smokeloader | a36ecc3ce3984d107bcd5c67f275d42b94810ab444473ff61a6569f27a23bd40

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-12-2022 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe
Size

214KB
MD5

dbac1e546c31e01df2df4b2ebee2f2b5
SHA1

f7837f0e02f5c0e7f3dd5ad86ee9946e1a6c81d1
SHA256

ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3
SHA512

59772e87a7b596dda7afb9895fa00c5eaaacc423c8260f6c9bbca1b5218cc48424e12fb6c2d810252fbad8a8217b9d642c99dcb1d43c15d3a5228cd3cf9054e7
SSDEEP

3072:WwUBO36L+Zj21WClRB4cRO0BZyGiyctNRAtOba+3QnBtjcbImdzmuX:nUBNL+x21j9xRO0BZ/ct03BtjcbXF

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1380-56-0x0000000000220000-0x0000000000229000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe

pid	process
1380	ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe
1380	ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1212
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe

pid process

1380 ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe

pid	process
1212

C:\Users\Admin\AppData\Local\Temp\ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe
"C:\Users\Admin\AppData\Local\Temp\ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1380-55-0x000000000054B000-0x000000000055C000-memory.dmp

Filesize
68KB

Download
memory/1380-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1380-57-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1380-58-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download