smokeloader | ef2f8c18462be7e972bdc6cfbe8615e621b16f581c416c23a6f55254daf00d2b

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ef2f8c18462be7e972bdc6cfbe8615e621b16f581c416c23a6f55254daf00d2b.exe
Size

273KB
MD5

163200c03750ce16e6c13ef0660815f0
SHA1

5f16dfd00123927b9fcfe533dda5ea425d600e78
SHA256

ef2f8c18462be7e972bdc6cfbe8615e621b16f581c416c23a6f55254daf00d2b
SHA512

396edbc3708fb1d7f5258d5f35b9abc66bb6b56eec2567c46324445541176cb3a9467829ed6eb016cc4d76a5915b522637aec53736307125bb1cfdfbcd71763b
SSDEEP

6144:a+avSZ3G/y3Cc/VET2o0e/EnK/1IDcVZVVS:a+Au3G/y3Cc/ST2osnHDcpVS

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/4848-133-0x00000000021A0000-0x00000000021A9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 6 IoCs

flow	pid	Process
38	3468	rundll32.exe
58	3468	rundll32.exe
84	3468	rundll32.exe
87	3468	rundll32.exe
88	3468	rundll32.exe
89	3468	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1152	49DA.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef2f8c18462be7e972bdc6cfbe8615e621b16f581c416c23a6f55254daf00d2b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef2f8c18462be7e972bdc6cfbe8615e621b16f581c416c23a6f55254daf00d2b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef2f8c18462be7e972bdc6cfbe8615e621b16f581c416c23a6f55254daf00d2b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	ef2f8c18462be7e972bdc6cfbe8615e621b16f581c416c23a6f55254daf00d2b.exe
4848	ef2f8c18462be7e972bdc6cfbe8615e621b16f581c416c23a6f55254daf00d2b.exe
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found
3048	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3048	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4848	ef2f8c18462be7e972bdc6cfbe8615e621b16f581c416c23a6f55254daf00d2b.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1152	3048	Process not Found	87
PID 3048 wrote to memory of 1152	3048	Process not Found	87
PID 3048 wrote to memory of 1152	3048	Process not Found	87
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88
PID 1152 wrote to memory of 3468	1152	49DA.exe	88

C:\Users\Admin\AppData\Local\Temp\ef2f8c18462be7e972bdc6cfbe8615e621b16f581c416c23a6f55254daf00d2b.exe
"C:\Users\Admin\AppData\Local\Temp\ef2f8c18462be7e972bdc6cfbe8615e621b16f581c416c23a6f55254daf00d2b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4848

C:\Users\Admin\AppData\Local\Temp\49DA.exe
C:\Users\Admin\AppData\Local\Temp\49DA.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:3468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\49DA.exe

Filesize
854KB

MD5
251991e45cfee086aba5e5ae22d31a54

SHA1
bc2cc8b92968e969e80338366874672fd374f030

SHA256
512b2609fa7d398c32465fe0e4092c0f1f337ba4471252c16f645df77212c43e

SHA512
a94055c58586c96b9c66cb3d7cf2e4590e7d06b0e58662fcec64d0dbf0e3a2275c17ca6799400fd67c1ac50e617eefa7418b5026a5321128b6e949426b75ccdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\49DA.exe

Filesize
854KB

MD5
251991e45cfee086aba5e5ae22d31a54

SHA1
bc2cc8b92968e969e80338366874672fd374f030

SHA256
512b2609fa7d398c32465fe0e4092c0f1f337ba4471252c16f645df77212c43e

SHA512
a94055c58586c96b9c66cb3d7cf2e4590e7d06b0e58662fcec64d0dbf0e3a2275c17ca6799400fd67c1ac50e617eefa7418b5026a5321128b6e949426b75ccdc

Download Submit
memory/1152-141-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1152-139-0x000000000069A000-0x000000000073B000-memory.dmp

Filesize
644KB

Download
memory/1152-140-0x0000000002220000-0x0000000002315000-memory.dmp

Filesize
980KB

Download
memory/1152-145-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/3468-143-0x0000000000AC0000-0x0000000000AC4000-memory.dmp

Filesize
16KB

Download
memory/3468-144-0x0000000000B20000-0x0000000000B24000-memory.dmp

Filesize
16KB

Download
memory/4848-135-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4848-134-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4848-133-0x00000000021A0000-0x00000000021A9000-memory.dmp

Filesize
36KB

Download
memory/4848-132-0x00000000006C8000-0x00000000006D9000-memory.dmp

Filesize
68KB

Download