smokeloader | 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27

Resubmissions

26-06-2023 05:00

230626-fncv8age89 10

26-06-2023 04:48

230626-fe4ycahe5z 10

Analysis

max time kernel
300s
max time network
286s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2023 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
Size

205KB
MD5

9d8a3dd432e255ebb2e890d2a0653ddb
SHA1

0e5741c323e7c35671333863492743ae0c64f64b
SHA256

6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512

758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96
SSDEEP

3072:g0t8tNh4pRETGd2/Rq9nvZCTBQAc5bGHtDuVszN54PKiIIiT28KHqK:QtJTY2/OQBQAc5qHtDN5kFIIiTVKHq

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverlogs37.xyz/statweb255/

http://servblog757.xyz/statweb255/

http://dexblog45.xyz/statweb255/

http://admlogs.online/statweb255/

http://blogstat355.xyz/statweb255/

http://blogstatserv25.xyz/statweb255/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

description	pid	process	target process
PID 4660 set thread context of 4212	4660	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

pid	process
4212	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
4212	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220
3220

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3220
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

pid process

4212 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3220
Token: SeCreatePagefilePrivilege 3220
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3220
3220
3220
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3220
3220
3220

pid	process
3220

description	pid	process
Token: SeShutdownPrivilege	3220
Token: SeCreatePagefilePrivilege	3220

pid	process
3220
3220
3220

pid	process
3220
3220
3220

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

description	pid	process	target process
PID 4660 wrote to memory of 4212	4660	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 4660 wrote to memory of 4212	4660	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 4660 wrote to memory of 4212	4660	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 4660 wrote to memory of 4212	4660	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 4660 wrote to memory of 4212	4660	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
PID 4660 wrote to memory of 4212	4660	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe	6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
"C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
  "C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3220-137-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/4212-134-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4212-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4212-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4660-135-0x0000000001C00000-0x0000000001C09000-memory.dmp

Filesize
36KB

Download