smokeloader | f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de

Analysis

max time kernel
160s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe
Size

145KB
MD5

cfba4356d1eea9e464ab6851c7a56f78
SHA1

92f86ca1903e6206dc4b33ccb2b5745c740a3f61
SHA256

f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de
SHA512

5ca4e77e3071d22e18c595b6027c9988abd354a67c105b90f0b63efcfd17723a21523796464117b9facf35db917b04ead5f73d5d245b932bc6b43e71b62d813f
SSDEEP

3072:mDEHxUakL3V23Up59KW+0+2222X5hXQDPclytkC+jBPWMl6wA:zxZQV25W+PXC0nlVOwA

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5036-133-0x00000000004D0000-0x00000000004D9000-memory.dmp	family_smokeloader
behavioral1/memory/5036-136-0x00000000004D0000-0x00000000004D9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe

pid	process
5036	f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe
5036	f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616
2616

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2616
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe

pid process

5036 f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe

pid	process
2616

C:\Users\Admin\AppData\Local\Temp\f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe
"C:\Users\Admin\AppData\Local\Temp\f9676dee8471b304e7c11881d400ea82272d460108cd0384fdcff2f324de62de.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5036-132-0x000000000070D000-0x000000000071E000-memory.dmp

Filesize
68KB

Download
memory/5036-133-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/5036-134-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5036-135-0x000000000070D000-0x000000000071E000-memory.dmp

Filesize
68KB

Download
memory/5036-136-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/5036-137-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download