smokeloader | e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb

Analysis

max time kernel
278s
max time network
285s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe
Size

184KB
MD5

cb57d4933a6d9ce877f27b034a3b0332
SHA1

af274db3e0a20fbd23637aa6129bfdf8ca6ed709
SHA256

e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb
SHA512

db1d5bf204efe872c1dc1ea69156f821c5d0bcbf569859d39314cb67d6b17648fe0243b068f95dec8d20ce274cd997d7e2bb3e2a490abfbd972ad26eb0651f23
SSDEEP

3072:9DoMRLPAxgsIK5hz5r8k7wmL9BI2HyNsWsDL90LYZcEJ:6M+xgklh7dHHBV08

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4556-133-0x00000000005C0000-0x00000000005C9000-memory.dmp	family_smokeloader
behavioral1/memory/4556-136-0x00000000005C0000-0x00000000005C9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

5F57.exeA877.exe

pid process

2984 5F57.exe
1724 A877.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
2984	5F57.exe
1724	A877.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe

pid	process
4556	e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe
4556	e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1204
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe

pid process

4556 e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1204
Token: SeCreatePagefilePrivilege 1204

pid	process
1204

description	pid	process
Token: SeShutdownPrivilege	1204
Token: SeCreatePagefilePrivilege	1204

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2984	1204	5F57.exe
PID 1204 wrote to memory of 2984	1204	5F57.exe
PID 1204 wrote to memory of 2984	1204	5F57.exe
PID 1204 wrote to memory of 1724	1204	A877.exe
PID 1204 wrote to memory of 1724	1204	A877.exe
PID 1204 wrote to memory of 1724	1204	A877.exe

C:\Users\Admin\AppData\Local\Temp\e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe
"C:\Users\Admin\AppData\Local\Temp\e583878f0974903860253b100c69b71aa4bafcb34567ebb60ee53af6900d91bb.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4556

C:\Users\Admin\AppData\Local\Temp\5F57.exe
C:\Users\Admin\AppData\Local\Temp\5F57.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\A877.exe
C:\Users\Admin\AppData\Local\Temp\A877.exe
1⤵
- Executes dropped EXE
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5F57.exe
Filesize
1.2MB

MD5
0b9a0f37d63b0ed9ab9b662a25357962

SHA1
256a3fc7f7d00649ed2664695d508529a4a56368

SHA256
d0f0577d7516a681492b8be0ee6f445dbd79242b41e14e03f5f5f60f1b9069c1

SHA512
cde99253a4e580ec3b7840cfc0d58846d99299910177c8284fe75aa1b4c6ceafb2ff9fc7d9d453c5a541a65fc6958022e15166fd1ba0e1e0a85bd5f0cfeb03bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\A877.exe
Filesize
243KB

MD5
016b1e045f0c32c751466cbfef9369f9

SHA1
94278f97e1f4b221cdc7f593507948c618a4e05b

SHA256
894197e5c275eb7537858af6ee922a4cc4966f78b74954db74d16bdc9757ff5e

SHA512
8300d455690df141dc408d63aaff6944f6019fd474e8ccefe9f7830d9e9a6623a20967831fb348a6a710c97a76d3283f12bb9af6346402d67e76fd74b256529f

Download Submit
memory/1724-141-0x0000000000000000-mapping.dmp

Download
memory/2984-139-0x0000000000000000-mapping.dmp

Download
memory/4556-132-0x000000000068E000-0x000000000069E000-memory.dmp

Filesize
64KB

Download
memory/4556-133-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/4556-134-0x000000000068E000-0x000000000069E000-memory.dmp

Filesize
64KB

Download
memory/4556-135-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4556-136-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/4556-137-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4556-138-0x000000000068E000-0x000000000069E000-memory.dmp

Filesize
64KB

Download