smokeloader | 2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa

Analysis

max time kernel
158s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exe
Size

186KB
MD5

20265014ad062dbae27ff0398b9f1cc6
SHA1

2bb048c1aeed663031b3056019f9cd543f7a9edc
SHA256

2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa
SHA512

e87415a86b797c4a59e1d07b774b6354361a9db5e79c0fdd9c59bbe418bcf31a2a0f9f6fff1326b99ed0992ce53952a1d5fba49f2a33a0c8a71849863b1aab96
SSDEEP

3072:oDuvOZCRgdLRzZRvWFJO5BzbGdeAnGv1hB8ZlPDzS2fKpKN:euh4LRltuOnkGNhB8LPXS2fCK

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Signatures

Detects Smokeloader packer 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4460-134-0x0000000002380000-0x0000000002389000-memory.dmp	family_smokeloader
behavioral1/memory/2104-185-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/2104-188-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/2104-194-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

81C3.exeCA85.exeCA85.exe

pid process

2116 81C3.exe
2324 CA85.exe
2104 CA85.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

CA85.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation CA85.exe

pid	process
2116	81C3.exe
2324	CA85.exe
2104	CA85.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	CA85.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CA85.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iwejqxttng = "\"C:\\Users\\Admin\\AppData\\Roaming\\Raglf\\Iwejqxttng.exe\""	CA85.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

CA85.exe

description pid process target process

PID 2324 set thread context of 2104 2324 CA85.exe CA85.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4504 2116 WerFault.exe 81C3.exe

description	pid	process	target process
PID 2324 set thread context of 2104	2324	CA85.exe	CA85.exe

pid	pid_target	process	target process
4504	2116	WerFault.exe	81C3.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

CA85.exe2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CA85.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CA85.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CA85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exe

pid	process
4460	2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exe
4460	2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exe
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2492

pid	process
2492

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exeCA85.exe

pid	process
4460	2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exe
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2104	CA85.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

CA85.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2492
Token: SeCreatePagefilePrivilege	2492
Token: SeDebugPrivilege	2324	CA85.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeShutdownPrivilege	2492
Token: SeCreatePagefilePrivilege	2492

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

CA85.exe

description	pid	process	target process
PID 2492 wrote to memory of 2116	2492		81C3.exe
PID 2492 wrote to memory of 2116	2492		81C3.exe
PID 2492 wrote to memory of 2116	2492		81C3.exe
PID 2492 wrote to memory of 2324	2492		CA85.exe
PID 2492 wrote to memory of 2324	2492		CA85.exe
PID 2492 wrote to memory of 2324	2492		CA85.exe
PID 2324 wrote to memory of 2968	2324	CA85.exe	powershell.exe
PID 2324 wrote to memory of 2968	2324	CA85.exe	powershell.exe
PID 2324 wrote to memory of 2968	2324	CA85.exe	powershell.exe
PID 2492 wrote to memory of 4420	2492		explorer.exe
PID 2492 wrote to memory of 4420	2492		explorer.exe
PID 2492 wrote to memory of 4420	2492		explorer.exe
PID 2492 wrote to memory of 4420	2492		explorer.exe
PID 2492 wrote to memory of 4436	2492		explorer.exe
PID 2492 wrote to memory of 4436	2492		explorer.exe
PID 2492 wrote to memory of 4436	2492		explorer.exe
PID 2492 wrote to memory of 2432	2492		explorer.exe
PID 2492 wrote to memory of 2432	2492		explorer.exe
PID 2492 wrote to memory of 2432	2492		explorer.exe
PID 2492 wrote to memory of 2432	2492		explorer.exe
PID 2492 wrote to memory of 5088	2492		explorer.exe
PID 2492 wrote to memory of 5088	2492		explorer.exe
PID 2492 wrote to memory of 5088	2492		explorer.exe
PID 2492 wrote to memory of 716	2492		explorer.exe
PID 2492 wrote to memory of 716	2492		explorer.exe
PID 2492 wrote to memory of 716	2492		explorer.exe
PID 2492 wrote to memory of 716	2492		explorer.exe
PID 2492 wrote to memory of 2588	2492		explorer.exe
PID 2492 wrote to memory of 2588	2492		explorer.exe
PID 2492 wrote to memory of 2588	2492		explorer.exe
PID 2492 wrote to memory of 2588	2492		explorer.exe
PID 2492 wrote to memory of 2776	2492		explorer.exe
PID 2492 wrote to memory of 2776	2492		explorer.exe
PID 2492 wrote to memory of 2776	2492		explorer.exe
PID 2492 wrote to memory of 2776	2492		explorer.exe
PID 2492 wrote to memory of 4108	2492		explorer.exe
PID 2492 wrote to memory of 4108	2492		explorer.exe
PID 2492 wrote to memory of 4108	2492		explorer.exe
PID 2492 wrote to memory of 4596	2492		explorer.exe
PID 2492 wrote to memory of 4596	2492		explorer.exe
PID 2492 wrote to memory of 4596	2492		explorer.exe
PID 2492 wrote to memory of 4596	2492		explorer.exe
PID 2324 wrote to memory of 2104	2324	CA85.exe	CA85.exe
PID 2324 wrote to memory of 2104	2324	CA85.exe	CA85.exe
PID 2324 wrote to memory of 2104	2324	CA85.exe	CA85.exe
PID 2324 wrote to memory of 2104	2324	CA85.exe	CA85.exe
PID 2324 wrote to memory of 2104	2324	CA85.exe	CA85.exe
PID 2324 wrote to memory of 2104	2324	CA85.exe	CA85.exe

