smokeloader | 1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
Size

269KB
MD5

1bd66e5b1645d08b5fd0ea18c50b8e93
SHA1

2e97c74e094052adf2ec3654890edd9b4060cccb
SHA256

1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45
SHA512

1f86207ac7b443342644f7f2eecdbb2272d95dea2e606a474ce75a1c2970427e78d4718f19d953406886058a9db99dee0b0161cd638c48bb00eea3eef8629baf
SSDEEP

3072:bRgQ9EQG0K6WwR/Mm8FSECb6wvPQajoAa8wQ4n0N1eV4E0i6lmhZ:WFQW6Wi/MAHvK3n0HK4E3V

Score

10^/10

smokeloader lab backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

lab

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe

description	pid	process	target process
PID 4616 set thread context of 1680	4616	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe

pid	process
1680	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
1680	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388
388

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

388
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe

pid process

1680 1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe

pid	process
388

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe

description	pid	process	target process
PID 4616 wrote to memory of 1680	4616	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
PID 4616 wrote to memory of 1680	4616	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
PID 4616 wrote to memory of 1680	4616	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
PID 4616 wrote to memory of 1680	4616	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
PID 4616 wrote to memory of 1680	4616	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
PID 4616 wrote to memory of 1680	4616	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe	1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
"C:\Users\Admin\AppData\Local\Temp\1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe
"C:\Users\Admin\AppData\Local\Temp\1b67964b4e2bf5341f13e8d11c5a853f97e00a7dbc3328904d42970a57d4ae45.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-137-0x0000000001080000-0x0000000001096000-memory.dmp

Filesize
88KB

Download
memory/1680-134-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1680-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1680-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4616-135-0x0000000002D20000-0x0000000002D29000-memory.dmp

Filesize
36KB

Download