smokeloader | 2a777ef4d19fa4387c1fae0cba2d69ca44b071a58b7348346be3eaf98b95e198

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe
Size

146KB
MD5

9b6af8aaca95df0fbced0a38e0f42fec
SHA1

27f2cb6e6c79f9ec7243c474d89a9017ce1458a0
SHA256

78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a
SHA512

d0da8ec346c5063214055e65ad64a3ee8d4d0b07645c1db069a421d47983a24f0e11ec94c990f0eadbd2a05ab38d548992655816965058f56eb9ba592005d415
SSDEEP

3072:0uFIXsAQyv5ENrlf0f6jMV2XtfhMsiBJ0FDCAvQ:lzAQ5lfC6jp6BJob

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4932-133-0x0000000002810000-0x0000000002819000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

CA40.exe

pid process

3424 CA40.exe

pid	process
3424	CA40.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe

pid	process
4932	78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe
4932	78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3076
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe

pid process

4932 78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe

pid	process
3076

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 3076 wrote to memory of 3424	3076	CA40.exe
PID 3076 wrote to memory of 3424	3076	CA40.exe
PID 3076 wrote to memory of 3424	3076	CA40.exe

C:\Users\Admin\AppData\Local\Temp\78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe
"C:\Users\Admin\AppData\Local\Temp\78077ff1e8c109107f9e8ad54c9a3660e3f8e966d61a5cd6b219e5d5226f104a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4932

C:\Users\Admin\AppData\Local\Temp\CA40.exe
C:\Users\Admin\AppData\Local\Temp\CA40.exe
1⤵
- Executes dropped EXE
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CA40.exe
Filesize
2.6MB

MD5
8e652127ce83694db2bcb0d55d550864

SHA1
b728c839b5a1e305ac679472c38d1666582d50b8

SHA256
be19bc86160c997218411346f18fd4aabfa8706ca22b028f0d478df575f566cb

SHA512
2a6635b46d8139ab4e1e4f3ac4ca14eac9e38beef4bbedc4ae8d65b818bc7ac0c5e126e5f3f69b6610ae01ca1c9298a2ed79841d91bc5c64446a977526193c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA40.exe
Filesize
1.8MB

MD5
e8b3c53bf51383620926fc1e5db78325

SHA1
2f9b5297ffec9908ca0707d7118b375443c2052c

SHA256
09c9cddb9fd1f9e77edf30908745e8432c6ab6b7f8863eb770ef3a8d1809e26f

SHA512
48f7fdca793518e2fc19e49f60930f5bfe4b6192f1c72ad2f529ad48ffb33d9fa7689040b4f40efb7440b10ff1847f5ae56998498586cfa81c42ab7e1c32a358

Download Submit
memory/3424-136-0x0000000000000000-mapping.dmp

Download
memory/4932-132-0x0000000000B3E000-0x0000000000B4E000-memory.dmp

Filesize
64KB

Download
memory/4932-133-0x0000000002810000-0x0000000002819000-memory.dmp

Filesize
36KB

Download
memory/4932-134-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download
memory/4932-135-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download