smokeloader | 7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53

General

Target

7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe
Size

296KB
MD5

659ff246b73da70a59f5b756faf67d7c
SHA1

9488358099010bde234ea4e6bc28a49fa61b9667
SHA256

7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53
SHA512

29768a345b2e02efc4b2d6e65e1cc37e13c4889bc0ce140b57e9884a48ea0daca8dacfc41c650a8bed50540fa1947419a91e7ac5d7df48232baf782b3d80b00d
SSDEEP

3072:ycdyLgcdB5nDVRTtq1IeMYFPP3gUG/nYB8I4niDLBzMQl5OM6k/XIfqF9lmc2tot:T255nDLtqv3PG/g6i4M6WIfIstDDTS

Score

10^/10

smokeloader sprg backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

C2

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe

pid	process
4124	7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe
4124	7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3168

pid	process
3168

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe

pid	process
4124	7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168
3168

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

description	pid	target process
PID 3168 wrote to memory of 4076	3168	explorer.exe
PID 3168 wrote to memory of 4076	3168	explorer.exe
PID 3168 wrote to memory of 4076	3168	explorer.exe
PID 3168 wrote to memory of 4076	3168	explorer.exe
PID 3168 wrote to memory of 1208	3168	explorer.exe
PID 3168 wrote to memory of 1208	3168	explorer.exe
PID 3168 wrote to memory of 1208	3168	explorer.exe
PID 3168 wrote to memory of 2600	3168	explorer.exe
PID 3168 wrote to memory of 2600	3168	explorer.exe
PID 3168 wrote to memory of 2600	3168	explorer.exe
PID 3168 wrote to memory of 2600	3168	explorer.exe
PID 3168 wrote to memory of 1964	3168	explorer.exe
PID 3168 wrote to memory of 1964	3168	explorer.exe
PID 3168 wrote to memory of 1964	3168	explorer.exe
PID 3168 wrote to memory of 708	3168	explorer.exe
PID 3168 wrote to memory of 708	3168	explorer.exe
PID 3168 wrote to memory of 708	3168	explorer.exe
PID 3168 wrote to memory of 708	3168	explorer.exe
PID 3168 wrote to memory of 4672	3168	explorer.exe
PID 3168 wrote to memory of 4672	3168	explorer.exe
PID 3168 wrote to memory of 4672	3168	explorer.exe
PID 3168 wrote to memory of 4672	3168	explorer.exe
PID 3168 wrote to memory of 4884	3168	explorer.exe
PID 3168 wrote to memory of 4884	3168	explorer.exe
PID 3168 wrote to memory of 4884	3168	explorer.exe
PID 3168 wrote to memory of 4884	3168	explorer.exe
PID 3168 wrote to memory of 4844	3168	explorer.exe
PID 3168 wrote to memory of 4844	3168	explorer.exe
PID 3168 wrote to memory of 4844	3168	explorer.exe
PID 3168 wrote to memory of 3264	3168	explorer.exe
PID 3168 wrote to memory of 3264	3168	explorer.exe
PID 3168 wrote to memory of 3264	3168	explorer.exe
PID 3168 wrote to memory of 3264	3168	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe
"C:\Users\Admin\AppData\Local\Temp\7dcaec1fe8503cfd46ca45f4ee41ba8ec95ad1d41adb22a73ddd53f5110d6c53.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4124

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4076

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1208

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2600

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1964

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:708

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4884

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/708-157-0x0000000000FA0000-0x0000000000FC7000-memory.dmp

Filesize
156KB

Download
memory/708-158-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/708-159-0x0000000000FA0000-0x0000000000FC7000-memory.dmp

Filesize
156KB

Download
memory/1208-172-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/1208-149-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/1208-150-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/1208-151-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/1964-155-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/1964-174-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1964-156-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/2600-173-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/2600-154-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2600-153-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/2600-152-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3168-135-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

Filesize
88KB

Download
memory/3264-170-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/3264-168-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/3264-178-0x0000000000940000-0x000000000094D000-memory.dmp

Filesize
52KB

Download
memory/3264-169-0x0000000000940000-0x000000000094D000-memory.dmp

Filesize
52KB

Download
memory/4076-148-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/4076-146-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/4076-147-0x0000000004770000-0x0000000004779000-memory.dmp

Filesize
36KB

Download
memory/4076-171-0x0000000004770000-0x0000000004779000-memory.dmp

Filesize
36KB

Download
memory/4124-136-0x0000000000400000-0x0000000002B77000-memory.dmp

Filesize
39.5MB

Download
memory/4124-134-0x0000000004770000-0x0000000004779000-memory.dmp

Filesize
36KB

Download
memory/4672-162-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download
memory/4672-161-0x0000000000FA0000-0x0000000000FC7000-memory.dmp

Filesize
156KB

Download
memory/4672-175-0x0000000000FA0000-0x0000000000FC7000-memory.dmp

Filesize
156KB

Download
memory/4672-160-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download
memory/4844-167-0x0000000000940000-0x000000000094D000-memory.dmp

Filesize
52KB

Download
memory/4844-166-0x0000000000EA0000-0x0000000000EAB000-memory.dmp

Filesize
44KB

Download
memory/4844-165-0x0000000000940000-0x000000000094D000-memory.dmp

Filesize
52KB

Download
memory/4844-177-0x0000000000EA0000-0x0000000000EAB000-memory.dmp

Filesize
44KB

Download
memory/4884-164-0x0000000000EA0000-0x0000000000EAB000-memory.dmp

Filesize
44KB

Download
memory/4884-163-0x0000000000EA0000-0x0000000000EAB000-memory.dmp

Filesize
44KB

Download
memory/4884-176-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads