smokeloader | d34d39b5696942111f20b5f44c782c978433dc7285cc4ae4aa49e2cab9a7676f

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2023 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52e818ad807f4a682e1f1fe9b09e9cd77d88934b00279b2d899de598be290adb.exe
Size

189KB
MD5

4b2e101c004ffa2da9032b9e41bd3803
SHA1

3aa99d3ad9377101f1cb7705d9b6f95f0c4c315f
SHA256

52e818ad807f4a682e1f1fe9b09e9cd77d88934b00279b2d899de598be290adb
SHA512

da65b885ddc75bd22bf4b96ad64c086e34cb1129ea8192426be8fdc0f4218b70e765541498519c47fd057ba89f2bb4b2d0a95788a1ce0e354afcc81de45b002b
SSDEEP

3072:mHu7nUnEHnqNT+Abg9/PLt3eew1n6iSjxkBlwyD1NuXGdmBbW:0OnUEHqNT+00PLxeeMn6nxkvwMNMGdm

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/4688-133-0x00000000006C0000-0x00000000006C9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1612	F647.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	52e818ad807f4a682e1f1fe9b09e9cd77d88934b00279b2d899de598be290adb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	52e818ad807f4a682e1f1fe9b09e9cd77d88934b00279b2d899de598be290adb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	52e818ad807f4a682e1f1fe9b09e9cd77d88934b00279b2d899de598be290adb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4688	52e818ad807f4a682e1f1fe9b09e9cd77d88934b00279b2d899de598be290adb.exe
4688	52e818ad807f4a682e1f1fe9b09e9cd77d88934b00279b2d899de598be290adb.exe
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2644	Process not Found

Suspicious behavior: MapViewOfSection 13 IoCs

pid	Process
4688	52e818ad807f4a682e1f1fe9b09e9cd77d88934b00279b2d899de598be290adb.exe
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found
2644	Process not Found

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1612	2644	Process not Found	87
PID 2644 wrote to memory of 1612	2644	Process not Found	87
PID 2644 wrote to memory of 4376	2644	Process not Found	88
PID 2644 wrote to memory of 4376	2644	Process not Found	88
PID 2644 wrote to memory of 4376	2644	Process not Found	88
PID 2644 wrote to memory of 4376	2644	Process not Found	88
PID 2644 wrote to memory of 4280	2644	Process not Found	89
PID 2644 wrote to memory of 4280	2644	Process not Found	89
PID 2644 wrote to memory of 4280	2644	Process not Found	89
PID 2644 wrote to memory of 2800	2644	Process not Found	90
PID 2644 wrote to memory of 2800	2644	Process not Found	90
PID 2644 wrote to memory of 2800	2644	Process not Found	90
PID 2644 wrote to memory of 2800	2644	Process not Found	90
PID 2644 wrote to memory of 2868	2644	Process not Found	91
PID 2644 wrote to memory of 2868	2644	Process not Found	91
PID 2644 wrote to memory of 2868	2644	Process not Found	91
PID 2644 wrote to memory of 4468	2644	Process not Found	92
PID 2644 wrote to memory of 4468	2644	Process not Found	92
PID 2644 wrote to memory of 4468	2644	Process not Found	92
PID 2644 wrote to memory of 4468	2644	Process not Found	92
PID 2644 wrote to memory of 3412	2644	Process not Found	93
PID 2644 wrote to memory of 3412	2644	Process not Found	93
PID 2644 wrote to memory of 3412	2644	Process not Found	93
PID 2644 wrote to memory of 3412	2644	Process not Found	93

C:\Users\Admin\AppData\Local\Temp\52e818ad807f4a682e1f1fe9b09e9cd77d88934b00279b2d899de598be290adb.exe
"C:\Users\Admin\AppData\Local\Temp\52e818ad807f4a682e1f1fe9b09e9cd77d88934b00279b2d899de598be290adb.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4688

C:\Users\Admin\AppData\Local\Temp\F647.exe
C:\Users\Admin\AppData\Local\Temp\F647.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4376

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4280

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2800

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F647.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F647.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
memory/1612-140-0x00007FFC91C10000-0x00007FFC926D1000-memory.dmp

Filesize
10.8MB

Download
memory/1612-139-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/2800-149-0x0000000000DE0000-0x0000000000DE9000-memory.dmp

Filesize
36KB

Download
memory/2800-148-0x0000000000DF0000-0x0000000000DF5000-memory.dmp

Filesize
20KB

Download
memory/2868-151-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/2868-152-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/3412-158-0x0000000000970000-0x0000000000979000-memory.dmp

Filesize
36KB

Download
memory/3412-157-0x0000000000980000-0x0000000000985000-memory.dmp

Filesize
20KB

Download
memory/4280-145-0x0000000000A00000-0x0000000000A09000-memory.dmp

Filesize
36KB

Download
memory/4280-146-0x00000000007F0000-0x00000000007FF000-memory.dmp

Filesize
60KB

Download
memory/4376-142-0x0000000000B70000-0x0000000000B77000-memory.dmp

Filesize
28KB

Download
memory/4376-143-0x0000000000B60000-0x0000000000B6B000-memory.dmp

Filesize
44KB

Download
memory/4468-154-0x0000000000800000-0x0000000000822000-memory.dmp

Filesize
136KB

Download
memory/4468-155-0x00000000005D0000-0x00000000005F7000-memory.dmp

Filesize
156KB

Download
memory/4688-132-0x00000000006EF000-0x0000000000702000-memory.dmp

Filesize
76KB

Download
memory/4688-133-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/4688-134-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/4688-135-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download