a9
SHA1

adf99319734136d0c619dcbb089fa4d4743ae239
SHA256

1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453
SHA512

584fca9677747ccde53d82faca59938a5f353671eca9248f711e93b29852b8aa952ae6fc055107a4a1fc2c9e95bfa1f8adb1d4b38888c2a3bc09e29e189c741e
SSDEEP

3072:Eakj1CJOHiPNYH5vuncNz5X2LMTXMmg8cmoxJ/1T:ERCe4Npyz5X2LpmgvmoJ/

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1516-56-0x0000000000230000-0x0000000000239000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe

pid	process
1516	1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe
1516	1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1244
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe

pid process

1516 1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe

pid	process
1244

C:\Users\Admin\AppData\Local\Temp\1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe
"C:\Users\Admin\AppData\Local\Temp\1339d8437b13ceca77e24912f9c3fe11e30b32f71bc7da03c4f86a4c8a218453.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1244-59-0x000007FEF5E20000-0x000007FEF5F63000-memory.dmp

Filesize
1.3MB

Download
memory/1244-60-0x000007FE79810000-0x000007FE7981A000-memory.dmp

Filesize
40KB

Download
memory/1516-54-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download
memory/1516-55-0x000000000071B000-0x000000000072C000-memory.dmp

Filesize
68KB

Download
memory/1516-56-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1516-57-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1516-58-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download