smokeloader | 90988c815a0d7bca3e0e8cc3ebde74d55e3eda874687ed7b92bb3528c2745d57

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

284KB
MD5

a446d1372a365a1d59bf68fbdb8f5af6
SHA1

b832411ea49bc2e87b1a950acf716d4c65f34075
SHA256

90988c815a0d7bca3e0e8cc3ebde74d55e3eda874687ed7b92bb3528c2745d57
SHA512

32de47c199311f2e9ea380feafdeb45bdf9868fb428aa83e0add048e26cadd3ce22406dfd1f8cab9ee971df5744aae06e1e09cbd001e5e9178560b4736a63476
SSDEEP

3072:sHqXjNetbVnFLYM+VnWRaR5CxaiUIozR9FsGY67ACAZMlw:sHqUFLYM+VnkaOxaiU19e+UCAZOw

Score

10^/10

smokeloader systembc backdoor persistence trojan

Malware Config

Extracted

Family

systembc

144.76.223.74:443

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2400-133-0x0000000000550000-0x0000000000559000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

E3CD.exe9BB4.exentlhost.exeCC5A.exetatgdes

pid process

176 E3CD.exe
392 9BB4.exe
1268 ntlhost.exe
2028 CC5A.exe
1112 tatgdes
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3300 rundll32.exe

pid	process
176	E3CD.exe
392	9BB4.exe
1268	ntlhost.exe
2028	CC5A.exe
1112	tatgdes

pid	process
3300	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9BB4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	9BB4.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1276 176 WerFault.exe E3CD.exe

pid	pid_target	process	target process
1276	176	WerFault.exe	E3CD.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exetatgdes

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tatgdes
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tatgdes
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tatgdes

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 129 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	129	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
2400	file.exe
2400	file.exe
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

740
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exetatgdes

pid process

2400 file.exe
1112 tatgdes

pid	process
740

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

E3CD.exe9BB4.exe

description	pid	process	target process
PID 740 wrote to memory of 176	740		E3CD.exe
PID 740 wrote to memory of 176	740		E3CD.exe
PID 740 wrote to memory of 176	740		E3CD.exe
PID 176 wrote to memory of 3300	176	E3CD.exe	rundll32.exe
PID 176 wrote to memory of 3300	176	E3CD.exe	rundll32.exe
PID 176 wrote to memory of 3300	176	E3CD.exe	rundll32.exe
PID 740 wrote to memory of 392	740		9BB4.exe
PID 740 wrote to memory of 392	740		9BB4.exe
PID 740 wrote to memory of 392	740		9BB4.exe
PID 392 wrote to memory of 1268	392	9BB4.exe	ntlhost.exe
PID 392 wrote to memory of 1268	392	9BB4.exe	ntlhost.exe
PID 392 wrote to memory of 1268	392	9BB4.exe	ntlhost.exe
PID 740 wrote to memory of 2028	740		CC5A.exe
PID 740 wrote to memory of 2028	740		CC5A.exe
PID 740 wrote to memory of 2028	740		CC5A.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2400

C:\Users\Admin\AppData\Local\Temp\E3CD.exe
C:\Users\Admin\AppData\Local\Temp\E3CD.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:176
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Aupsoyqaypedu.dll,start
  2⤵
  - Loads dropped DLL
  PID:3300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 176 -s 480
  2⤵
  - Program crash
  PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 176 -ip 176
1⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\9BB4.exe
C:\Users\Admin\AppData\Local\Temp\9BB4.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1268

C:\Users\Admin\AppData\Local\Temp\CC5A.exe
C:\Users\Admin\AppData\Local\Temp\CC5A.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Users\Admin\AppData\Roaming\tatgdes
C:\Users\Admin\AppData\Roaming\tatgdes
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9BB4.exe

Filesize
1.8MB

MD5
7aca913279c053180d4a033dc35f33f7

SHA1
f5d580d11f08cc3815b9ee326d6aeb5742919de6

SHA256
1063dbd630ff2a5917a3f66fca581c5742172d2fdb8e6f7c2cfa6d68fdd90420

SHA512
6c47d97a68b495c5e2fae8e2d64f6f7b17bc8225ed1bdb17d255a1425cbf462537d431dfad2939e27efe6a008d4206f109a468179a08d6039729f91456cb7041

