smokeloader | a9ff748ee948a9a352191298b0f8b71cee1bbb703ee0c3eb5192e0081331926f

General

Target

472ba070553f9b49fdb9ba324624bf99.exe
Size

188KB
MD5

472ba070553f9b49fdb9ba324624bf99
SHA1

e8836a6a7cda5715e396ea8deb3e97c7faade2f1
SHA256

a9ff748ee948a9a352191298b0f8b71cee1bbb703ee0c3eb5192e0081331926f
SHA512

d0fd2a11b4e9147886b18efc4de4e07088bcc88715f8e34a2ed39d1bb828dc2d4e5e947a791c69353caa0383c270156ba3c3446d60906d7fae341a5fbf9234ca
SSDEEP

3072:zKpGsgK69sPu4ZcbL546S84NG5t2dmRnvhrv12l1RJt17NRE8rVKn41X:yRfpSbL546St3mBvhrslvJbEYK4p

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-133-0x00000000007E0000-0x00000000007E9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

45 2912 rundll32.exe
47 2912 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

4F87.exe

pid process

3284 4F87.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2912 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3572 3284 WerFault.exe 4F87.exe

flow	pid	process
45	2912	rundll32.exe
47	2912	rundll32.exe

pid	process
3284	4F87.exe

pid	process
2912	rundll32.exe

pid	pid_target	process	target process
3572	3284	WerFault.exe	4F87.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

472ba070553f9b49fdb9ba324624bf99.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	472ba070553f9b49fdb9ba324624bf99.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	472ba070553f9b49fdb9ba324624bf99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	472ba070553f9b49fdb9ba324624bf99.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

472ba070553f9b49fdb9ba324624bf99.exe

pid	process
2620	472ba070553f9b49fdb9ba324624bf99.exe
2620	472ba070553f9b49fdb9ba324624bf99.exe
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1076
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

472ba070553f9b49fdb9ba324624bf99.exe

pid process

2620 472ba070553f9b49fdb9ba324624bf99.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1076
Token: SeCreatePagefilePrivilege 1076

pid	process
1076

description	pid	process
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4F87.exe

description	pid	process	target process
PID 1076 wrote to memory of 3284	1076		4F87.exe
PID 1076 wrote to memory of 3284	1076		4F87.exe
PID 1076 wrote to memory of 3284	1076		4F87.exe
PID 3284 wrote to memory of 2912	3284	4F87.exe	rundll32.exe
PID 3284 wrote to memory of 2912	3284	4F87.exe	rundll32.exe
PID 3284 wrote to memory of 2912	3284	4F87.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\472ba070553f9b49fdb9ba324624bf99.exe
"C:\Users\Admin\AppData\Local\Temp\472ba070553f9b49fdb9ba324624bf99.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2620

C:\Users\Admin\AppData\Local\Temp\4F87.exe
C:\Users\Admin\AppData\Local\Temp\4F87.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp",Rrptfe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 528
2⤵
- Program crash
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3284 -ip 3284
1⤵
PID:3296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4F87.exe

Filesize
1.0MB

MD5
40d0b4f6c2a3058997bccc8381a56ad9

SHA1
2ff51637aa4c61bf9804e0952f949e3b417eaadf

SHA256
99cc173d688fac11fc7d504b7d1125b3a3a643e87f08abb25825d869db200a90

SHA512
693025b775a3e308ec3a9bd8e6f0ad144194dbe7ef4e45f5db96c545cb3324131cee2ebee7f6cf010d0b9848f4eb34973ee0df890ff33d34785744f203c00140

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F87.exe

Filesize
1.0MB

MD5
40d0b4f6c2a3058997bccc8381a56ad9

SHA1
2ff51637aa4c61bf9804e0952f949e3b417eaadf

SHA256
99cc173d688fac11fc7d504b7d1125b3a3a643e87f08abb25825d869db200a90

SHA512
693025b775a3e308ec3a9bd8e6f0ad144194dbe7ef4e45f5db96c545cb3324131cee2ebee7f6cf010d0b9848f4eb34973ee0df890ff33d34785744f203c00140

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp

Filesize
774KB

MD5
d5e88f35e214f2dff51a7d494316bac2

SHA1
6306dfa71c4e32dede210631cf90732693c0afcf

SHA256
f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

SHA512
ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp

Filesize
774KB

MD5
d5e88f35e214f2dff51a7d494316bac2

SHA1
6306dfa71c4e32dede210631cf90732693c0afcf

SHA256
f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

SHA512
ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

Download Submit
memory/2620-135-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/2620-132-0x000000000087D000-0x000000000088E000-memory.dmp

Filesize
68KB

Download
memory/2620-134-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/2620-133-0x00000000007E0000-0x00000000007E9000-memory.dmp

Filesize
36KB

Download
memory/2912-141-0x0000000000000000-mapping.dmp

Download
memory/3284-136-0x0000000000000000-mapping.dmp

Download
memory/3284-140-0x00000000025C0000-0x00000000026E5000-memory.dmp

Filesize
1.1MB

Download
memory/3284-139-0x00000000024D2000-0x00000000025B4000-memory.dmp

Filesize
904KB

Download
memory/3284-142-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download
memory/3284-145-0x0000000000400000-0x000000000071F000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads