smokeloader | ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2

General

Target

ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe
Size

239KB
MD5

a7dda8e68c3cf6c3947e5feaa77730ad
SHA1

32d21754d7dbe4f52541970c9ff865c2ac86c28b
SHA256

ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2
SHA512

babdafa8b435eab8cae3080946ed4cf78fcd9ab053876c52d8ece0341014515bb28948192ca6ef895d18867e750fb8d6b94a2bc52330d3739b44e98822427c6e
SSDEEP

3072:shtytGLK68v4iy50r53eAwKMOYD24oSCJiY9UiJuV/GohdBcf0Evier7RbR8pgX:s9Lw4iy5yKH99xY9Uiq/Goyftx7cpgX

Score

10^/10

smokeloader systembc backdoor trojan

Malware Config

Extracted

Family

systembc

C2

109.205.214.18:443

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4736-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

60 2308 rundll32.exe
66 2308 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

D650.exeE64F.exeuexd.exe

pid process

4756 D650.exe
228 E64F.exe
1200 uexd.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2308 rundll32.exe
Drops file in Windows directory 2 IoCs

Processes:

E64F.exe

description ioc process

File created C:\Windows\Tasks\uexd.job E64F.exe
File opened for modification C:\Windows\Tasks\uexd.job E64F.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4744 4756 WerFault.exe D650.exe
3536 228 WerFault.exe E64F.exe

flow	pid	process
60	2308	rundll32.exe
66	2308	rundll32.exe

pid	process
4756	D650.exe
228	E64F.exe
1200	uexd.exe

pid	process
2308	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\uexd.job	E64F.exe
File opened for modification	C:\Windows\Tasks\uexd.job	E64F.exe

pid	pid_target	process	target process
4744	4756	WerFault.exe	D650.exe
3536	228	WerFault.exe	E64F.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe

pid	process
4736	ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe
4736	ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2576
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe

pid process

4736 ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe

pid	process
2576

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

D650.exe

description	pid	process	target process
PID 2576 wrote to memory of 4756	2576		D650.exe
PID 2576 wrote to memory of 4756	2576		D650.exe
PID 2576 wrote to memory of 4756	2576		D650.exe
PID 4756 wrote to memory of 2308	4756	D650.exe	rundll32.exe
PID 4756 wrote to memory of 2308	4756	D650.exe	rundll32.exe
PID 4756 wrote to memory of 2308	4756	D650.exe	rundll32.exe
PID 2576 wrote to memory of 228	2576		E64F.exe
PID 2576 wrote to memory of 228	2576		E64F.exe
PID 2576 wrote to memory of 228	2576		E64F.exe

C:\Users\Admin\AppData\Local\Temp\ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe
"C:\Users\Admin\AppData\Local\Temp\ddc74a8151032ae3c6caf35758f0b6c81185ea739659605913f55468df8384d2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4736

C:\Users\Admin\AppData\Local\Temp\D650.exe
C:\Users\Admin\AppData\Local\Temp\D650.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uyieweaiht.tmp",Hfesyte
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 556
2⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4756 -ip 4756
1⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\E64F.exe
C:\Users\Admin\AppData\Local\Temp\E64F.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 492
2⤵
- Program crash
PID:3536

C:\ProgramData\leect\uexd.exe
C:\ProgramData\leect\uexd.exe start
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 228 -ip 228
1⤵
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\leect\uexd.exe
Filesize
240KB

MD5
ca810ef2745de0c5636e539a80fc3467

SHA1
28d303ec336b54aa0ed4796e93481f788428f4b3

SHA256
52d1b27dddcf8fc24ea4258f108fc186feeaa95d9b882341c7a49a5d8b819436

SHA512
58e788b25302a3c3f29dd95fab61c74ef3971d3ea654c66ca3446a878f29e129a286cf7170bde023435b9328f98224774089ff08005d957ae6245d02ab9c92de

Download Submit
C:\ProgramData\leect\uexd.exe
Filesize
240KB

MD5
ca810ef2745de0c5636e539a80fc3467

SHA1
28d303ec336b54aa0ed4796e93481f788428f4b3

SHA256
52d1b27dddcf8fc24ea4258f108fc186feeaa95d9b882341c7a49a5d8b819436

SHA512
58e788b25302a3c3f29dd95fab61c74ef3971d3ea654c66ca3446a878f29e129a286cf7170bde023435b9328f98224774089ff08005d957ae6245d02ab9c92de

