smokeloader | 0de343706b9732c2ab9a52824bd2dcf9347362d94590ade27ae3bce9a9878595

Analysis

max time kernel
151s
max time network
75s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
04/12/2022, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0de343706b9732c2ab9a52824bd2dcf9347362d94590ade27ae3bce9a9878595.exe
Size

340KB
MD5

6fd99dc4f327e6db55a4c11c2c5ee639
SHA1

53d25a5da073bf12ee21afb89f50ba6dea1646df
SHA256

0de343706b9732c2ab9a52824bd2dcf9347362d94590ade27ae3bce9a9878595
SHA512

08aaf4fda392ba52a190334b8c564893a31d1e9e2abb8440a7b2026c676e0c448bc1233edafa7dc3bae8f4d7919d3e8c04231b264846700e91c2213f84e97165
SSDEEP

6144:WqoYIM/9cOvEyOycos2ZizPnMW2RqnmUzY:WqoYZdvEyOyi2MbMW3mUzY

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/2188-147-0x0000000000030000-0x0000000000039000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Deletes itself 1 IoCs

pid	Process
3024	Process not Found

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0de343706b9732c2ab9a52824bd2dcf9347362d94590ade27ae3bce9a9878595.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0de343706b9732c2ab9a52824bd2dcf9347362d94590ade27ae3bce9a9878595.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0de343706b9732c2ab9a52824bd2dcf9347362d94590ade27ae3bce9a9878595.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	0de343706b9732c2ab9a52824bd2dcf9347362d94590ade27ae3bce9a9878595.exe
2188	0de343706b9732c2ab9a52824bd2dcf9347362d94590ade27ae3bce9a9878595.exe
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3024	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2188	0de343706b9732c2ab9a52824bd2dcf9347362d94590ade27ae3bce9a9878595.exe

C:\Users\Admin\AppData\Local\Temp\0de343706b9732c2ab9a52824bd2dcf9347362d94590ade27ae3bce9a9878595.exe
"C:\Users\Admin\AppData\Local\Temp\0de343706b9732c2ab9a52824bd2dcf9347362d94590ade27ae3bce9a9878595.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2188-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-148-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2188-147-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2188-145-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/2188-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-156-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download