smokeloader | a13832486341f565c88eac3e00ac858e0855bbe880748d62ff8036d494017d13

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2022 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a13832486341f565c88eac3e00ac858e0855bbe880748d62ff8036d494017d13.exe
Size

214KB
MD5

04fe5ef212e085abf2cc3fc5a25d83c2
SHA1

18e2905c972f0370845bfce68b1928c27438c124
SHA256

a13832486341f565c88eac3e00ac858e0855bbe880748d62ff8036d494017d13
SHA512

86d6ce720c60f474b4ababcca8ebec64f6e2ffaa14ac5f7722ae7b742facc4e27aa1175718713802fa7966ea54a448317c41c95f94a62033b61bebb8b9579460
SSDEEP

3072:ggZBV5LqYuwSR5qQEiqpvGeRQl/i47I8RsLszhGBt940zwUzQRKF+:rfrLRuhqYujeH7I8RsgzhGBt940M2b

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/4300-133-0x00000000004A0000-0x00000000004A9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3956	ECA7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2748	Process not Found
3432	chrome.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3940	3956	WerFault.exe	89
4380	3432	WerFault.exe	92

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a13832486341f565c88eac3e00ac858e0855bbe880748d62ff8036d494017d13.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a13832486341f565c88eac3e00ac858e0855bbe880748d62ff8036d494017d13.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a13832486341f565c88eac3e00ac858e0855bbe880748d62ff8036d494017d13.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4300	a13832486341f565c88eac3e00ac858e0855bbe880748d62ff8036d494017d13.exe
4300	a13832486341f565c88eac3e00ac858e0855bbe880748d62ff8036d494017d13.exe
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found
2748	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4300	a13832486341f565c88eac3e00ac858e0855bbe880748d62ff8036d494017d13.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	3956	ECA7.exe
Token: SeShutdownPrivilege	2748	Process not Found
Token: SeCreatePagefilePrivilege	2748	Process not Found
Token: SeShutdownPrivilege	2748	Process not Found
Token: SeCreatePagefilePrivilege	2748	Process not Found
Token: SeDebugPrivilege	2748	Process not Found
Token: SeShutdownPrivilege	2748	Process not Found
Token: SeCreatePagefilePrivilege	2748	Process not Found
Token: SeShutdownPrivilege	2748	Process not Found
Token: SeCreatePagefilePrivilege	2748	Process not Found
Token: SeShutdownPrivilege	2748	Process not Found
Token: SeCreatePagefilePrivilege	2748	Process not Found
Token: SeShutdownPrivilege	2748	Process not Found
Token: SeCreatePagefilePrivilege	2748	Process not Found
Token: SeShutdownPrivilege	2748	Process not Found
Token: SeCreatePagefilePrivilege	2748	Process not Found
Token: SeShutdownPrivilege	2748	Process not Found
Token: SeCreatePagefilePrivilege	2748	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3956	ECA7.exe
3432	chrome.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3956	ECA7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3432	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 3956	2748	Process not Found	89
PID 2748 wrote to memory of 3956	2748	Process not Found	89
PID 2748 wrote to memory of 3956	2748	Process not Found	89
PID 2748 wrote to memory of 3432	2748	Process not Found	92
PID 2748 wrote to memory of 3432	2748	Process not Found	92
PID 3432 wrote to memory of 4308	3432	chrome.exe	93
PID 3432 wrote to memory of 4308	3432	chrome.exe	93
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 3024	3432	chrome.exe	96
PID 3432 wrote to memory of 372	3432	chrome.exe	97
PID 3432 wrote to memory of 372	3432	chrome.exe	97
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98
PID 3432 wrote to memory of 3996	3432	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\a13832486341f565c88eac3e00ac858e0855bbe880748d62ff8036d494017d13.exe
"C:\Users\Admin\AppData\Local\Temp\a13832486341f565c88eac3e00ac858e0855bbe880748d62ff8036d494017d13.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4300

C:\Users\Admin\AppData\Local\Temp\ECA7.exe
C:\Users\Admin\AppData\Local\Temp\ECA7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 388
  2⤵
  - Program crash
  PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3956 -ip 3956
1⤵
PID:560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff953c64f50,0x7ff953c64f60,0x7ff953c64f70
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,5237403951219325190,942878582776971511,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,5237403951219325190,942878582776971511,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,5237403951219325190,942878582776971511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,5237403951219325190,942878582776971511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3596 /prefetch:8
  2⤵
  PID:2392
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3432 -s 3624
  2⤵
  - Program crash
  PID:4380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3432 -ip 3432
1⤵
PID:3708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ECA7.exe

Filesize
1.3MB

MD5
c1eec8ab32c230801261baa8cf687727

SHA1
b00aeaf52fb3abc779a6a820f087fc11c26c5b51

SHA256
40e3dda3161034024bd27c8ef898988d4378c9daf3f23d59c80470696da00de1

SHA512
5ac97bae0572db60c788f7d4e503e9b2151f12dab08d90696ff66a51d65b0e80a88cfbe6e5ba5bbd6b44ccd1e3fe5dd130ac81dae290bfea54a7df712fdc4258

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECA7.exe

Filesize
1.3MB

MD5
c1eec8ab32c230801261baa8cf687727

SHA1
b00aeaf52fb3abc779a6a820f087fc11c26c5b51

SHA256
40e3dda3161034024bd27c8ef898988d4378c9daf3f23d59c80470696da00de1

SHA512
5ac97bae0572db60c788f7d4e503e9b2151f12dab08d90696ff66a51d65b0e80a88cfbe6e5ba5bbd6b44ccd1e3fe5dd130ac81dae290bfea54a7df712fdc4258

Download Submit
memory/2748-145-0x0000000008040000-0x0000000008165000-memory.dmp

Filesize
1.1MB

Download
memory/2748-143-0x0000000008040000-0x0000000008165000-memory.dmp

Filesize
1.1MB

Download
memory/2748-139-0x0000000008040000-0x0000000008165000-memory.dmp

Filesize
1.1MB

Download
memory/3956-141-0x00000000022F0000-0x000000000241F000-memory.dmp

Filesize
1.2MB

Download
memory/3956-140-0x00000000007D1000-0x00000000008FF000-memory.dmp

Filesize
1.2MB

Download
memory/3956-142-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/4300-132-0x0000000000572000-0x0000000000582000-memory.dmp

Filesize
64KB

Download
memory/4300-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4300-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4300-133-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download