Download Submit
C:\Users\Admin\AppData\Local\Temp\D650.exe
Filesize
1.1MB

MD5
cf372ea7f9cab8a6805c6890e1d56b64

SHA1
869d9c3b027dcc1286eaf23d3225ed3fcedd66ed

SHA256
de8ce0ef219b1221ca150899cbbb21a0c35265a22f4c6a3374ef179bb052fa37

SHA512
0b6487bd5a4a56b7a2d10c31f52e8d8a2714a4c26d022d222152b832098015e7b352674a18de9cddec9a17e946606ec00e4e19405dd2c30076455d0cdb3c948e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D650.exe
Filesize
1.1MB

MD5
cf372ea7f9cab8a6805c6890e1d56b64

SHA1
869d9c3b027dcc1286eaf23d3225ed3fcedd66ed

SHA256
de8ce0ef219b1221ca150899cbbb21a0c35265a22f4c6a3374ef179bb052fa37

SHA512
0b6487bd5a4a56b7a2d10c31f52e8d8a2714a4c26d022d222152b832098015e7b352674a18de9cddec9a17e946606ec00e4e19405dd2c30076455d0cdb3c948e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E64F.exe
Filesize
240KB

MD5
ca810ef2745de0c5636e539a80fc3467

SHA1
28d303ec336b54aa0ed4796e93481f788428f4b3

SHA256
52d1b27dddcf8fc24ea4258f108fc186feeaa95d9b882341c7a49a5d8b819436

SHA512
58e788b25302a3c3f29dd95fab61c74ef3971d3ea654c66ca3446a878f29e129a286cf7170bde023435b9328f98224774089ff08005d957ae6245d02ab9c92de

Download Submit
C:\Users\Admin\AppData\Local\Temp\E64F.exe
Filesize
240KB

MD5
ca810ef2745de0c5636e539a80fc3467

SHA1
28d303ec336b54aa0ed4796e93481f788428f4b3

SHA256
52d1b27dddcf8fc24ea4258f108fc186feeaa95d9b882341c7a49a5d8b819436

SHA512
58e788b25302a3c3f29dd95fab61c74ef3971d3ea654c66ca3446a878f29e129a286cf7170bde023435b9328f98224774089ff08005d957ae6245d02ab9c92de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uyieweaiht.tmp
Filesize
788KB

MD5
8e37ae196e2cdea4dbc44dc99a84a80f

SHA1
b81e6a81a6efe6f44a0edd73ef3b8635b8ae3a0e

SHA256
f61cae9301f5336f9048c1b7e68eab13bb839f63925bc6625f8e7e20f32f00c6

SHA512
fbb1418cab570e6e4e375da3dd99616add73576da1ace88a44adc57a39a6911dab2e3e150366cc7b662604859e6ede53b2a9f2876afe14a0b5e0ea7b7db75e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uyieweaiht.tmp
Filesize
788KB

MD5
8e37ae196e2cdea4dbc44dc99a84a80f

SHA1
b81e6a81a6efe6f44a0edd73ef3b8635b8ae3a0e

SHA256
f61cae9301f5336f9048c1b7e68eab13bb839f63925bc6625f8e7e20f32f00c6

SHA512
fbb1418cab570e6e4e375da3dd99616add73576da1ace88a44adc57a39a6911dab2e3e150366cc7b662604859e6ede53b2a9f2876afe14a0b5e0ea7b7db75e41

Download Submit
memory/228-150-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/228-148-0x00000000007A3000-0x00000000007B4000-memory.dmp

Filesize
68KB

Download
memory/228-155-0x00000000007A3000-0x00000000007B4000-memory.dmp

Filesize
68KB

Download
memory/228-145-0x0000000000000000-mapping.dmp

Download
memory/228-149-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1200-154-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1200-153-0x000000000082D000-0x000000000083E000-memory.dmp

Filesize
68KB

Download
memory/2308-139-0x0000000000000000-mapping.dmp

Download
memory/4736-132-0x0000000000582000-0x0000000000592000-memory.dmp

Filesize
64KB

Download
memory/4736-135-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4736-134-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4736-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4756-136-0x0000000000000000-mapping.dmp

Download
memory/4756-143-0x0000000002400000-0x0000000002529000-memory.dmp

Filesize
1.2MB

Download
memory/4756-144-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/4756-142-0x0000000000888000-0x0000000000970000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads