smokeloader | 383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
Size

295KB
MD5

5b15f8dc889da6d5a360f4a487f7a038
SHA1

aad637e963fca7eb17c6e7a9a1ab39e450cec678
SHA256

383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0
SHA512

15319407743d4ce8f2f5da36e960f18a1dd0e45d44b4674e921ceb2d9411082e89cfbe197aa1e9a8bda2b921f8c35736d19dc7bea49c561ba3e669bcc6cf5930
SSDEEP

3072:nd884d08TwYNguK29vrv9yonI3PEkbHImdq/Ax76aPj5N4weew+g5NUf4Nlmc2t2:dg0yHgu3vr2b5dq46OVKbeHgnqtDDTS

Score

10^/10

smokeloader lab backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

lab

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

ubhhfghubhhfgh

pid process

2208 ubhhfgh
1444 ubhhfgh

pid	process
2208	ubhhfgh
1444	ubhhfgh

Suspicious use of SetThreadContext 2 IoCs

Processes:

383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exeubhhfgh

description	pid	process	target process
PID 2072 set thread context of 4288	2072	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
PID 2208 set thread context of 1444	2208	ubhhfgh	ubhhfgh

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exeubhhfgh

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ubhhfgh
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ubhhfgh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ubhhfgh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe

pid	process
4288	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
4288	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184
3184

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3184
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exeubhhfgh

pid process

4288 383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
1444 ubhhfgh

pid	process
3184

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184
Token: SeShutdownPrivilege	3184
Token: SeCreatePagefilePrivilege	3184

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exeubhhfgh

description	pid	process	target process
PID 2072 wrote to memory of 4288	2072	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
PID 2072 wrote to memory of 4288	2072	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
PID 2072 wrote to memory of 4288	2072	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
PID 2072 wrote to memory of 4288	2072	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
PID 2072 wrote to memory of 4288	2072	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
PID 2072 wrote to memory of 4288	2072	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe	383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
PID 2208 wrote to memory of 1444	2208	ubhhfgh	ubhhfgh
PID 2208 wrote to memory of 1444	2208	ubhhfgh	ubhhfgh
PID 2208 wrote to memory of 1444	2208	ubhhfgh	ubhhfgh
PID 2208 wrote to memory of 1444	2208	ubhhfgh	ubhhfgh
PID 2208 wrote to memory of 1444	2208	ubhhfgh	ubhhfgh
PID 2208 wrote to memory of 1444	2208	ubhhfgh	ubhhfgh

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
"C:\Users\Admin\AppData\Local\Temp\383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe
"C:\Users\Admin\AppData\Local\Temp\383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4288

C:\Users\Admin\AppData\Roaming\ubhhfgh
C:\Users\Admin\AppData\Roaming\ubhhfgh
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Roaming\ubhhfgh
C:\Users\Admin\AppData\Roaming\ubhhfgh
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ubhhfgh
Filesize
295KB

MD5
5b15f8dc889da6d5a360f4a487f7a038

SHA1
aad637e963fca7eb17c6e7a9a1ab39e450cec678

SHA256
383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0

SHA512
15319407743d4ce8f2f5da36e960f18a1dd0e45d44b4674e921ceb2d9411082e89cfbe197aa1e9a8bda2b921f8c35736d19dc7bea49c561ba3e669bcc6cf5930

Download Submit
C:\Users\Admin\AppData\Roaming\ubhhfgh
Filesize
295KB

MD5
5b15f8dc889da6d5a360f4a487f7a038

SHA1
aad637e963fca7eb17c6e7a9a1ab39e450cec678

SHA256
383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0

SHA512
15319407743d4ce8f2f5da36e960f18a1dd0e45d44b4674e921ceb2d9411082e89cfbe197aa1e9a8bda2b921f8c35736d19dc7bea49c561ba3e669bcc6cf5930

Download Submit
C:\Users\Admin\AppData\Roaming\ubhhfgh
Filesize
295KB

MD5
5b15f8dc889da6d5a360f4a487f7a038

SHA1
aad637e963fca7eb17c6e7a9a1ab39e450cec678

SHA256
383c10d1b8eacf046bb82f67e863ca08119ddb58ec61a2f400d0915c391426c0

SHA512
15319407743d4ce8f2f5da36e960f18a1dd0e45d44b4674e921ceb2d9411082e89cfbe197aa1e9a8bda2b921f8c35736d19dc7bea49c561ba3e669bcc6cf5930

Download Submit
memory/1444-175-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1444-173-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2072-135-0x0000000002BF0000-0x0000000002BF9000-memory.dmp

Filesize
36KB

Download
memory/3184-185-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-153-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-150-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-151-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-152-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-190-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-154-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-155-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-156-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-191-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-158-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-159-0x0000000004070000-0x0000000004080000-memory.dmp

Filesize
64KB

Download
memory/3184-161-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-162-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-163-0x0000000004120000-0x0000000004130000-memory.dmp

Filesize
64KB

Download
memory/3184-164-0x0000000004120000-0x0000000004130000-memory.dmp

Filesize
64KB

Download
memory/3184-160-0x0000000004120000-0x0000000004130000-memory.dmp

Filesize
64KB

Download
memory/3184-165-0x0000000004120000-0x0000000004130000-memory.dmp

Filesize
64KB

Download
memory/3184-166-0x0000000004120000-0x0000000004130000-memory.dmp

Filesize
64KB

Download
memory/3184-148-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-147-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-146-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-167-0x0000000004120000-0x0000000004130000-memory.dmp

Filesize
64KB

Download
memory/3184-174-0x0000000004090000-0x00000000040A6000-memory.dmp

Filesize
88KB

Download
memory/3184-145-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-180-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-181-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-182-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-183-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-184-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-137-0x0000000000700000-0x0000000000716000-memory.dmp

Filesize
88KB

Download
memory/3184-186-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-187-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-188-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-220-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/3184-149-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-157-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-192-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-193-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-194-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-195-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-196-0x0000000000950000-0x0000000000952000-memory.dmp

Filesize
8KB

Download
memory/3184-197-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/3184-198-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/3184-199-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/3184-200-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/3184-201-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/3184-202-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-203-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-204-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-205-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-206-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-207-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-208-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-209-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-210-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-211-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-212-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-213-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-214-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-215-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-216-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-217-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-218-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/3184-219-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/3184-189-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/4288-134-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4288-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4288-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download