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BB4.exe

Filesize
1.8MB

MD5
7aca913279c053180d4a033dc35f33f7

SHA1
f5d580d11f08cc3815b9ee326d6aeb5742919de6

SHA256
1063dbd630ff2a5917a3f66fca581c5742172d2fdb8e6f7c2cfa6d68fdd90420

SHA512
6c47d97a68b495c5e2fae8e2d64f6f7b17bc8225ed1bdb17d255a1425cbf462537d431dfad2939e27efe6a008d4206f109a468179a08d6039729f91456cb7041

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aupsoyqaypedu.dll

Filesize
4.3MB

MD5
29c886d97bf185d5167fcad095b2cb8f

SHA1
ac7e70556f6ed41fe09c8f9bec612c7a512cbf7d

SHA256
3e6e252ef02d1ce604d537b7607e060eacca3d25ba359b8cc805711fb30223e5

SHA512
fb782ffed1324c814443877998b4825d79990a482148c4e2486c4b653cda2a2899eb5be38d9374bbf447871dbbc03f005e1652c5002d48c2701ef7d12a76b127

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aupsoyqaypedu.dll

Filesize
4.3MB

MD5
29c886d97bf185d5167fcad095b2cb8f

SHA1
ac7e70556f6ed41fe09c8f9bec612c7a512cbf7d

SHA256
3e6e252ef02d1ce604d537b7607e060eacca3d25ba359b8cc805711fb30223e5

SHA512
fb782ffed1324c814443877998b4825d79990a482148c4e2486c4b653cda2a2899eb5be38d9374bbf447871dbbc03f005e1652c5002d48c2701ef7d12a76b127

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC5A.exe

Filesize
284KB

MD5
8e8cc48e57ee82729cefb0123889b0a1

SHA1
bf28dea9cc985b46a14bef73e26efc8c0dd0cb8a

SHA256
246cbf813e7b9436404dafbeb74647098f74a7c7159a24221f01030e3fbceff1

SHA512
26ee546639e29b051dd2234a74c6f33479901bfc3a51ff9f948404f33cc5e06a3d32690032ca7feb59c03f64db1dc47cde5080f2fa39c9e6837a109be5c78aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC5A.exe

Filesize
284KB

MD5
8e8cc48e57ee82729cefb0123889b0a1

SHA1
bf28dea9cc985b46a14bef73e26efc8c0dd0cb8a

SHA256
246cbf813e7b9436404dafbeb74647098f74a7c7159a24221f01030e3fbceff1

SHA512
26ee546639e29b051dd2234a74c6f33479901bfc3a51ff9f948404f33cc5e06a3d32690032ca7feb59c03f64db1dc47cde5080f2fa39c9e6837a109be5c78aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.exe

Filesize
3.6MB

MD5
fc89e67a998341ef091bd0fde19e43cd

SHA1
c6ae898d9adc650df9d0a744ca19f05889cdb76e

SHA256
79ac314ef801c6a26b9b8ce2cadca4bf7a43d90fb325e13f1de9726db35437f0

SHA512
c0fce1ce873f31e2e79d66b60493a6077988ae0792657b092627c1090b2e91c20f593c9d6add673868d66f18263145c45469459b807dfc154ffe7174073a4096

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.exe

Filesize
3.6MB

MD5
fc89e67a998341ef091bd0fde19e43cd

SHA1
c6ae898d9adc650df9d0a744ca19f05889cdb76e

SHA256
79ac314ef801c6a26b9b8ce2cadca4bf7a43d90fb325e13f1de9726db35437f0

SHA512
c0fce1ce873f31e2e79d66b60493a6077988ae0792657b092627c1090b2e91c20f593c9d6add673868d66f18263145c45469459b807dfc154ffe7174073a4096

