smokeloader | 2ee8a1be8e6b46d43496b23f1f2569dbdce426677e818f91d2c4c72bf8c3c88e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/07/2023, 04:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0x000a0000000152a5-110.exe
Size

32KB
MD5

23402d62c41366d1aef09ade24c6ea0f
SHA1

fc12fd9c3c950894c5ef42ec91da14bb813093cd
SHA256

2ee8a1be8e6b46d43496b23f1f2569dbdce426677e818f91d2c4c72bf8c3c88e
SHA512

5533a413f0434c68f580e5afa9b8f8f9211ff08fd9bc98257149f0d05e3223cea652723fb5526ea0e075586f2c7bacba694d1adf7be17d37a0408ac50d5db1da
SSDEEP

384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1200	Process not Found

Executes dropped EXE 1 IoCs

pid	Process
3020	BD37.exe

Loads dropped DLL 8 IoCs

pid	Process
2884	rundll32.exe
2884	rundll32.exe
2884	rundll32.exe
2884	rundll32.exe
524	rundll32.exe
524	rundll32.exe
524	rundll32.exe
524	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000a0000000152a5-110.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000a0000000152a5-110.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000a0000000152a5-110.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	0x000a0000000152a5-110.exe
2244	0x000a0000000152a5-110.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2244	0x000a0000000152a5-110.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1200	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1200	Process not Found
1200	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1200	Process not Found
1200	Process not Found

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 3020	1200	Process not Found	30
PID 1200 wrote to memory of 3020	1200	Process not Found	30
PID 1200 wrote to memory of 3020	1200	Process not Found	30
PID 1200 wrote to memory of 3020	1200	Process not Found	30
PID 3020 wrote to memory of 2744	3020	BD37.exe	31
PID 3020 wrote to memory of 2744	3020	BD37.exe	31
PID 3020 wrote to memory of 2744	3020	BD37.exe	31
PID 3020 wrote to memory of 2744	3020	BD37.exe	31
PID 2744 wrote to memory of 2884	2744	control.exe	32
PID 2744 wrote to memory of 2884	2744	control.exe	32
PID 2744 wrote to memory of 2884	2744	control.exe	32
PID 2744 wrote to memory of 2884	2744	control.exe	32
PID 2744 wrote to memory of 2884	2744	control.exe	32
PID 2744 wrote to memory of 2884	2744	control.exe	32
PID 2744 wrote to memory of 2884	2744	control.exe	32
PID 2884 wrote to memory of 1768	2884	rundll32.exe	33
PID 2884 wrote to memory of 1768	2884	rundll32.exe	33
PID 2884 wrote to memory of 1768	2884	rundll32.exe	33
PID 2884 wrote to memory of 1768	2884	rundll32.exe	33
PID 1768 wrote to memory of 524	1768	RunDll32.exe	34
PID 1768 wrote to memory of 524	1768	RunDll32.exe	34
PID 1768 wrote to memory of 524	1768	RunDll32.exe	34
PID 1768 wrote to memory of 524	1768	RunDll32.exe	34
PID 1768 wrote to memory of 524	1768	RunDll32.exe	34
PID 1768 wrote to memory of 524	1768	RunDll32.exe	34
PID 1768 wrote to memory of 524	1768	RunDll32.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0x000a0000000152a5-110.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a0000000152a5-110.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2244

C:\Users\Admin\AppData\Local\Temp\BD37.exe
C:\Users\Admin\AppData\Local\Temp\BD37.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\1QNE.KBN
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\1QNE.KBN
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\1QNE.KBN
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\1QNE.KBN
        5⤵
        Loads dropped DLL
        
        PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1QNE.KBN

Filesize
1.3MB

MD5
ba766002a97e7ed5b194cd987b746aae

SHA1
d28ce45684aad52590d5e0fbddffdb89a22c92b5

SHA256
249e22771af6f00a5e42bcfd1d76a1df7e2fdcaf623acb4011ffe08e0c527ed8

SHA512
c092dd47ed9e73ecfc28e6b574018baed758d3d5d94fbbe1ce7037e67907dcd741b256c8e3bdea3485da66b5626de6ac26bfd8bb8b8956d55db6585b704a36a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD37.exe

