smokeloader | e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe
Size

298KB
MD5

2f4dc143a76b941fc198f19f49064dca
SHA1

4055a041eb27e5ea28dc5d91559fc91057ee9af5
SHA256

e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8
SHA512

bf9e16d0c70e3c6a26a29f82dddefad9c672463355cdd2fb0bd58cc7bd1afdc2ddce1426668ae21357864e043a0d1b34a5114efd7cec637bff12f350a5098164
SSDEEP

3072:Czqb6b9vLHfFvRGSWrYdKys6BexzItdPXnuNhG6jB+KoNP+uQjiMTE5kTIO9a1w:CW+vLH9MScYdk6BexzItRka+uQj9La

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1092-133-0x0000000000700000-0x0000000000709000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

3B73.exe

pid process

1304 3B73.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4724 rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2932 1304 WerFault.exe 3B73.exe
2956 4724 WerFault.exe rundll32.exe

pid	process
1304	3B73.exe

pid	process
4724	rundll32.exe

pid	pid_target	process	target process
2932	1304	WerFault.exe	3B73.exe
2956	4724	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe

pid	process
1092	e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe
1092	e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2416
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe

pid process

1092 e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe

pid	process
2416

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3B73.exe

description	pid	process	target process
PID 2416 wrote to memory of 1304	2416		3B73.exe
PID 2416 wrote to memory of 1304	2416		3B73.exe
PID 2416 wrote to memory of 1304	2416		3B73.exe
PID 1304 wrote to memory of 4724	1304	3B73.exe	rundll32.exe
PID 1304 wrote to memory of 4724	1304	3B73.exe	rundll32.exe
PID 1304 wrote to memory of 4724	1304	3B73.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe
"C:\Users\Admin\AppData\Local\Temp\e294d4b824ff1e330bcfeb7b130df5162f1cb733d58861bab6970ee61c2bf7f8.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1092

C:\Users\Admin\AppData\Local\Temp\3B73.exe
C:\Users\Admin\AppData\Local\Temp\3B73.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll,start
2⤵
- Loads dropped DLL
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 796
3⤵
- Program crash
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 516
2⤵
- Program crash
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1304 -ip 1304
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4724 -ip 4724
1⤵
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3B73.exe
Filesize
3.7MB

MD5
247300a29ab85ce508146a1fe855aa41

SHA1
822b06c6b1bfdd98ce758c6b8c4c203c4a702e3d

SHA256
d394bb9b02f0b72a853d152a90ae62f21ec3bfd4a5455f2670ca59745748c4c5

SHA512
1008043bfc542e8fa0cbf4c5214a8a10ed41a9574bbddeee15dc45430f23111d8387a2508615d726ff3e19b2732ce8ed6a60ebbf8344677d96f5f81bb45e96c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B73.exe
Filesize
3.7MB

MD5
247300a29ab85ce508146a1fe855aa41

SHA1
822b06c6b1bfdd98ce758c6b8c4c203c4a702e3d

SHA256
d394bb9b02f0b72a853d152a90ae62f21ec3bfd4a5455f2670ca59745748c4c5

SHA512
1008043bfc542e8fa0cbf4c5214a8a10ed41a9574bbddeee15dc45430f23111d8387a2508615d726ff3e19b2732ce8ed6a60ebbf8344677d96f5f81bb45e96c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
6ec2c7b7e29a4a13ef2771f046de5bc8

SHA1
1f2a1f33b3aaa33cd9fc8a6a9eeebc56922099c0

SHA256
c4be1e972e8f255ce6f815d2ca5d76462458ebb5f5679b1e97eaba2210a9df47

SHA512
196035784db0c37f9966fe773e5b6127871e380445f0c46210b568650a0544cebdafb9e30c557de5cb6eaf35c7cf5281f813fde69408ea591a391e545d63b51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
6ec2c7b7e29a4a13ef2771f046de5bc8

SHA1
1f2a1f33b3aaa33cd9fc8a6a9eeebc56922099c0

SHA256
c4be1e972e8f255ce6f815d2ca5d76462458ebb5f5679b1e97eaba2210a9df47

SHA512
196035784db0c37f9966fe773e5b6127871e380445f0c46210b568650a0544cebdafb9e30c557de5cb6eaf35c7cf5281f813fde69408ea591a391e545d63b51e

Download Submit
memory/1092-133-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/1092-135-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1092-134-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1092-132-0x00000000007BE000-0x00000000007D3000-memory.dmp

Filesize
84KB

Download
memory/1304-162-0x0000000000000000-mapping.dmp

Download
memory/1304-165-0x000000000265E000-0x00000000029D6000-memory.dmp

Filesize
3.5MB

Download
memory/1304-166-0x00000000029E0000-0x0000000002EB6000-memory.dmp

Filesize
4.8MB

Download
memory/1304-171-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/1304-167-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2416-177-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-183-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-142-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-144-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-146-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2416-148-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-145-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-150-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/2416-149-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-152-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-153-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-154-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-155-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-156-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-141-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-157-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-158-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-159-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/2416-160-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/2416-161-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/2416-219-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2416-139-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-138-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-137-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-172-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-173-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-174-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-175-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-176-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-136-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-178-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-179-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-180-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-181-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-182-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-140-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-184-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-185-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/2416-186-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-187-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-188-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-189-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-190-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-193-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-192-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-195-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-194-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-191-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/2416-196-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/2416-197-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/2416-198-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/2416-199-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-200-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-201-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-202-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-203-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-204-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-205-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-206-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-207-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-208-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-209-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-210-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-211-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-212-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-213-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-214-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-215-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2416-216-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2416-217-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2416-218-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/4724-168-0x0000000000000000-mapping.dmp

Download