C:\Users\Admin\AppData\Local\Temp\2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exe
"C:\Users\Admin\AppData\Local\Temp\2ec66b67ec0734dbf1048b2f71a969e5915deeefc75aea61a91e079fc5720eaa.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4460

C:\Users\Admin\AppData\Local\Temp\81C3.exe
C:\Users\Admin\AppData\Local\Temp\81C3.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 436
2⤵
- Program crash
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2116 -ip 2116
1⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\CA85.exe
C:\Users\Admin\AppData\Local\Temp\CA85.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Users\Admin\AppData\Local\Temp\CA85.exe
C:\Users\Admin\AppData\Local\Temp\CA85.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4420

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4436

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2432

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2588

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2776

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4108

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81C3.exe

Filesize
1.0MB

MD5
fc78f5650188734808f725d0934650a1

SHA1
e5184b4aa5de2d1121572fbfd3c2f05bf2b9a000

SHA256
319ead10ec14192ea1ba28c3079e72a581bbdbb13a67a3ccbe3066dfec86179a

SHA512
d74f0f7e0fb32d3ac0ef09fdd6762032044bb48ca298ee68e9e7cfd327db812bff460efe89495778febddeb5fdb3d8aa3d6c1f61d1aff34dcaa0a2bf07f2f3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\81C3.exe

Filesize
1.0MB

MD5
fc78f5650188734808f725d0934650a1

SHA1
e5184b4aa5de2d1121572fbfd3c2f05bf2b9a000

SHA256
319ead10ec14192ea1ba28c3079e72a581bbdbb13a67a3ccbe3066dfec86179a

SHA512
d74f0f7e0fb32d3ac0ef09fdd6762032044bb48ca298ee68e9e7cfd327db812bff460efe89495778febddeb5fdb3d8aa3d6c1f61d1aff34dcaa0a2bf07f2f3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA85.exe

Filesize
6KB

MD5
1fa7079d26058ea034b51f04938b4f44

SHA1
2cccd49d886cdfcd80da806971962d93b6eeaf45

SHA256
19c00af81f362be665658f611e54d1a6e460bcdde64a15e3db3910841374e2a0

SHA512
43053b5d324b61ac922a38b8991511e21a9cdcea6e240720e7ec01f122dea06194efdb29a2e4c6b6628bfadbc7ff7846b0a324b6b5472d1501094e3dbae24f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA85.exe

Filesize
6KB

MD5
1fa7079d26058ea034b51f04938b4f44

SHA1
2cccd49d886cdfcd80da806971962d93b6eeaf45

SHA256
19c00af81f362be665658f611e54d1a6e460bcdde64a15e3db3910841374e2a0

SHA512
43053b5d324b61ac922a38b8991511e21a9cdcea6e240720e7ec01f122dea06194efdb29a2e4c6b6628bfadbc7ff7846b0a324b6b5472d1501094e3dbae24f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA85.exe

Filesize
6KB

MD5
1fa7079d26058ea034b51f04938b4f44

SHA1
2cccd49d886cdfcd80da806971962d93b6eeaf45

SHA256
19c00af81f362be665658f611e54d1a6e460bcdde64a15e3db3910841374e2a0

SHA512
43053b5d324b61ac922a38b8991511e21a9cdcea6e240720e7ec01f122dea06194efdb29a2e4c6b6628bfadbc7ff7846b0a324b6b5472d1501094e3dbae24f46

Download Submit
memory/716-170-0x0000000000A90000-0x0000000000AB7000-memory.dmp

Filesize
156KB

Download
memory/716-168-0x0000000000AC0000-0x0000000000AE2000-memory.dmp

Filesize
136KB

Download
memory/716-167-0x0000000000000000-mapping.dmp

Download
memory/716-190-0x0000000000AC0000-0x0000000000AE2000-memory.dmp

Filesize
136KB

Download
memory/2104-194-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2104-184-0x0000000000000000-mapping.dmp

