smokeloader | a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
20-12-2022 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe
Size

214KB
MD5

9ac92f2a0c65c0ef8577af9f7ce31bf5
SHA1

1a00e61a3b11d82ccfa26fdcc297bcec9c04da46
SHA256

a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581
SHA512

e5594fdd7aae6dec4d92a16fe47e53068427c4af711321f18bca8d9d756544dce9598b010a8435a9074c95efab974f5a41e7d2c48f5debe4913b88eaab22d3dc
SSDEEP

3072:NALLoo7R3C/pSGzGoJTrfOUL7PWz7b/tFdwpKWRNHCDml:aLoxhBTrfOWDWjLdwpKkCa

Score

10^/10

smokeloader systembc backdoor trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2404-141-0x00000000005D0000-0x00000000005D9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

2F9.exewpxpdt.exe

pid process

4464 2F9.exe
3480 wpxpdt.exe
Deletes itself 1 IoCs

Processes:

pid process

3104
Drops file in Windows directory 2 IoCs

Processes:

2F9.exe

description ioc process

File created C:\Windows\Tasks\wpxpdt.job 2F9.exe
File opened for modification C:\Windows\Tasks\wpxpdt.job 2F9.exe

pid	process
4464	2F9.exe
3480	wpxpdt.exe

pid	process
3104

description	ioc	process
File created	C:\Windows\Tasks\wpxpdt.job	2F9.exe
File opened for modification	C:\Windows\Tasks\wpxpdt.job	2F9.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe

pid	process
2404	a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe
2404	a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3104
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe

pid process

2404 a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe

pid	process
3104

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104
Token: SeShutdownPrivilege	3104
Token: SeCreatePagefilePrivilege	3104

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 3104 wrote to memory of 4464	3104	2F9.exe
PID 3104 wrote to memory of 4464	3104	2F9.exe
PID 3104 wrote to memory of 4464	3104	2F9.exe

C:\Users\Admin\AppData\Local\Temp\a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe
"C:\Users\Admin\AppData\Local\Temp\a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2404

C:\Users\Admin\AppData\Local\Temp\2F9.exe
C:\Users\Admin\AppData\Local\Temp\2F9.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4464

C:\ProgramData\tlrlj\wpxpdt.exe
C:\ProgramData\tlrlj\wpxpdt.exe start
1⤵
- Executes dropped EXE
PID:3480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tlrlj\wpxpdt.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\tlrlj\wpxpdt.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F9.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F9.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
memory/2404-116-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-117-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-118-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-119-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-120-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-121-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-122-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-123-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-124-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-125-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-126-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-127-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-128-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-129-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-130-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-131-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-132-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-133-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-134-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-135-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-136-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-137-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-138-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-139-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-140-0x0000000000696000-0x00000000006A7000-memory.dmp

Filesize
68KB

Download
memory/2404-141-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/2404-142-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2404-143-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-144-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-145-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-146-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-147-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-148-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-149-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-150-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-151-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-152-0x0000000000696000-0x00000000006A7000-memory.dmp

Filesize
68KB

Download
memory/2404-153-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3480-265-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/3480-266-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/3480-270-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/3480-269-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/3480-267-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4464-176-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-214-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/4464-161-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-180-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-164-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-165-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-166-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-167-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-169-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-170-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-168-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-171-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-173-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-174-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-175-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-177-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-154-0x0000000000000000-mapping.dmp

Download
memory/4464-179-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/4464-162-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-160-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-181-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/4464-182-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-183-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-184-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-185-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-187-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-186-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-188-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-189-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-190-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-158-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-159-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-157-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-156-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-213-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4464-178-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4464-215-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download