smokeloader | aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e

General

Target

aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe
Size

186KB
MD5

6e0a25e8780cfc36b80a860073b5414b
SHA1

88040417696654eee720434875c2e345df000ebb
SHA256

aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e
SHA512

d1565576257d7d0db399804e117f03e07760bf2fa13a4aee1811190c216eef5b6664243a366c1cf82e26445e76e649a29b04b2652ec0dd8d5f1404a4d8af54ac
SSDEEP

3072:XBkAtbkmeqUVbLwytWIiD5ssA+E3hV5j1HyhTQCsQIVYG+:OAhMLwyt7DsbARR0TWf

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2812-134-0x00000000028A0000-0x00000000028A9000-memory.dmp	family_smokeloader
behavioral1/memory/2812-138-0x00000000028A0000-0x00000000028A9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

B414.exe

pid process

1816 B414.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4900 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1712 1816 WerFault.exe B414.exe

pid	process
1816	B414.exe

pid	process
4900	rundll32.exe

pid	pid_target	process	target process
1712	1816	WerFault.exe	B414.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe

pid	process
2812	aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe
2812	aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

668
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe

pid process

2812 aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe

pid	process
668

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668
Token: SeShutdownPrivilege	668
Token: SeCreatePagefilePrivilege	668

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

B414.exe

description	pid	process	target process
PID 668 wrote to memory of 1816	668		B414.exe
PID 668 wrote to memory of 1816	668		B414.exe
PID 668 wrote to memory of 1816	668		B414.exe
PID 1816 wrote to memory of 4900	1816	B414.exe	rundll32.exe
PID 1816 wrote to memory of 4900	1816	B414.exe	rundll32.exe
PID 1816 wrote to memory of 4900	1816	B414.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe
"C:\Users\Admin\AppData\Local\Temp\aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2812

C:\Users\Admin\AppData\Local\Temp\B414.exe
C:\Users\Admin\AppData\Local\Temp\B414.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp",Rrptfe
2⤵
- Loads dropped DLL
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 464
2⤵
- Program crash
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1816 -ip 1816
1⤵
PID:3144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B414.exe
Filesize
1.0MB

MD5
06eb56951a589d42acf83aa7f03f42eb

SHA1
2919c57b6ed1aedb5af94183c61cf1b73c073462

SHA256
707ff527e6415a6da0bd08c3c1af3af7e2732e29ef994490cc77eee9b4b4eebd

SHA512
de8dc09da4b584422bdbc33b8a957f917382adf5206f178c0f976de7c4ef2d21dce886f438be1a8ec0be3f7cc9d0def0484a23c006e2661d5b2c6c953351a180

Download Submit
C:\Users\Admin\AppData\Local\Temp\B414.exe
Filesize
1.0MB

MD5
06eb56951a589d42acf83aa7f03f42eb

SHA1
2919c57b6ed1aedb5af94183c61cf1b73c073462

SHA256
707ff527e6415a6da0bd08c3c1af3af7e2732e29ef994490cc77eee9b4b4eebd

SHA512
de8dc09da4b584422bdbc33b8a957f917382adf5206f178c0f976de7c4ef2d21dce886f438be1a8ec0be3f7cc9d0def0484a23c006e2661d5b2c6c953351a180

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp
Filesize
774KB

MD5
d5e88f35e214f2dff51a7d494316bac2

SHA1
6306dfa71c4e32dede210631cf90732693c0afcf

SHA256
f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

SHA512
ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp
Filesize
774KB

MD5
d5e88f35e214f2dff51a7d494316bac2

SHA1
6306dfa71c4e32dede210631cf90732693c0afcf

SHA256
f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

SHA512
ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

Download Submit
memory/668-147-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/668-156-0x0000000007C00000-0x0000000007C10000-memory.dmp

Filesize
64KB

Download
memory/668-159-0x0000000007C00000-0x0000000007C10000-memory.dmp

Filesize
64KB

Download
memory/668-140-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/668-141-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/668-142-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/668-143-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/668-144-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/668-145-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/668-146-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/668-158-0x0000000007C00000-0x0000000007C10000-memory.dmp

Filesize
64KB

Download
memory/668-148-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/668-157-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/668-155-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/1816-152-0x00000000045CD000-0x00000000046AF000-memory.dmp

Filesize
904KB

Download
memory/1816-153-0x00000000046B0000-0x00000000047D5000-memory.dmp

Filesize
1.1MB

Download
memory/1816-154-0x0000000000400000-0x00000000028BA000-memory.dmp

Filesize
36.7MB

Download
memory/1816-149-0x0000000000000000-mapping.dmp

Download
memory/2812-136-0x0000000000400000-0x00000000027E8000-memory.dmp

Filesize
35.9MB

Download
memory/2812-137-0x000000000290F000-0x0000000002920000-memory.dmp

Filesize
68KB

Download
memory/2812-138-0x00000000028A0000-0x00000000028A9000-memory.dmp

Filesize
36KB

Download
memory/2812-133-0x000000000290F000-0x0000000002920000-memory.dmp

Filesize
68KB

Download
memory/2812-139-0x0000000000400000-0x00000000027E8000-memory.dmp

Filesize
35.9MB

Download
memory/2812-135-0x0000000000400000-0x00000000027E8000-memory.dmp

Filesize
35.9MB

Download
memory/2812-134-0x00000000028A0000-0x00000000028A9000-memory.dmp

Filesize
36KB

Download
memory/4900-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads