smokeloader | 387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658

Analysis

max time kernel
151s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exe
Size

224KB
MD5

5e3a6bec7a92d30dec303dd335ea7f92
SHA1

82bf71f1856a62c24e8c8d902d53dba99008550f
SHA256

387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658
SHA512

27341b567c888de5109da8fb27640a6b4ff2165957872923eac7cbb7ad434bc29558d913930112cdb84976d3df9a267186aae891ea89fcd825a2502c54ea8813
SSDEEP

3072:1YjdIs1K3dVAVIw0DVtyTgMr0ojauaLif/zxWHM6VyiaD5UE1ElCETy9Y:y+H0VirKnaLI/zxj6VxOUEKl

Score

10^/10

smokeloader sprg backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 1 IoCs

Processes:

adeesjw

pid process

3780 adeesjw

pid	process
3780	adeesjw

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exeadeesjw

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	adeesjw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	adeesjw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	adeesjw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exe

pid	process
2116	387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exe
2116	387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exe
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3128

pid	process
3128

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exeadeesjw

pid	process
2116	387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exe
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3128
3780	adeesjw

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128
Token: SeShutdownPrivilege	3128
Token: SeCreatePagefilePrivilege	3128

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

description	pid	target process
PID 3128 wrote to memory of 1340	3128	explorer.exe
PID 3128 wrote to memory of 1340	3128	explorer.exe
PID 3128 wrote to memory of 1340	3128	explorer.exe
PID 3128 wrote to memory of 1340	3128	explorer.exe
PID 3128 wrote to memory of 4284	3128	explorer.exe
PID 3128 wrote to memory of 4284	3128	explorer.exe
PID 3128 wrote to memory of 4284	3128	explorer.exe
PID 3128 wrote to memory of 1804	3128	explorer.exe
PID 3128 wrote to memory of 1804	3128	explorer.exe
PID 3128 wrote to memory of 1804	3128	explorer.exe
PID 3128 wrote to memory of 1804	3128	explorer.exe
PID 3128 wrote to memory of 1872	3128	explorer.exe
PID 3128 wrote to memory of 1872	3128	explorer.exe
PID 3128 wrote to memory of 1872	3128	explorer.exe
PID 3128 wrote to memory of 340	3128	explorer.exe
PID 3128 wrote to memory of 340	3128	explorer.exe
PID 3128 wrote to memory of 340	3128	explorer.exe
PID 3128 wrote to memory of 340	3128	explorer.exe
PID 3128 wrote to memory of 3576	3128	explorer.exe
PID 3128 wrote to memory of 3576	3128	explorer.exe
PID 3128 wrote to memory of 3576	3128	explorer.exe
PID 3128 wrote to memory of 3576	3128	explorer.exe
PID 3128 wrote to memory of 1268	3128	explorer.exe
PID 3128 wrote to memory of 1268	3128	explorer.exe
PID 3128 wrote to memory of 1268	3128	explorer.exe
PID 3128 wrote to memory of 1268	3128	explorer.exe
PID 3128 wrote to memory of 4008	3128	explorer.exe
PID 3128 wrote to memory of 4008	3128	explorer.exe
PID 3128 wrote to memory of 4008	3128	explorer.exe
PID 3128 wrote to memory of 3088	3128	explorer.exe
PID 3128 wrote to memory of 3088	3128	explorer.exe
PID 3128 wrote to memory of 3088	3128	explorer.exe
PID 3128 wrote to memory of 3088	3128	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exe
"C:\Users\Admin\AppData\Local\Temp\387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2116

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1340

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4284

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1804

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1872

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:340

C:\Users\Admin\AppData\Roaming\adeesjw
C:\Users\Admin\AppData\Roaming\adeesjw
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3780

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3576

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1268

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4008

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\adeesjw

Filesize
224KB

MD5
5e3a6bec7a92d30dec303dd335ea7f92

SHA1
82bf71f1856a62c24e8c8d902d53dba99008550f

SHA256
387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658

SHA512
27341b567c888de5109da8fb27640a6b4ff2165957872923eac7cbb7ad434bc29558d913930112cdb84976d3df9a267186aae891ea89fcd825a2502c54ea8813

Download Submit
C:\Users\Admin\AppData\Roaming\adeesjw

Filesize
224KB

MD5
5e3a6bec7a92d30dec303dd335ea7f92

SHA1
82bf71f1856a62c24e8c8d902d53dba99008550f

SHA256
387e053c28b9c0fbb7749da52d4db404caf5483f9f4a3a56981cf59b1fb7b658

SHA512
27341b567c888de5109da8fb27640a6b4ff2165957872923eac7cbb7ad434bc29558d913930112cdb84976d3df9a267186aae891ea89fcd825a2502c54ea8813

Download Submit
memory/340-178-0x0000000001220000-0x000000000122C000-memory.dmp

Filesize
48KB

Download
memory/340-175-0x00000000007D0000-0x00000000007F7000-memory.dmp

Filesize
156KB

Download
memory/340-179-0x00000000007D0000-0x00000000007F7000-memory.dmp

Filesize
156KB

Download
memory/1268-201-0x00000000010E0000-0x00000000010E9000-memory.dmp

Filesize
36KB

Download
memory/1268-186-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/1268-185-0x00000000010E0000-0x00000000010E9000-memory.dmp

Filesize
36KB

Download
memory/1268-184-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/1340-163-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/1340-164-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1340-196-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1340-165-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/1804-198-0x00000000010F0000-0x00000000010FF000-memory.dmp

Filesize
60KB

Download
memory/1804-169-0x00000000007E0000-0x00000000007E9000-memory.dmp

Filesize
36KB

Download
memory/1804-171-0x00000000007E0000-0x00000000007E9000-memory.dmp

Filesize
36KB

Download
memory/1804-170-0x00000000010F0000-0x00000000010FF000-memory.dmp

Filesize
60KB

Download
memory/1872-199-0x00000000007E0000-0x00000000007E9000-memory.dmp

Filesize
36KB

Download
memory/1872-174-0x0000000001220000-0x000000000122C000-memory.dmp

Filesize
48KB

Download
memory/1872-173-0x00000000007E0000-0x00000000007E9000-memory.dmp

Filesize
36KB

Download
memory/1872-172-0x0000000001220000-0x000000000122C000-memory.dmp

Filesize
48KB

Download
memory/2116-136-0x0000000000400000-0x0000000002B66000-memory.dmp

Filesize
39.4MB

Download
memory/2116-134-0x0000000002D00000-0x0000000002D09000-memory.dmp

Filesize
36KB

Download
memory/3088-190-0x0000000000F80000-0x0000000000F8B000-memory.dmp

Filesize
44KB

Download
memory/3088-191-0x0000000000F80000-0x0000000000F8B000-memory.dmp

Filesize
44KB

Download
memory/3088-203-0x00000000007F0000-0x00000000007FD000-memory.dmp

Filesize
52KB

Download
memory/3128-216-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-222-0x0000000000C80000-0x0000000000C84000-memory.dmp

Filesize
16KB

Download
memory/3128-240-0x0000000000C70000-0x0000000000C72000-memory.dmp

Filesize
8KB

Download
memory/3128-237-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-155-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-154-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-153-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-152-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-151-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-150-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-149-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-236-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-235-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-234-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-148-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-147-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-146-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-233-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-232-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-231-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-145-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-144-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-192-0x0000000008600000-0x0000000008616000-memory.dmp

Filesize
88KB

Download
memory/3128-230-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-143-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-228-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-142-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/3128-141-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-229-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-140-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-227-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-139-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-205-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-206-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-207-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-208-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-209-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-210-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-211-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-212-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-213-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-214-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-215-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-135-0x0000000002620000-0x0000000002636000-memory.dmp

Filesize
88KB

Download
memory/3128-217-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-218-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-219-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-220-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-221-0x0000000000C50000-0x0000000000C52000-memory.dmp

Filesize
8KB

Download
memory/3128-226-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-223-0x0000000000C80000-0x0000000000C84000-memory.dmp

Filesize
16KB

Download
memory/3128-224-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3128-225-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/3576-183-0x00000000010E0000-0x00000000010E9000-memory.dmp

Filesize
36KB

Download
memory/3576-181-0x00000000010E0000-0x00000000010E9000-memory.dmp

Filesize
36KB

Download
memory/3576-200-0x0000000002BA0000-0x0000000002BA9000-memory.dmp

Filesize
36KB

Download
memory/3576-182-0x0000000002BA0000-0x0000000002BA9000-memory.dmp

Filesize
36KB

Download
memory/3780-193-0x0000000000400000-0x0000000002B66000-memory.dmp

Filesize
39.4MB

Download
memory/4008-188-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/4008-187-0x00000000007F0000-0x00000000007FD000-memory.dmp

Filesize
52KB

Download
memory/4008-189-0x00000000007F0000-0x00000000007FD000-memory.dmp

Filesize
52KB

Download
memory/4008-202-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/4284-168-0x00000000010F0000-0x00000000010FF000-memory.dmp

Filesize
60KB

Download
memory/4284-197-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/4284-166-0x00000000010F0000-0x00000000010FF000-memory.dmp

Filesize
60KB

Download
memory/4284-167-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download