smokeloader | e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9

Analysis

max time kernel
150s
max time network
58s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-03-2023 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe
Size

198KB
MD5

5bc1774ebeca1525058ae1501e5e11c7
SHA1

7a51999683bc1d9388925479d890d1037ac6c6cb
SHA256

e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9
SHA512

5631bce54e0d97724d94266baf768d4b5bf91821d354660feb3e5813407eb3895151764dc7303fe2db4539c152f6592859226d271f0f3a1067f1dbeeb56df1e4
SSDEEP

3072:1vHtFqxDMYWC70ckqrWV4q4vNJ3j3f0MzY8/POtmcgldD1ywW:9NFMgYYk24qINJ3zNY83OMzdw

Score

10^/10

smokeloader sprg backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Deletes itself 1 IoCs

pid	Process
3136	Process not Found

Executes dropped EXE 1 IoCs

pid	Process
3432	rfruatf

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rfruatf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rfruatf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rfruatf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4124	e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe
4124	e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3136	Process not Found

Suspicious behavior: MapViewOfSection 20 IoCs

pid	Process
4124	e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3432	rfruatf

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3136	Process not Found
Token: SeCreatePagefilePrivilege	3136	Process not Found
Token: SeShutdownPrivilege	3136	Process not Found
Token: SeCreatePagefilePrivilege	3136	Process not Found
Token: SeShutdownPrivilege	3136	Process not Found
Token: SeCreatePagefilePrivilege	3136	Process not Found
Token: SeShutdownPrivilege	3136	Process not Found
Token: SeCreatePagefilePrivilege	3136	Process not Found
Token: SeShutdownPrivilege	3136	Process not Found
Token: SeCreatePagefilePrivilege	3136	Process not Found
Token: SeShutdownPrivilege	3136	Process not Found
Token: SeCreatePagefilePrivilege	3136	Process not Found

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 4280	3136	Process not Found	66
PID 3136 wrote to memory of 4280	3136	Process not Found	66
PID 3136 wrote to memory of 4280	3136	Process not Found	66
PID 3136 wrote to memory of 4280	3136	Process not Found	66
PID 3136 wrote to memory of 1604	3136	Process not Found	67
PID 3136 wrote to memory of 1604	3136	Process not Found	67
PID 3136 wrote to memory of 1604	3136	Process not Found	67
PID 3136 wrote to memory of 4324	3136	Process not Found	68
PID 3136 wrote to memory of 4324	3136	Process not Found	68
PID 3136 wrote to memory of 4324	3136	Process not Found	68
PID 3136 wrote to memory of 4324	3136	Process not Found	68
PID 3136 wrote to memory of 4000	3136	Process not Found	69
PID 3136 wrote to memory of 4000	3136	Process not Found	69
PID 3136 wrote to memory of 4000	3136	Process not Found	69
PID 3136 wrote to memory of 3024	3136	Process not Found	70
PID 3136 wrote to memory of 3024	3136	Process not Found	70
PID 3136 wrote to memory of 3024	3136	Process not Found	70
PID 3136 wrote to memory of 3024	3136	Process not Found	70
PID 3136 wrote to memory of 4724	3136	Process not Found	71
PID 3136 wrote to memory of 4724	3136	Process not Found	71
PID 3136 wrote to memory of 4724	3136	Process not Found	71
PID 3136 wrote to memory of 4724	3136	Process not Found	71
PID 3136 wrote to memory of 1948	3136	Process not Found	72
PID 3136 wrote to memory of 1948	3136	Process not Found	72
PID 3136 wrote to memory of 1948	3136	Process not Found	72
PID 3136 wrote to memory of 1948	3136	Process not Found	72
PID 3136 wrote to memory of 2808	3136	Process not Found	73
PID 3136 wrote to memory of 2808	3136	Process not Found	73
PID 3136 wrote to memory of 2808	3136	Process not Found	73
PID 3136 wrote to memory of 4652	3136	Process not Found	74
PID 3136 wrote to memory of 4652	3136	Process not Found	74
PID 3136 wrote to memory of 4652	3136	Process not Found	74
PID 3136 wrote to memory of 4652	3136	Process not Found	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe
"C:\Users\Admin\AppData\Local\Temp\e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4124

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4280

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1604

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4324

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4000

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3024

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4724

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1948

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2808

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4652

C:\Users\Admin\AppData\Roaming\rfruatf
C:\Users\Admin\AppData\Roaming\rfruatf
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rfruatf

Filesize
198KB

MD5
5bc1774ebeca1525058ae1501e5e11c7

SHA1
7a51999683bc1d9388925479d890d1037ac6c6cb

SHA256
e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9

SHA512
5631bce54e0d97724d94266baf768d4b5bf91821d354660feb3e5813407eb3895151764dc7303fe2db4539c152f6592859226d271f0f3a1067f1dbeeb56df1e4

Download Submit
C:\Users\Admin\AppData\Roaming\rfruatf

Filesize
198KB

MD5
5bc1774ebeca1525058ae1501e5e11c7

SHA1
7a51999683bc1d9388925479d890d1037ac6c6cb

SHA256
e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9

SHA512
5631bce54e0d97724d94266baf768d4b5bf91821d354660feb3e5813407eb3895151764dc7303fe2db4539c152f6592859226d271f0f3a1067f1dbeeb56df1e4

Download Submit
memory/1604-168-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/1604-169-0x0000000000870000-0x000000000087B000-memory.dmp

Filesize
44KB

Download
memory/1604-170-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/1948-185-0x0000000000AF0000-0x0000000000AFB000-memory.dmp

Filesize
44KB

Download
memory/1948-184-0x0000000003490000-0x0000000003499000-memory.dmp

Filesize
36KB

Download
memory/1948-183-0x0000000000AF0000-0x0000000000AFB000-memory.dmp

Filesize
44KB

Download
memory/1948-195-0x0000000003490000-0x0000000003499000-memory.dmp

Filesize
36KB

Download
memory/2808-187-0x0000000000AF0000-0x0000000000AFB000-memory.dmp

Filesize
44KB

Download
memory/2808-186-0x00000000010C0000-0x00000000010CD000-memory.dmp

Filesize
52KB

Download
memory/2808-188-0x00000000010C0000-0x00000000010CD000-memory.dmp

Filesize
52KB

Download
memory/2808-196-0x0000000000AF0000-0x0000000000AFB000-memory.dmp

Filesize
44KB

Download
memory/3024-179-0x0000000000C00000-0x0000000000C27000-memory.dmp

Filesize
156KB

Download
memory/3024-178-0x0000000001010000-0x000000000101C000-memory.dmp

Filesize
48KB

Download
memory/3024-177-0x0000000000C00000-0x0000000000C27000-memory.dmp

Filesize
156KB

Download
memory/3136-157-0x0000000002890000-0x000000000289D000-memory.dmp

Filesize
52KB

Download
memory/3136-218-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-154-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-155-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-156-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-246-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-245-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-243-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-244-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-150-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-149-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-148-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-240-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-237-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-236-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-235-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-234-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-233-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-146-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-147-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-143-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-230-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-229-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/3136-224-0x0000000002F50000-0x0000000002F66000-memory.dmp

Filesize
88KB

Download
memory/3136-140-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-139-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-138-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-136-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/3136-137-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-134-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-123-0x0000000001050000-0x0000000001066000-memory.dmp

Filesize
88KB

Download
memory/3136-220-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-219-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-153-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-217-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-216-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-131-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-129-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/3136-198-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/3136-199-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-202-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-203-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-204-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-205-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-206-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-209-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-212-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-213-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-214-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3136-215-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3432-227-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4000-176-0x0000000001010000-0x000000000101C000-memory.dmp

Filesize
48KB

Download
memory/4000-193-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4000-174-0x0000000001010000-0x000000000101C000-memory.dmp

Filesize
48KB

Download
memory/4000-175-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4124-122-0x0000000000730000-0x0000000000739000-memory.dmp

Filesize
36KB

Download
memory/4124-124-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4280-192-0x0000000000880000-0x0000000000889000-memory.dmp

Filesize
36KB

Download
memory/4280-165-0x0000000000870000-0x000000000087B000-memory.dmp

Filesize
44KB

Download
memory/4280-166-0x0000000000880000-0x0000000000889000-memory.dmp

Filesize
36KB

Download
memory/4280-167-0x0000000000870000-0x000000000087B000-memory.dmp

Filesize
44KB

Download
memory/4324-172-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/4324-173-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4324-171-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4652-189-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/4652-190-0x00000000010C0000-0x00000000010CD000-memory.dmp

Filesize
52KB

Download
memory/4652-191-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/4724-180-0x0000000003490000-0x0000000003499000-memory.dmp

Filesize
36KB

Download
memory/4724-181-0x0000000000C00000-0x0000000000C27000-memory.dmp

Filesize
156KB

Download
memory/4724-194-0x0000000000C00000-0x0000000000C27000-memory.dmp

Filesize
156KB

Download
memory/4724-182-0x0000000003490000-0x0000000003499000-memory.dmp

Filesize
36KB

Download