smokeloader | 7fbf96cc89463da90fa962ea3ff11cebd0d742176e669631019787fe9c9e1430

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2023 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0007000000015c2d-101.exe
Size

32KB
MD5

2d91d81ac965bfeb635da7ad8cfe7c65
SHA1

44f1d984702dde8f182f6491d71c8912160a8c63
SHA256

7fbf96cc89463da90fa962ea3ff11cebd0d742176e669631019787fe9c9e1430
SHA512

899f9ba01b937f3dbc5ed38bd4f43a7f91f167841f23ddac6dfc3d8c4ccfae25c169c0bb77aa555b25bdc37f062cda122791211e664846cbc2ce75bb19c55d4b
SSDEEP

384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	BB0E.exe

Executes dropped EXE 1 IoCs

pid	Process
5036	BB0E.exe

Loads dropped DLL 2 IoCs

pid	Process
3576	regsvr32.exe
3576	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0007000000015c2d-101.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0007000000015c2d-101.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0007000000015c2d-101.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	0x0007000000015c2d-101.exe
2328	0x0007000000015c2d-101.exe
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3228	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2328	0x0007000000015c2d-101.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3228	Process not Found
Token: SeCreatePagefilePrivilege	3228	Process not Found
Token: SeShutdownPrivilege	3228	Process not Found
Token: SeCreatePagefilePrivilege	3228	Process not Found
Token: SeShutdownPrivilege	3228	Process not Found
Token: SeCreatePagefilePrivilege	3228	Process not Found
Token: SeShutdownPrivilege	3228	Process not Found
Token: SeCreatePagefilePrivilege	3228	Process not Found
Token: SeShutdownPrivilege	3228	Process not Found
Token: SeCreatePagefilePrivilege	3228	Process not Found
Token: SeShutdownPrivilege	3228	Process not Found
Token: SeCreatePagefilePrivilege	3228	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 5036	3228	Process not Found	99
PID 3228 wrote to memory of 5036	3228	Process not Found	99
PID 3228 wrote to memory of 5036	3228	Process not Found	99
PID 5036 wrote to memory of 3576	5036	BB0E.exe	100
PID 5036 wrote to memory of 3576	5036	BB0E.exe	100
PID 5036 wrote to memory of 3576	5036	BB0E.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0x0007000000015c2d-101.exe
"C:\Users\Admin\AppData\Local\Temp\0x0007000000015c2d-101.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2328

C:\Users\Admin\AppData\Local\Temp\BB0E.exe
C:\Users\Admin\AppData\Local\Temp\BB0E.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -S .\eJZ6SYMl.6 -u
  2⤵
  - Loads dropped DLL
  PID:3576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BB0E.exe

Filesize
1.6MB

MD5
e0cf69a1bc822e9cf24df2f1daee2ca3

SHA1
28dc068f9d1dea86f67a6b6f815129f3ef9128f6

SHA256
c710785c891834d0b5ad5804efa04c326508bd40d6697d60a56e6cb620977792

SHA512
e12762e5a50b5332638f2e68e0d873f2ab65aec89ed37ecda034fa8af2d5ce717badb5a6c8d404e91955bbddd7747d8f4e416383cbcb07bd2cc6a5bf80582ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB0E.exe

Filesize
1.6MB

MD5
e0cf69a1bc822e9cf24df2f1daee2ca3

SHA1
28dc068f9d1dea86f67a6b6f815129f3ef9128f6

SHA256
c710785c891834d0b5ad5804efa04c326508bd40d6697d60a56e6cb620977792

SHA512
e12762e5a50b5332638f2e68e0d873f2ab65aec89ed37ecda034fa8af2d5ce717badb5a6c8d404e91955bbddd7747d8f4e416383cbcb07bd2cc6a5bf80582ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\eJZ6SYMl.6

Filesize
1.2MB

MD5
2651caece5999959da1ccffd43784e23

SHA1
08954d58a7161c69395ff25362a32c4b0736265c

SHA256
ae5a095329e5c9ad8e2c30536e3978b393a871abbda9e5d66f20c82afd9a6378

SHA512
5250a6c2d2ee8efaa3b97200623a403f65ffbb9d969efb124c0cd8aa37bb5c242f0fe0c91eba54299baafd60e3d188b5b55a956d1df4e80e047cd35a526db331

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejZ6SYMl.6

Filesize
1.2MB

MD5
2651caece5999959da1ccffd43784e23

SHA1
08954d58a7161c69395ff25362a32c4b0736265c

SHA256
ae5a095329e5c9ad8e2c30536e3978b393a871abbda9e5d66f20c82afd9a6378

SHA512
5250a6c2d2ee8efaa3b97200623a403f65ffbb9d969efb124c0cd8aa37bb5c242f0fe0c91eba54299baafd60e3d188b5b55a956d1df4e80e047cd35a526db331

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejZ6SYMl.6

Filesize
1.2MB

MD5
2651caece5999959da1ccffd43784e23

SHA1
08954d58a7161c69395ff25362a32c4b0736265c

SHA256
ae5a095329e5c9ad8e2c30536e3978b393a871abbda9e5d66f20c82afd9a6378

SHA512
5250a6c2d2ee8efaa3b97200623a403f65ffbb9d969efb124c0cd8aa37bb5c242f0fe0c91eba54299baafd60e3d188b5b55a956d1df4e80e047cd35a526db331

Download Submit
memory/2328-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2328-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3228-134-0x0000000002FA0000-0x0000000002FB6000-memory.dmp

Filesize
88KB

Download
memory/3576-151-0x0000000000B70000-0x0000000000CA3000-memory.dmp

Filesize
1.2MB

Download
memory/3576-152-0x0000000000910000-0x0000000000916000-memory.dmp

Filesize
24KB

Download
memory/3576-153-0x0000000000B70000-0x0000000000CA3000-memory.dmp

Filesize
1.2MB

Download
memory/3576-156-0x00000000024E0000-0x00000000025E3000-memory.dmp

Filesize
1.0MB

Download
memory/3576-157-0x00000000025F0000-0x00000000026D9000-memory.dmp

Filesize
932KB

Download
memory/3576-158-0x00000000025F0000-0x00000000026D9000-memory.dmp

Filesize
932KB

Download
memory/3576-160-0x00000000025F0000-0x00000000026D9000-memory.dmp

Filesize
932KB

Download
memory/3576-161-0x00000000025F0000-0x00000000026D9000-memory.dmp

Filesize
932KB

Download