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
474.6MB

MD5
cc850112c3551dc6a5f134ef4205c09e

SHA1
bf274b63bcf2e87a70c6d96a584e2ae72f59d4cc

SHA256
1886bd2a9085760e11dc0edc6100a98fdc7dcdf2a28f4f34008da0f368b14a04

SHA512
a54ab25dde959d641f4c935c9be61e8b68a2f0f89a1282d92498478b30e25879b9584cd617bdbe1cc4813ea9cb8ed8f68e7af7d817fb747bb7432d5cd1daacfd

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
471.5MB

MD5
db1e791f0afe60f32eb76c01256301b0

SHA1
e6e945038ac00242c78c550388190419b9f8b222

SHA256
1963244e88e2b383df1c93da879e4ce987a051abf674848794ac37f52c09288d

SHA512
8414719c1e3cf623aa0c546f64955338db3932167cab297637fb6add85f5792a6bfe94cfca7be1d4f82aaed10681fde147184c35b91a2d9fc50a4a67d447268c

Download Submit
C:\Users\Admin\AppData\Roaming\tatgdes

Filesize
284KB

MD5
a446d1372a365a1d59bf68fbdb8f5af6

SHA1
b832411ea49bc2e87b1a950acf716d4c65f34075

SHA256
90988c815a0d7bca3e0e8cc3ebde74d55e3eda874687ed7b92bb3528c2745d57

SHA512
32de47c199311f2e9ea380feafdeb45bdf9868fb428aa83e0add048e26cadd3ce22406dfd1f8cab9ee971df5744aae06e1e09cbd001e5e9178560b4736a63476

Download Submit
C:\Users\Admin\AppData\Roaming\tatgdes

Filesize
284KB

MD5
a446d1372a365a1d59bf68fbdb8f5af6

SHA1
b832411ea49bc2e87b1a950acf716d4c65f34075

SHA256
90988c815a0d7bca3e0e8cc3ebde74d55e3eda874687ed7b92bb3528c2745d57

SHA512
32de47c199311f2e9ea380feafdeb45bdf9868fb428aa83e0add048e26cadd3ce22406dfd1f8cab9ee971df5744aae06e1e09cbd001e5e9178560b4736a63476

Download Submit
memory/176-146-0x0000000000400000-0x00000000008E9000-memory.dmp

Filesize
4.9MB

Download
memory/176-136-0x0000000000000000-mapping.dmp

Download
memory/176-145-0x0000000000400000-0x00000000008E9000-memory.dmp

Filesize
4.9MB

Download
memory/176-139-0x000000000270F000-0x0000000002A8D000-memory.dmp

Filesize
3.5MB

Download
memory/176-140-0x0000000002A90000-0x0000000002F6D000-memory.dmp

Filesize
4.9MB

Download
memory/176-141-0x0000000000400000-0x00000000008E9000-memory.dmp

Filesize
4.9MB

Download
memory/392-150-0x0000000002494000-0x000000000263E000-memory.dmp

Filesize
1.7MB

Download
memory/392-151-0x0000000002640000-0x0000000002A10000-memory.dmp

Filesize
3.8MB

Download
memory/392-152-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/392-147-0x0000000000000000-mapping.dmp

Download
memory/392-156-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1112-168-0x0000000000519000-0x000000000052C000-memory.dmp

Filesize
76KB

Download
memory/1112-169-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1112-171-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1268-153-0x0000000000000000-mapping.dmp

Download
memory/1268-163-0x000000000245A000-0x0000000002604000-memory.dmp

Filesize
1.7MB

Download
memory/1268-170-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1268-164-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2028-162-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2028-161-0x0000000000510000-0x0000000000513000-memory.dmp

Filesize
12KB

Download
memory/2028-160-0x0000000000549000-0x000000000055C000-memory.dmp

Filesize
76KB

Download
memory/2028-157-0x0000000000000000-mapping.dmp

Download
memory/2028-167-0x0000000000549000-0x000000000055C000-memory.dmp

Filesize
76KB

Download
memory/2400-132-0x00000000005C9000-0x00000000005DC000-memory.dmp

Filesize
76KB

Download
memory/2400-135-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2400-134-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2400-133-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/3300-142-0x0000000000000000-mapping.dmp

Download