smokeloader | e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0

Analysis

max time kernel
150s
max time network
72s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
27-11-2022 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
Size

818KB
MD5

3bc91c80e89a1e1029e8f2296cc08d8c
SHA1

b026d3a0c0e46ae59d302d16d5ea189e8f469f9e
SHA256

e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0
SHA512

ac54c9ef42f461f6d2b2426494733b4e40a38837972cc45e190ab959b13dfedce8f619aeb8b85d568cd135de3a9118e6383094852c781a37b9a53f5d996c83d8
SSDEEP

24576:A17r0U376CZ1S4Sjnw58kaJTbk0VkFg/IyXt:qdSFw5RykoX

Score

10^/10

smokeloader backdoor collection trojan

Malware Config

Signatures

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1248-187-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/1248-219-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/1248-220-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3052

pid	process
3052

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe

description	pid	process	target process
PID 4808 set thread context of 1248	4808	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe

pid	process
1248	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
1248	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3052
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe

pid process

1248 e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
3052
3052
3052
3052

pid	process
3052

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe

description	pid	process	target process
PID 4808 wrote to memory of 1248	4808	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
PID 4808 wrote to memory of 1248	4808	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
PID 4808 wrote to memory of 1248	4808	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
PID 4808 wrote to memory of 1248	4808	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
PID 4808 wrote to memory of 1248	4808	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
PID 4808 wrote to memory of 1248	4808	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe	e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
PID 3052 wrote to memory of 768	3052		explorer.exe
PID 3052 wrote to memory of 768	3052		explorer.exe
PID 3052 wrote to memory of 768	3052		explorer.exe
PID 3052 wrote to memory of 768	3052		explorer.exe
PID 3052 wrote to memory of 4596	3052		explorer.exe
PID 3052 wrote to memory of 4596	3052		explorer.exe
PID 3052 wrote to memory of 4596	3052		explorer.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
"C:\Users\Admin\AppData\Local\Temp\e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\e85fbaeccdeb53b3873a8b4d46b73749e475bfb3eac196147dc1679dba2b76a0.exe
"{path}"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:768

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/768-289-0x0000000002C70000-0x0000000002CDB000-memory.dmp

Filesize
428KB

Download
memory/768-273-0x0000000002CE0000-0x0000000002D54000-memory.dmp

Filesize
464KB

Download
memory/768-221-0x0000000000000000-mapping.dmp

Download
memory/1248-187-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1248-188-0x0000000000402E81-mapping.dmp

Download
memory/1248-189-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1248-192-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1248-190-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/1248-220-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1248-219-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4596-281-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/4596-280-0x0000000000000000-mapping.dmp

Download
memory/4808-155-0x0000000005260000-0x000000000575E000-memory.dmp

Filesize
5.0MB

Download
memory/4808-160-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-129-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-130-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-131-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-132-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-133-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-134-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-135-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-136-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-137-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-138-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-139-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-140-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-141-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-142-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-143-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-144-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-145-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-146-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-147-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-148-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-149-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-150-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-151-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-152-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-153-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-154-0x00000000003A0000-0x0000000000472000-memory.dmp

Filesize
840KB

Download
memory/4808-127-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-156-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-157-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/4808-158-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-159-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-128-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-161-0x0000000004E70000-0x0000000004F0C000-memory.dmp

Filesize
624KB

Download
memory/4808-162-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-163-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-164-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-165-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-166-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-167-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-168-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-169-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-170-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-171-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-172-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-173-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-174-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-175-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/4808-176-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-177-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-178-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-179-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-180-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-181-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-182-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-183-0x00000000079D0000-0x00000000079E2000-memory.dmp

Filesize
72KB

Download
memory/4808-184-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-185-0x0000000008960000-0x00000000089FE000-memory.dmp

Filesize
632KB

Download
memory/4808-126-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-125-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-124-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-123-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-122-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-121-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-120-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-186-0x000000000B180000-0x000000000B1C8000-memory.dmp

Filesize
288KB

Download
memory/4808-191-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download