smokeloader | ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
06-12-2022 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe
Size

320KB
MD5

2d4899cdb123b3f0c0c04d75abec0d7d
SHA1

99c7f1253e9b815184b54da4cd21eb5fe1a3c36f
SHA256

ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306
SHA512

bf24bf3452aa9861b8fc582e643ba8bac3edb6bf0fdfaa68c5b2677fe81cf59869056ccbdf3ea278af5c1c1a5b676ad0fc539e3c56e36d26fcf74966825ecab4
SSDEEP

6144:rm1y9MLox0RoTUrwW9QG50dkWqXRqiqx+RRF:r+yC8x0RoHmXRqisqRF

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2692-133-0x0000000000030000-0x0000000000039000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3044

pid	process
3044

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe

pid	process
2692	ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe
2692	ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3044

pid	process
3044

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe

pid	process
2692	ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

description	pid	target process
PID 3044 wrote to memory of 3292	3044	explorer.exe
PID 3044 wrote to memory of 3292	3044	explorer.exe
PID 3044 wrote to memory of 3292	3044	explorer.exe
PID 3044 wrote to memory of 3292	3044	explorer.exe
PID 3044 wrote to memory of 1916	3044	explorer.exe
PID 3044 wrote to memory of 1916	3044	explorer.exe
PID 3044 wrote to memory of 1916	3044	explorer.exe
PID 3044 wrote to memory of 3692	3044	explorer.exe
PID 3044 wrote to memory of 3692	3044	explorer.exe
PID 3044 wrote to memory of 3692	3044	explorer.exe
PID 3044 wrote to memory of 3692	3044	explorer.exe
PID 3044 wrote to memory of 4268	3044	explorer.exe
PID 3044 wrote to memory of 4268	3044	explorer.exe
PID 3044 wrote to memory of 4268	3044	explorer.exe
PID 3044 wrote to memory of 4348	3044	explorer.exe
PID 3044 wrote to memory of 4348	3044	explorer.exe
PID 3044 wrote to memory of 4348	3044	explorer.exe
PID 3044 wrote to memory of 4348	3044	explorer.exe
PID 3044 wrote to memory of 4516	3044	explorer.exe
PID 3044 wrote to memory of 4516	3044	explorer.exe
PID 3044 wrote to memory of 4516	3044	explorer.exe
PID 3044 wrote to memory of 4516	3044	explorer.exe
PID 3044 wrote to memory of 4396	3044	explorer.exe
PID 3044 wrote to memory of 4396	3044	explorer.exe
PID 3044 wrote to memory of 4396	3044	explorer.exe
PID 3044 wrote to memory of 4396	3044	explorer.exe
PID 3044 wrote to memory of 1056	3044	explorer.exe
PID 3044 wrote to memory of 1056	3044	explorer.exe
PID 3044 wrote to memory of 1056	3044	explorer.exe
PID 3044 wrote to memory of 1976	3044	explorer.exe
PID 3044 wrote to memory of 1976	3044	explorer.exe
PID 3044 wrote to memory of 1976	3044	explorer.exe
PID 3044 wrote to memory of 1976	3044	explorer.exe

C:\Users\Admin\AppData\Local\Temp\ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe
"C:\Users\Admin\AppData\Local\Temp\ef075e0148cf6827fe81b47a185341c6ee13741f5b586d1e6551da1e762b5306.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3292

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1916

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3692

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4268

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4348

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4516

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4396

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1056

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-453-0x0000000000000000-mapping.dmp

Download
memory/1056-456-0x0000000000610000-0x0000000000617000-memory.dmp

Filesize
28KB

Download
memory/1056-457-0x0000000000600000-0x000000000060D000-memory.dmp

Filesize
52KB

Download
memory/1056-523-0x0000000000610000-0x0000000000617000-memory.dmp

Filesize
28KB

Download
memory/1916-177-0x0000000000000000-mapping.dmp

Download
memory/1916-195-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/1916-197-0x00000000005C0000-0x00000000005CF000-memory.dmp

Filesize
60KB

Download
memory/1916-516-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/1976-458-0x0000000000000000-mapping.dmp

Download
memory/1976-514-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/1976-515-0x0000000002810000-0x000000000281B000-memory.dmp

Filesize
44KB

Download
memory/1976-524-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2692-143-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-147-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-132-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-131-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-135-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2692-136-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-137-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-138-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-139-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-134-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-140-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-141-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-130-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2692-142-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-144-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-146-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-145-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-133-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2692-148-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-149-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-150-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-151-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-153-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-152-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-155-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-154-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-156-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2692-129-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-128-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-126-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-125-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-124-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-123-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-122-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-121-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-120-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-169-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-188-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-171-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-172-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-168-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-173-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-174-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-175-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-176-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-178-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-179-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-180-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-181-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-182-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-183-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-184-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-185-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-186-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-187-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-166-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-189-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-190-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-191-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-192-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-294-0x0000000002820000-0x0000000002827000-memory.dmp

Filesize
28KB

Download
memory/3292-296-0x0000000002810000-0x000000000281B000-memory.dmp

Filesize
44KB

Download
memory/3292-167-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-170-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-159-0x0000000000000000-mapping.dmp

Download
memory/3292-165-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-164-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-160-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-163-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-518-0x0000000002820000-0x0000000002827000-memory.dmp

Filesize
28KB

Download
memory/3292-161-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3292-162-0x0000000077890000-0x0000000077A1E000-memory.dmp

Filesize
1.6MB

Download
memory/3692-519-0x0000000002EE0000-0x0000000002EE5000-memory.dmp

Filesize
20KB

Download
memory/3692-298-0x0000000002EE0000-0x0000000002EE5000-memory.dmp

Filesize
20KB

Download
memory/3692-299-0x0000000002ED0000-0x0000000002ED9000-memory.dmp

Filesize
36KB

Download
memory/3692-193-0x0000000000000000-mapping.dmp

Download
memory/4268-229-0x0000000000000000-mapping.dmp

Download
memory/4268-517-0x0000000000B70000-0x0000000000B76000-memory.dmp

Filesize
24KB

Download
memory/4268-234-0x0000000000B70000-0x0000000000B76000-memory.dmp

Filesize
24KB

Download
memory/4268-236-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/4348-277-0x0000000000000000-mapping.dmp

Download
memory/4348-367-0x00000000028B0000-0x00000000028D7000-memory.dmp

Filesize
156KB

Download
memory/4348-366-0x00000000028E0000-0x0000000002902000-memory.dmp

Filesize
136KB

Download
memory/4348-520-0x00000000028E0000-0x0000000002902000-memory.dmp

Filesize
136KB

Download
memory/4396-395-0x0000000000000000-mapping.dmp

Download
memory/4396-455-0x0000000002E30000-0x0000000002E3B000-memory.dmp

Filesize
44KB

Download
memory/4396-522-0x0000000002E40000-0x0000000002E46000-memory.dmp

Filesize
24KB

Download
memory/4396-454-0x0000000002E40000-0x0000000002E46000-memory.dmp

Filesize
24KB

Download
memory/4516-430-0x0000000003240000-0x0000000003245000-memory.dmp

Filesize
20KB

Download
memory/4516-337-0x0000000000000000-mapping.dmp

Download
memory/4516-521-0x0000000003240000-0x0000000003245000-memory.dmp

Filesize
20KB

Download
memory/4516-432-0x0000000003230000-0x0000000003239000-memory.dmp

Filesize
36KB

Download