smokeloader | a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7

Analysis

max time kernel
159s
max time network
164s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
27-11-2022 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe
Size

147KB
MD5

b3957dda4bc08c70919b56437c84c991
SHA1

478e0d84b12d251d0a0f15fd56c82f5047d35541
SHA256

a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7
SHA512

df1b766d4bcacd3f19089acc40ec1e38b072997f1f1d610715c521f16881229218055c6afd0553d5c40cb2e76c39b65b6966e0cf7a32cfa2ed6a388d3d272adf
SSDEEP

3072:Q6y3PGucCoKGE5q4sDm5sojaRzKzYAuI9CYH:0bFD1sDXojaQcCL

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3676-153-0x00000000006D0000-0x00000000006D9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3048

pid	process
3048

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe

pid	process
3676	a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe
3676	a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe

pid process

3676 a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe

pid	process
3048

C:\Users\Admin\AppData\Local\Temp\a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe
"C:\Users\Admin\AppData\Local\Temp\a827e864fdf2a30cd6060a50bc4d5199075818c245804f1ddb3e66ee2040c3e7.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3676-118-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-119-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-120-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-121-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-122-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-123-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-124-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-125-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-126-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-127-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-128-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-129-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-130-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-131-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-132-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-133-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-134-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-135-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-136-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-138-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-137-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-140-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-141-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-142-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-139-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-143-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-144-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-145-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-146-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-147-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-148-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-149-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-151-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-150-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-152-0x000000000072A000-0x000000000073B000-memory.dmp

Filesize
68KB

Download
memory/3676-153-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/3676-154-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3676-155-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download