Download
memory/2104-185-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2104-188-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2116-137-0x0000000000000000-mapping.dmp

Download
memory/2324-140-0x0000000000000000-mapping.dmp

Download
memory/2324-146-0x0000000006340000-0x0000000006362000-memory.dmp

Filesize
136KB

Download
memory/2324-145-0x00000000068C0000-0x0000000006E64000-memory.dmp

Filesize
5.6MB

Download
memory/2324-144-0x0000000006270000-0x0000000006302000-memory.dmp

Filesize
584KB

Download
memory/2324-143-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2432-187-0x0000000000850000-0x0000000000855000-memory.dmp

Filesize
20KB

Download
memory/2432-163-0x0000000000840000-0x0000000000849000-memory.dmp

Filesize
36KB

Download
memory/2432-162-0x0000000000850000-0x0000000000855000-memory.dmp

Filesize
20KB

Download
memory/2432-161-0x0000000000000000-mapping.dmp

Download
memory/2588-172-0x0000000001450000-0x0000000001455000-memory.dmp

Filesize
20KB

Download
memory/2588-191-0x0000000001450000-0x0000000001455000-memory.dmp

Filesize
20KB

Download
memory/2588-169-0x0000000000000000-mapping.dmp

Download
memory/2588-173-0x0000000001440000-0x0000000001449000-memory.dmp

Filesize
36KB

Download
memory/2776-171-0x0000000000000000-mapping.dmp

Download
memory/2776-192-0x0000000000CB0000-0x0000000000CB6000-memory.dmp

Filesize
24KB

Download
memory/2776-174-0x0000000000CA0000-0x0000000000CAB000-memory.dmp

Filesize
44KB

Download
memory/2776-176-0x0000000000CB0000-0x0000000000CB6000-memory.dmp

Filesize
24KB

Download
memory/2968-148-0x00000000025F0000-0x0000000002626000-memory.dmp

Filesize
216KB

Download
memory/2968-153-0x00000000071F0000-0x000000000786A000-memory.dmp

Filesize
6.5MB

Download
memory/2968-147-0x0000000000000000-mapping.dmp

Download
memory/2968-149-0x0000000004E30000-0x0000000005458000-memory.dmp

Filesize
6.2MB

Download
memory/2968-150-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/2968-151-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/2968-152-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/2968-154-0x00000000060D0000-0x00000000060EA000-memory.dmp

Filesize
104KB

Download
memory/4108-193-0x0000000000DF0000-0x0000000000DF7000-memory.dmp

Filesize
28KB

Download
memory/4108-178-0x0000000000DE0000-0x0000000000DED000-memory.dmp

Filesize
52KB

Download
memory/4108-177-0x0000000000DF0000-0x0000000000DF7000-memory.dmp

Filesize
28KB

Download
memory/4108-175-0x0000000000000000-mapping.dmp

Download
memory/4420-156-0x00000000006F0000-0x00000000006F7000-memory.dmp

Filesize
28KB

Download
memory/4420-155-0x0000000000000000-mapping.dmp

Download
memory/4420-182-0x00000000006F0000-0x00000000006F7000-memory.dmp

Filesize
28KB

Download
memory/4420-157-0x00000000006E0000-0x00000000006EB000-memory.dmp

Filesize
44KB

Download
memory/4436-183-0x0000000000120000-0x0000000000129000-memory.dmp

Filesize
36KB

Download
memory/4436-158-0x0000000000000000-mapping.dmp

Download
memory/4436-159-0x0000000000120000-0x0000000000129000-memory.dmp

Filesize
36KB

Download
memory/4436-160-0x0000000000110000-0x000000000011F000-memory.dmp

Filesize
60KB

Download
memory/4460-133-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/4460-134-0x0000000002380000-0x0000000002389000-memory.dmp

Filesize
36KB

Download
memory/4460-135-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/4460-136-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/4596-181-0x0000000001440000-0x000000000144B000-memory.dmp

Filesize
44KB

Download
memory/4596-180-0x0000000001450000-0x0000000001458000-memory.dmp

Filesize
32KB

Download
memory/4596-179-0x0000000000000000-mapping.dmp

Download
memory/4596-195-0x0000000001450000-0x0000000001458000-memory.dmp

Filesize
32KB

Download
memory/5088-189-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/5088-166-0x0000000000F70000-0x0000000000F7C000-memory.dmp

Filesize
48KB

Download
memory/5088-164-0x0000000000000000-mapping.dmp

Download
memory/5088-165-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download