smokeloader | 382b7aef805a0d3a25cfa6dd776d110a7f01a4672903c6eed05c3a61509f3e03

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2023, 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ccd7a50b7f49ffd4bc65ce6389c60a68b6e76f2f595c734a6f410fb15380333.exe
Size

199KB
MD5

2ceed127a480b715d1229631e84a38ac
SHA1

b0d9198a9566a089406d374304eb7b95e2715ea0
SHA256

8ccd7a50b7f49ffd4bc65ce6389c60a68b6e76f2f595c734a6f410fb15380333
SHA512

fd790f39c172f3469abc6b4f28e6de423f3d4ec64e0892350f6e1b9446887d91dc65ec2f02e8ac4adcbbfd0f32ff0d6ca30d1defa9068e8a808f0114f61b9120
SSDEEP

3072:uBN2LS2tmwLb1nkvXtS5t7xoO44U0umYO9FE/xhabgF5Db0YhjWN:CmpLbyvXtk00PYBpAbgF5XdjW

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/4024-133-0x0000000002DF0000-0x0000000002DF9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1400	5469.exe

Loads dropped DLL 2 IoCs

pid	Process
1800	rundll32.exe
1800	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3760	1400	WerFault.exe	83

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8ccd7a50b7f49ffd4bc65ce6389c60a68b6e76f2f595c734a6f410fb15380333.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8ccd7a50b7f49ffd4bc65ce6389c60a68b6e76f2f595c734a6f410fb15380333.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8ccd7a50b7f49ffd4bc65ce6389c60a68b6e76f2f595c734a6f410fb15380333.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4024	8ccd7a50b7f49ffd4bc65ce6389c60a68b6e76f2f595c734a6f410fb15380333.exe
4024	8ccd7a50b7f49ffd4bc65ce6389c60a68b6e76f2f595c734a6f410fb15380333.exe
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4024	8ccd7a50b7f49ffd4bc65ce6389c60a68b6e76f2f595c734a6f410fb15380333.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3044	Process not Found
Token: SeCreatePagefilePrivilege	3044	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1400	3044	Process not Found	83
PID 3044 wrote to memory of 1400	3044	Process not Found	83
PID 3044 wrote to memory of 1400	3044	Process not Found	83
PID 1400 wrote to memory of 1800	1400	5469.exe	87
PID 1400 wrote to memory of 1800	1400	5469.exe	87
PID 1400 wrote to memory of 1800	1400	5469.exe	87

C:\Users\Admin\AppData\Local\Temp\8ccd7a50b7f49ffd4bc65ce6389c60a68b6e76f2f595c734a6f410fb15380333.exe
"C:\Users\Admin\AppData\Local\Temp\8ccd7a50b7f49ffd4bc65ce6389c60a68b6e76f2f595c734a6f410fb15380333.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4024

C:\Users\Admin\AppData\Local\Temp\5469.exe
C:\Users\Admin\AppData\Local\Temp\5469.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll,start
  2⤵
  - Loads dropped DLL
  PID:1800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 520
  2⤵
  - Program crash
  PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1400 -ip 1400
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5469.exe

Filesize
3.1MB

MD5
f8f43bc988fd35dbd9dc3801223a00c0

SHA1
d31a18d5b012d19fb77a6e23dab02a314054672c

SHA256
7c63fa71c9d97192d237a05926aa90f3f5d88f3186fa8c1354355046b568c090

SHA512
90783521a1d6fd28441128637f96802b53874fb89c2e578f41912cecc73b965c04a94f22fc7210af19a0437f6ad273c1cd003e9a01e4a43e2b1af942cbae5fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5469.exe

Filesize
3.1MB

MD5
f8f43bc988fd35dbd9dc3801223a00c0

SHA1
d31a18d5b012d19fb77a6e23dab02a314054672c

SHA256
7c63fa71c9d97192d237a05926aa90f3f5d88f3186fa8c1354355046b568c090

SHA512
90783521a1d6fd28441128637f96802b53874fb89c2e578f41912cecc73b965c04a94f22fc7210af19a0437f6ad273c1cd003e9a01e4a43e2b1af942cbae5fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll

Filesize
4.2MB

MD5
e9fb7828bde045d1a62f2dddfa90003c

SHA1
1cc2b0a63d513fb48d753ff9e037f648a4901d92

SHA256
adf89a2683f67bd49bb0bba3ff1c7c350b8beb7b42fb4e19d04329f2671731f6

SHA512
df364a00ea1cd814021af8baf36baf146a8171e08afa648c8a8e3d79aa7f95c7ebed611416d3c552a71ccd35ee7be3a181570f53a5f43fb66f5e9f3a285424c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll

Filesize
4.2MB

MD5
e9fb7828bde045d1a62f2dddfa90003c

SHA1
1cc2b0a63d513fb48d753ff9e037f648a4901d92

SHA256
adf89a2683f67bd49bb0bba3ff1c7c350b8beb7b42fb4e19d04329f2671731f6

SHA512
df364a00ea1cd814021af8baf36baf146a8171e08afa648c8a8e3d79aa7f95c7ebed611416d3c552a71ccd35ee7be3a181570f53a5f43fb66f5e9f3a285424c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll

Filesize
4.2MB

MD5
e9fb7828bde045d1a62f2dddfa90003c

SHA1
1cc2b0a63d513fb48d753ff9e037f648a4901d92

SHA256
adf89a2683f67bd49bb0bba3ff1c7c350b8beb7b42fb4e19d04329f2671731f6

SHA512
df364a00ea1cd814021af8baf36baf146a8171e08afa648c8a8e3d79aa7f95c7ebed611416d3c552a71ccd35ee7be3a181570f53a5f43fb66f5e9f3a285424c4

Download Submit
memory/1400-140-0x0000000004E50000-0x000000000520C000-memory.dmp

Filesize
3.7MB

Download
memory/1400-139-0x0000000004B49000-0x0000000004E49000-memory.dmp

Filesize
3.0MB

Download
memory/1400-141-0x0000000000400000-0x0000000002E87000-memory.dmp

Filesize
42.5MB

Download
memory/1400-147-0x0000000000400000-0x0000000002E87000-memory.dmp

Filesize
42.5MB

Download
memory/1800-146-0x0000000001F50000-0x000000000238C000-memory.dmp

Filesize
4.2MB

Download
memory/4024-132-0x0000000002E19000-0x0000000002E2C000-memory.dmp

Filesize
76KB

Download
memory/4024-135-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4024-134-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4024-133-0x0000000002DF0000-0x0000000002DF9000-memory.dmp

Filesize
36KB

Download