Filesize
1.7MB

MD5
426bd3ea35fdf223f395b04cda11b25a

SHA1
3641ac2fa067f7d0856516362ee3d1b668d4c228

SHA256
733f140322609fbeec96cd2b69dbe45c40e4e67976c6c7aa9a2ccf107a6dcf0d

SHA512
5e1d963f340ef29a512963f38bc1acb6cb937746c28b0a0f5e077994adc64ac31a6149bb4b7ae2cb70e9b65116afe4f200245600bba574bf7f1af782d9e1db2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD37.exe

Filesize
1.7MB

MD5
426bd3ea35fdf223f395b04cda11b25a

SHA1
3641ac2fa067f7d0856516362ee3d1b668d4c228

SHA256
733f140322609fbeec96cd2b69dbe45c40e4e67976c6c7aa9a2ccf107a6dcf0d

SHA512
5e1d963f340ef29a512963f38bc1acb6cb937746c28b0a0f5e077994adc64ac31a6149bb4b7ae2cb70e9b65116afe4f200245600bba574bf7f1af782d9e1db2d

Download Submit
\Users\Admin\AppData\Local\Temp\1qnE.KBN

Filesize
1.3MB

MD5
ba766002a97e7ed5b194cd987b746aae

SHA1
d28ce45684aad52590d5e0fbddffdb89a22c92b5

SHA256
249e22771af6f00a5e42bcfd1d76a1df7e2fdcaf623acb4011ffe08e0c527ed8

SHA512
c092dd47ed9e73ecfc28e6b574018baed758d3d5d94fbbe1ce7037e67907dcd741b256c8e3bdea3485da66b5626de6ac26bfd8bb8b8956d55db6585b704a36a9

Download Submit
\Users\Admin\AppData\Local\Temp\1qnE.KBN

Filesize
1.3MB

MD5
ba766002a97e7ed5b194cd987b746aae

SHA1
d28ce45684aad52590d5e0fbddffdb89a22c92b5

SHA256
249e22771af6f00a5e42bcfd1d76a1df7e2fdcaf623acb4011ffe08e0c527ed8

SHA512
c092dd47ed9e73ecfc28e6b574018baed758d3d5d94fbbe1ce7037e67907dcd741b256c8e3bdea3485da66b5626de6ac26bfd8bb8b8956d55db6585b704a36a9

Download Submit
\Users\Admin\AppData\Local\Temp\1qnE.KBN

Filesize
1.3MB

MD5
ba766002a97e7ed5b194cd987b746aae

SHA1
d28ce45684aad52590d5e0fbddffdb89a22c92b5

SHA256
249e22771af6f00a5e42bcfd1d76a1df7e2fdcaf623acb4011ffe08e0c527ed8

SHA512
c092dd47ed9e73ecfc28e6b574018baed758d3d5d94fbbe1ce7037e67907dcd741b256c8e3bdea3485da66b5626de6ac26bfd8bb8b8956d55db6585b704a36a9

Download Submit
\Users\Admin\AppData\Local\Temp\1qnE.KBN

Filesize
1.3MB

MD5
ba766002a97e7ed5b194cd987b746aae

SHA1
d28ce45684aad52590d5e0fbddffdb89a22c92b5

SHA256
249e22771af6f00a5e42bcfd1d76a1df7e2fdcaf623acb4011ffe08e0c527ed8

SHA512
c092dd47ed9e73ecfc28e6b574018baed758d3d5d94fbbe1ce7037e67907dcd741b256c8e3bdea3485da66b5626de6ac26bfd8bb8b8956d55db6585b704a36a9

Download Submit
\Users\Admin\AppData\Local\Temp\1qnE.KBN

Filesize
1.3MB

MD5
ba766002a97e7ed5b194cd987b746aae

SHA1
d28ce45684aad52590d5e0fbddffdb89a22c92b5

SHA256
249e22771af6f00a5e42bcfd1d76a1df7e2fdcaf623acb4011ffe08e0c527ed8

SHA512
c092dd47ed9e73ecfc28e6b574018baed758d3d5d94fbbe1ce7037e67907dcd741b256c8e3bdea3485da66b5626de6ac26bfd8bb8b8956d55db6585b704a36a9

Download Submit
\Users\Admin\AppData\Local\Temp\1qnE.KBN

Filesize
1.3MB

MD5
ba766002a97e7ed5b194cd987b746aae

SHA1
d28ce45684aad52590d5e0fbddffdb89a22c92b5

SHA256
249e22771af6f00a5e42bcfd1d76a1df7e2fdcaf623acb4011ffe08e0c527ed8

SHA512
c092dd47ed9e73ecfc28e6b574018baed758d3d5d94fbbe1ce7037e67907dcd741b256c8e3bdea3485da66b5626de6ac26bfd8bb8b8956d55db6585b704a36a9

Download Submit
\Users\Admin\AppData\Local\Temp\1qnE.KBN

Filesize
1.3MB

MD5
ba766002a97e7ed5b194cd987b746aae

SHA1
d28ce45684aad52590d5e0fbddffdb89a22c92b5

SHA256
249e22771af6f00a5e42bcfd1d76a1df7e2fdcaf623acb4011ffe08e0c527ed8

SHA512
c092dd47ed9e73ecfc28e6b574018baed758d3d5d94fbbe1ce7037e67907dcd741b256c8e3bdea3485da66b5626de6ac26bfd8bb8b8956d55db6585b704a36a9

Download Submit
\Users\Admin\AppData\Local\Temp\1qnE.KBN

Filesize
1.3MB

MD5
ba766002a97e7ed5b194cd987b746aae

SHA1
d28ce45684aad52590d5e0fbddffdb89a22c92b5

SHA256
249e22771af6f00a5e42bcfd1d76a1df7e2fdcaf623acb4011ffe08e0c527ed8

SHA512
c092dd47ed9e73ecfc28e6b574018baed758d3d5d94fbbe1ce7037e67907dcd741b256c8e3bdea3485da66b5626de6ac26bfd8bb8b8956d55db6585b704a36a9

Download Submit
memory/524-92-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/524-91-0x0000000002210000-0x0000000002361000-memory.dmp

Filesize
1.3MB

Download
memory/524-101-0x00000000028A0000-0x000000000299E000-memory.dmp

Filesize
1016KB

Download
memory/524-100-0x00000000028A0000-0x000000000299E000-memory.dmp

Filesize
1016KB

Download
memory/524-98-0x00000000028A0000-0x000000000299E000-memory.dmp

Filesize
1016KB

Download
memory/524-96-0x0000000002780000-0x0000000002899000-memory.dmp

Filesize
1.1MB

Download
memory/524-93-0x0000000002210000-0x0000000002361000-memory.dmp

Filesize
1.3MB

Download
memory/1200-54-0x00000000029A0000-0x00000000029B6000-memory.dmp

Filesize
88KB

Download
memory/1200-61-0x000007FEF5DA0000-0x000007FEF5EE3000-memory.dmp

Filesize
1.3MB

Download
memory/1200-63-0x000007FEF5DA0000-0x000007FEF5EE3000-memory.dmp

Filesize
1.3MB

Download
memory/1200-62-0x000007FF122C0000-0x000007FF122CA000-memory.dmp

Filesize
40KB

Download
memory/2244-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2244-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2884-85-0x0000000000A90000-0x0000000000BE1000-memory.dmp

Filesize
1.3MB

Download
memory/2884-82-0x00000000028F0000-0x00000000029EE000-memory.dmp

Filesize
1016KB

Download
memory/2884-84-0x00000000028F0000-0x00000000029EE000-memory.dmp

Filesize
1016KB

Download
memory/2884-81-0x00000000028F0000-0x00000000029EE000-memory.dmp

Filesize
1016KB

Download
memory/2884-76-0x0000000000A90000-0x0000000000BE1000-memory.dmp

Filesize
1.3MB

Download
memory/2884-80-0x00000000027D0000-0x00000000028E9000-memory.dmp

Filesize
1.1MB

Download
memory/2884-77-0x0000000000A90000-0x0000000000BE1000-memory.dmp

Filesize
1.3MB

Download
memory/2884-78-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/2884-86-0x00000000028F0000-0x00000000029EE000-memory.dmp

Filesize
1016KB

Download