smokeloader | 2bffd5b400289f8b921a8f338e4603f3d373d24dc61ecb085f02ed573b99983d

General

Target

file.exe
Size

187KB
MD5

d50151680615c2bcd433c1e60e41056e
SHA1

ebb801bbf3d49670d485c6fd5e7aff568aa090a4
SHA256

2bffd5b400289f8b921a8f338e4603f3d373d24dc61ecb085f02ed573b99983d
SHA512

c1985931d97325e4ad219a572da8e33f14ab74f9b8e482c3718f203542c2d2c21a23c5d32a9cfece9ca37d049ffdd27307e1f7d312b5639926f23b7527e20636
SSDEEP

3072:hEKdQd8soLGUiWZwvj5EWUaQrZ/bcm8uiROpZhqG6tzrsj/:1d1LGUiS1raMtb2ui0Z0tzq

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4936-133-0x0000000002980000-0x0000000002989000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

107 3900 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

35C1.exe

pid process

4060 35C1.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3900 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3900 set thread context of 3420 3900 rundll32.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2220 4060 WerFault.exe 35C1.exe

flow	pid	process
107	3900	rundll32.exe

pid	process
4060	35C1.exe

pid	process
3900	rundll32.exe

description	pid	process	target process
PID 3900 set thread context of 3420	3900	rundll32.exe	rundll32.exe

pid	pid_target	process	target process
2220	4060	WerFault.exe	35C1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4936	file.exe
4936	file.exe
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732
2732

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2732
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

4936 file.exe

pid	process
2732

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2732
Token: SeCreatePagefilePrivilege	2732
Token: SeShutdownPrivilege	2732
Token: SeCreatePagefilePrivilege	2732
Token: SeShutdownPrivilege	2732
Token: SeCreatePagefilePrivilege	2732
Token: SeShutdownPrivilege	2732
Token: SeCreatePagefilePrivilege	2732
Token: SeShutdownPrivilege	2732
Token: SeCreatePagefilePrivilege	2732
Token: SeShutdownPrivilege	2732
Token: SeCreatePagefilePrivilege	2732
Token: SeShutdownPrivilege	2732
Token: SeCreatePagefilePrivilege	2732

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

2732
2732

pid	process
2732
2732

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

35C1.exerundll32.exe

description	pid	process	target process
PID 2732 wrote to memory of 4060	2732		35C1.exe
PID 2732 wrote to memory of 4060	2732		35C1.exe
PID 2732 wrote to memory of 4060	2732		35C1.exe
PID 4060 wrote to memory of 3900	4060	35C1.exe	rundll32.exe
PID 4060 wrote to memory of 3900	4060	35C1.exe	rundll32.exe
PID 4060 wrote to memory of 3900	4060	35C1.exe	rundll32.exe
PID 3900 wrote to memory of 3420	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 3420	3900	rundll32.exe	rundll32.exe
PID 3900 wrote to memory of 3420	3900	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4936

C:\Users\Admin\AppData\Local\Temp\35C1.exe
C:\Users\Admin\AppData\Local\Temp\35C1.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp",Rrptfe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14198
3⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 540
2⤵
- Program crash
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4060 -ip 4060
1⤵
PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35C1.exe

Filesize
1.0MB

MD5
06eb56951a589d42acf83aa7f03f42eb

SHA1
2919c57b6ed1aedb5af94183c61cf1b73c073462

SHA256
707ff527e6415a6da0bd08c3c1af3af7e2732e29ef994490cc77eee9b4b4eebd

SHA512
de8dc09da4b584422bdbc33b8a957f917382adf5206f178c0f976de7c4ef2d21dce886f438be1a8ec0be3f7cc9d0def0484a23c006e2661d5b2c6c953351a180

Download Submit
C:\Users\Admin\AppData\Local\Temp\35C1.exe

Filesize
1.0MB

MD5
06eb56951a589d42acf83aa7f03f42eb

SHA1
2919c57b6ed1aedb5af94183c61cf1b73c073462

SHA256
707ff527e6415a6da0bd08c3c1af3af7e2732e29ef994490cc77eee9b4b4eebd

SHA512
de8dc09da4b584422bdbc33b8a957f917382adf5206f178c0f976de7c4ef2d21dce886f438be1a8ec0be3f7cc9d0def0484a23c006e2661d5b2c6c953351a180

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp

Filesize
774KB

MD5
d5e88f35e214f2dff51a7d494316bac2

SHA1
6306dfa71c4e32dede210631cf90732693c0afcf

SHA256
f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

SHA512
ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp

Filesize
774KB

MD5
d5e88f35e214f2dff51a7d494316bac2

SHA1
6306dfa71c4e32dede210631cf90732693c0afcf

SHA256
f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

SHA512
ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

Download Submit
memory/3420-159-0x000001F850120000-0x000001F850260000-memory.dmp

Filesize
1.2MB

Download
memory/3420-158-0x000001F850120000-0x000001F850260000-memory.dmp

Filesize
1.2MB

Download
memory/3420-157-0x000001F850290000-0x000001F850534000-memory.dmp

Filesize
2.6MB

Download
memory/3420-156-0x0000000000E80000-0x0000000001112000-memory.dmp

Filesize
2.6MB

Download
memory/3420-154-0x00007FF733846890-mapping.dmp

Download
memory/3900-153-0x0000000004C40000-0x0000000004D80000-memory.dmp

Filesize
1.2MB

Download
memory/3900-150-0x0000000004C40000-0x0000000004D80000-memory.dmp

Filesize
1.2MB

Download
memory/3900-155-0x0000000004CB9000-0x0000000004CBB000-memory.dmp

Filesize
8KB

Download
memory/3900-152-0x0000000004C40000-0x0000000004D80000-memory.dmp

Filesize
1.2MB

Download
memory/3900-151-0x0000000004C40000-0x0000000004D80000-memory.dmp

Filesize
1.2MB

Download
memory/3900-146-0x00000000055B0000-0x0000000006111000-memory.dmp

Filesize
11.4MB

Download
memory/3900-147-0x00000000055B0000-0x0000000006111000-memory.dmp

Filesize
11.4MB

Download
memory/3900-148-0x0000000004C40000-0x0000000004D80000-memory.dmp

Filesize
1.2MB

Download
memory/3900-149-0x0000000004C40000-0x0000000004D80000-memory.dmp

Filesize
1.2MB

Download
memory/3900-142-0x0000000000000000-mapping.dmp

Download
memory/4060-145-0x0000000000400000-0x00000000028BA000-memory.dmp

Filesize
36.7MB

Download
memory/4060-140-0x00000000046E0000-0x0000000004805000-memory.dmp

Filesize
1.1MB

Download
memory/4060-139-0x0000000004547000-0x0000000004629000-memory.dmp

Filesize
904KB

Download
memory/4060-141-0x0000000000400000-0x00000000028BA000-memory.dmp

Filesize
36.7MB

Download
memory/4060-136-0x0000000000000000-mapping.dmp

Download
memory/4936-132-0x00000000029ED000-0x00000000029FE000-memory.dmp

Filesize
68KB

Download
memory/4936-135-0x0000000000400000-0x00000000027E8000-memory.dmp

Filesize
35.9MB

Download
memory/4936-134-0x0000000000400000-0x00000000027E8000-memory.dmp

Filesize
35.9MB

Download
memory/4936-133-0x0000000002980000-0x0000000002989000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads