smokeloader | be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348

General

Target

be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe
Size

320KB
MD5

0b15593f7c3f3533ccdc5acb09f52f2c
SHA1

59586e724c47ea28fab0ff6c0f1ba95d08e3ff8a
SHA256

be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348
SHA512

34d3b9b6839fdec05473540a9cf71f5e75da5488bd704838e0823454e5bc0cb525115513b4b1be49ee3c2251de73c63e2c45b6886c3c17c29660902b276dba3a
SSDEEP

6144:Ad7N4yeILgLTJieu2T+7Lf9Ld+c8vP6/BqUjxF:Ad72yjsLTJip2a7b+cRxF

Score

10^/10

smokeloader backdoor collection discovery spyware stealer trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4968-133-0x0000000000030000-0x0000000000039000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

53 3836 rundll32.exe
55 3836 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

702F.exe

pid process

3716 702F.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3836 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
53	3836	rundll32.exe
55	3836	rundll32.exe

pid	process
3716	702F.exe

pid	process
3836	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3836 set thread context of 3256 3836 rundll32.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2636 3716 WerFault.exe 702F.exe

description	pid	process	target process
PID 3836 set thread context of 3256	3836	rundll32.exe	rundll32.exe

pid	pid_target	process	target process
2636	3716	WerFault.exe	702F.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe

pid	process
4968	be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe
4968	be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992
992

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

992
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe

pid process

4968 be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe

pid	process
992

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	992
Token: SeCreatePagefilePrivilege	992
Token: SeDebugPrivilege	3836	rundll32.exe
Token: SeShutdownPrivilege	992
Token: SeCreatePagefilePrivilege	992
Token: SeShutdownPrivilege	992
Token: SeCreatePagefilePrivilege	992

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3256 rundll32.exe
992
992
992
992
3836 rundll32.exe
992
992
992
992

pid	process
3256	rundll32.exe
992
992
992
992
3836	rundll32.exe
992
992
992
992

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

702F.exerundll32.exe

description	pid	process	target process
PID 992 wrote to memory of 3716	992		702F.exe
PID 992 wrote to memory of 3716	992		702F.exe
PID 992 wrote to memory of 3716	992		702F.exe
PID 3716 wrote to memory of 3836	3716	702F.exe	rundll32.exe
PID 3716 wrote to memory of 3836	3716	702F.exe	rundll32.exe
PID 3716 wrote to memory of 3836	3716	702F.exe	rundll32.exe
PID 3836 wrote to memory of 3256	3836	rundll32.exe	rundll32.exe
PID 3836 wrote to memory of 3256	3836	rundll32.exe	rundll32.exe
PID 3836 wrote to memory of 3256	3836	rundll32.exe	rundll32.exe
PID 3836 wrote to memory of 2992	3836	rundll32.exe	schtasks.exe
PID 3836 wrote to memory of 2992	3836	rundll32.exe	schtasks.exe
PID 3836 wrote to memory of 2992	3836	rundll32.exe	schtasks.exe
PID 3836 wrote to memory of 4080	3836	rundll32.exe	schtasks.exe
PID 3836 wrote to memory of 4080	3836	rundll32.exe	schtasks.exe
PID 3836 wrote to memory of 4080	3836	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe
"C:\Users\Admin\AppData\Local\Temp\be857d3359bc69888a68cfcf65ce7e042d0cdd1cb46c6729941d9117eb1e4348.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4968

C:\Users\Admin\AppData\Local\Temp\702F.exe
C:\Users\Admin\AppData\Local\Temp\702F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Eshwsfeuryqqffi.tmp",Qiysidaatietut
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3836

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 17206
3⤵
- Suspicious use of FindShellTrayWindow
PID:3256

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2992

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 536
2⤵
- Program crash
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3716 -ip 3716
1⤵
PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\702F.exe
Filesize
1.1MB

MD5
54f3ed7dcf3e38ee302db0a522de536c

SHA1
07c65a0879412284920e72b03b3749721551f923

SHA256
95144c77eb6c9fe678e3ac4dfef79a7614d443196bee29756fe345d13ef99e0c

SHA512
0c865249a17ef90df9c8a5ccee4ed99f6ab4bb05e40db48bc434ceb56313eca883d09ee02b9b4d0f28f949862232ffe069c196060f7d27016a1ed175ae64ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\702F.exe
Filesize
1.1MB

MD5
54f3ed7dcf3e38ee302db0a522de536c

SHA1
07c65a0879412284920e72b03b3749721551f923

SHA256
95144c77eb6c9fe678e3ac4dfef79a7614d443196bee29756fe345d13ef99e0c

SHA512
0c865249a17ef90df9c8a5ccee4ed99f6ab4bb05e40db48bc434ceb56313eca883d09ee02b9b4d0f28f949862232ffe069c196060f7d27016a1ed175ae64ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eshwsfeuryqqffi.tmp
Filesize
768KB

MD5
96655ec3277ef2e9ea4b5723f60f5b04

SHA1
b29e9005cedc5e0d63981e59b05a12f006bd8640

SHA256
36cb491e91dc40d4a24f25944c5dca41195e1e7eb9788028f72e38b08789616d

SHA512
cb151e071426cba0ec433b4ff8b173a9e07fc922e2b9d9d9359bcd5367a79e5bb996e8afbbfe4dd11bde1a33724b7f70479ac248762f5c9d17f3e0d7d67c151c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eshwsfeuryqqffi.tmp
Filesize
768KB

MD5
96655ec3277ef2e9ea4b5723f60f5b04

SHA1
b29e9005cedc5e0d63981e59b05a12f006bd8640

SHA256
36cb491e91dc40d4a24f25944c5dca41195e1e7eb9788028f72e38b08789616d

SHA512
cb151e071426cba0ec433b4ff8b173a9e07fc922e2b9d9d9359bcd5367a79e5bb996e8afbbfe4dd11bde1a33724b7f70479ac248762f5c9d17f3e0d7d67c151c

Download Submit
memory/2992-162-0x0000000000000000-mapping.dmp

Download
memory/3256-161-0x0000017B64420000-0x0000017B646C5000-memory.dmp

Filesize
2.6MB

Download
memory/3256-156-0x0000017B65E70000-0x0000017B65FB0000-memory.dmp

Filesize
1.2MB

Download
memory/3256-159-0x0000017B64420000-0x0000017B646C5000-memory.dmp

Filesize
2.6MB

Download
memory/3256-157-0x0000000000130000-0x00000000003C3000-memory.dmp

Filesize
2.6MB

Download
memory/3256-158-0x0000017B65E70000-0x0000017B65FB0000-memory.dmp

Filesize
1.2MB

Download
memory/3256-155-0x00007FF62A9A6890-mapping.dmp

Download
memory/3716-140-0x00000000007DB000-0x00000000008BA000-memory.dmp

Filesize
892KB

Download
memory/3716-141-0x00000000009D0000-0x0000000000AF0000-memory.dmp

Filesize
1.1MB

Download
memory/3716-142-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3716-146-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3716-137-0x0000000000000000-mapping.dmp

Download
memory/3836-154-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/3836-148-0x0000000005780000-0x00000000062E2000-memory.dmp

Filesize
11.4MB

Download
memory/3836-150-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/3836-151-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/3836-152-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/3836-153-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/3836-143-0x0000000000000000-mapping.dmp

Download
memory/3836-149-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/3836-160-0x0000000005780000-0x00000000062E2000-memory.dmp

Filesize
11.4MB

Download
memory/3836-147-0x0000000005780000-0x00000000062E2000-memory.dmp

Filesize
11.4MB

Download
memory/4080-163-0x0000000000000000-mapping.dmp

Download
memory/4968-136-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4968-135-0x0000000000692000-0x00000000006A7000-memory.dmp

Filesize
84KB

Download
memory/4968-132-0x0000000000692000-0x00000000006A7000-memory.dmp

Filesize
84KB

Download
memory/4968-134-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4968-133-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads