smokeloader | 915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16-03-2023 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe
Size

173KB
MD5

593e36fe2c24170834d200de29e40fbe
SHA1

ff75b26789424de6f0ca2628d95032d434b4cbac
SHA256

915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047
SHA512

abb82bcf6c3df41259084d469546ccc2039a663682d8e584b8c3e30c776377e3a73ade78f9e2f789299fa335171d1cadf0e68cf052bdd0f50eeac0492401dcc0
SSDEEP

3072:kPoPnYWs76TAbxcpMbjS46SieWhx4dw/k7MgLDw0OeAps1XJX:fvjcGgZ6aax0eSMgLDw2J1

Score

10^/10

smokeloader lab backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

lab

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Deletes itself 1 IoCs

pid	Process
3224	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
3108	djaefja
4928	djaefja

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 2112	1804	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe	66
PID 3108 set thread context of 4928	3108	djaefja	68

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	djaefja
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	djaefja
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	djaefja

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe
2112	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found
3224	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3224	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2112	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe
4928	djaefja

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3224	Process not Found
Token: SeCreatePagefilePrivilege	3224	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2112	1804	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe	66
PID 1804 wrote to memory of 2112	1804	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe	66
PID 1804 wrote to memory of 2112	1804	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe	66
PID 1804 wrote to memory of 2112	1804	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe	66
PID 1804 wrote to memory of 2112	1804	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe	66
PID 1804 wrote to memory of 2112	1804	915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe	66
PID 3108 wrote to memory of 4928	3108	djaefja	68
PID 3108 wrote to memory of 4928	3108	djaefja	68
PID 3108 wrote to memory of 4928	3108	djaefja	68
PID 3108 wrote to memory of 4928	3108	djaefja	68
PID 3108 wrote to memory of 4928	3108	djaefja	68
PID 3108 wrote to memory of 4928	3108	djaefja	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe
"C:\Users\Admin\AppData\Local\Temp\915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe
  "C:\Users\Admin\AppData\Local\Temp\915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2112

C:\Users\Admin\AppData\Roaming\djaefja
C:\Users\Admin\AppData\Roaming\djaefja
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Roaming\djaefja
  C:\Users\Admin\AppData\Roaming\djaefja
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\djaefja

Filesize
173KB

MD5
593e36fe2c24170834d200de29e40fbe

SHA1
ff75b26789424de6f0ca2628d95032d434b4cbac

SHA256
915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047

SHA512
abb82bcf6c3df41259084d469546ccc2039a663682d8e584b8c3e30c776377e3a73ade78f9e2f789299fa335171d1cadf0e68cf052bdd0f50eeac0492401dcc0

Download Submit
C:\Users\Admin\AppData\Roaming\djaefja

Filesize
173KB

MD5
593e36fe2c24170834d200de29e40fbe

SHA1
ff75b26789424de6f0ca2628d95032d434b4cbac

SHA256
915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047

SHA512
abb82bcf6c3df41259084d469546ccc2039a663682d8e584b8c3e30c776377e3a73ade78f9e2f789299fa335171d1cadf0e68cf052bdd0f50eeac0492401dcc0

Download Submit
C:\Users\Admin\AppData\Roaming\djaefja

Filesize
173KB

MD5
593e36fe2c24170834d200de29e40fbe

SHA1
ff75b26789424de6f0ca2628d95032d434b4cbac

SHA256
915a66584e7280aa967eb27ba754211b9f210dc45c88410540c61adb2fd72047

SHA512
abb82bcf6c3df41259084d469546ccc2039a663682d8e584b8c3e30c776377e3a73ade78f9e2f789299fa335171d1cadf0e68cf052bdd0f50eeac0492401dcc0

Download Submit
memory/1804-122-0x00000000006E0000-0x00000000006E9000-memory.dmp

Filesize
36KB

Download
memory/2112-121-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-123-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2112-125-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3224-124-0x00000000008D0000-0x00000000008E6000-memory.dmp

Filesize
88KB

Download
memory/3224-140-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/4928-139-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4928-143-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download