smokeloader | cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb

Analysis

max time kernel
150s
max time network
64s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
29-11-2022 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
Size

146KB
MD5

ce35e36e4cfe2fa6f701d6bc84e3dfcc
SHA1

7150ff484439c25af3a8563930aadb718b6a0f22
SHA256

cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb
SHA512

b799b8476ab3c71f91026b90f2adef9494781d51a97f9047ebbd8f07f74128a0515fde68ee8424741246f72a469de4b9ca0a22344497db64ddda5e779b2e58ab
SSDEEP

3072:xODzGplxVIeoLy5KesJBx4P3Usgtvf/6CV2BvzX:iGpjCeoFl4PEsqv3zU

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3048-149-0x0000000000540000-0x0000000000549000-memory.dmp	family_smokeloader
behavioral1/memory/5036-147-0x0000000000402DD8-mapping.dmp	family_smokeloader
behavioral1/memory/5036-146-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/5036-155-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/5036-179-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3036

pid	process
3036

Suspicious use of SetThreadContext 1 IoCs

Processes:

cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe

description	pid	process	target process
PID 3048 set thread context of 5036	3048	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe

pid	process
5036	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
5036	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe

pid process

5036 cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe

pid	process
3036

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe

description	pid	process	target process
PID 3048 wrote to memory of 5036	3048	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
PID 3048 wrote to memory of 5036	3048	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
PID 3048 wrote to memory of 5036	3048	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
PID 3048 wrote to memory of 5036	3048	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
PID 3048 wrote to memory of 5036	3048	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
PID 3048 wrote to memory of 5036	3048	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe	cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe

C:\Users\Admin\AppData\Local\Temp\cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
"C:\Users\Admin\AppData\Local\Temp\cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe
"C:\Users\Admin\AppData\Local\Temp\cf05eb67c83f275518f0ca50f1e71ed26a6b7361d26b15be821f85fc791ad1cb.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3036-182-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/3036-278-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/3036-277-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/3036-276-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/3036-275-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/3036-274-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3036-273-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/3036-247-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/3036-246-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/3036-245-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/3036-244-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/3036-243-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/3036-242-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3036-227-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3036-225-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3036-221-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3036-222-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/3036-220-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/3036-213-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/3036-212-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/3036-211-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/3036-210-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/3036-209-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/3036-208-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3036-207-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/3036-189-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3036-188-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3036-187-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3036-185-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3036-184-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/3048-141-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-149-0x0000000000540000-0x0000000000549000-memory.dmp

Filesize
36KB

Download
memory/3048-118-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-119-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-120-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-121-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-122-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-123-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-124-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-125-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-127-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-126-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-128-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-131-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-130-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-129-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-133-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-134-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-135-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-136-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-137-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-132-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-139-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-140-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-117-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-142-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-143-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-144-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-145-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-165-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-167-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-179-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5036-150-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-148-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-176-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-178-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-177-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-175-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-174-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-173-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-172-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-170-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-168-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-169-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-164-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-166-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-171-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-151-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-159-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-161-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-163-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-162-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-160-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-158-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-156-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-157-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-154-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-155-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5036-153-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-146-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5036-147-0x0000000000402DD8-mapping.dmp

Download
memory/5036-152-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download