smokeloader | 880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270

Analysis

max time kernel
24s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270.exe
Size

269KB
MD5

8910b96785e4e7ad11652b35920875a8
SHA1

7ffada079e34359191a161f06e7396032c3af38a
SHA256

880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270
SHA512

7e2e720bbbcf3b8fb58902913b9ca032c3a6edd5ad63ca0bea9839e6e94d12e36f31e28b993a5ce78eb916f3c638bce60ade0c526146a8473c4f49c51f4592a6
SSDEEP

6144:sWDctlMQMY6Vo++E0R6gFAOaxRjmUwhg35:sW4tiQMYlXEvmQ35

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 1 IoCs

pid	Process
716	981.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4680 set thread context of 2668	4680	880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4880	4680	WerFault.exe	16

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	AppLaunch.exe
2668	AppLaunch.exe
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found
3156	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2668	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3156	Process not Found
Token: SeCreatePagefilePrivilege	3156	Process not Found

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 2668	4680	880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270.exe	28
PID 4680 wrote to memory of 2668	4680	880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270.exe	28
PID 4680 wrote to memory of 2668	4680	880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270.exe	28
PID 4680 wrote to memory of 2668	4680	880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270.exe	28
PID 4680 wrote to memory of 2668	4680	880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270.exe	28
PID 4680 wrote to memory of 2668	4680	880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270.exe	28
PID 3156 wrote to memory of 716	3156	Process not Found	95
PID 3156 wrote to memory of 716	3156	Process not Found	95
PID 3156 wrote to memory of 716	3156	Process not Found	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270.exe
"C:\Users\Admin\AppData\Local\Temp\880ba79e4e30109c4d4404e49e44134a0aeee69f77af4b41409d3f44a80c3270.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 288
  2⤵
  - Program crash
  PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4680 -ip 4680
1⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\981.exe
C:\Users\Admin\AppData\Local\Temp\981.exe
1⤵
- Executes dropped EXE
PID:716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hF2Ao8MO.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hF2Ao8MO.exe
  2⤵
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dl9SN7bU.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dl9SN7bU.exe
    3⤵
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vg2Lt5Ro.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vg2Lt5Ro.exe
      4⤵
      PID:1000
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9wZ4qn.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9wZ4qn.exe
        5⤵
        
        PID:5076
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Pj51VN3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Pj51VN3.exe
        6⤵
        
        PID:4504

C:\Users\Admin\AppData\Local\Temp\B37.exe
C:\Users\Admin\AppData\Local\Temp\B37.exe
1⤵
PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEE.bat" "
1⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\101B.exe
C:\Users\Admin\AppData\Local\Temp\101B.exe
1⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\1145.exe
C:\Users\Admin\AppData\Local\Temp\1145.exe
1⤵
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\101B.exe

Filesize
640KB

MD5
a839b88db997616ab4bfd5535600af0c

SHA1
bb49c7fa9a4a249620fa48a025d145b71a1435fa

SHA256
498c4fc8def116e0e3490f3da7f2630d498ac118c1c79ff15c897098e66724b4

SHA512
9fb57ccd4e2c1bf5f235fd48a03031899825537c230d57dc7c5186a12d4e97bbf64ed8befa7c436aaf13fb19088848b81a1330054d658a3f379b5a2c6b76bbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\981.exe

Filesize
1.5MB

MD5
1160262e422411305f05b9fab3a7f2e6

SHA1
8bfec0a26f4382eb7571e1bf98b9bbe1fb45b749

SHA256
321e37c2c46f7f2e9055c32feec44efdc9ff8ce989ae8607b0a68e7a2b1dfb94

SHA512
26b15f3ceee353b610972e655c764ff01243033745c7e9134e30c4f4682ad173a861eda506d74eb403103ae7714adce2d5ea946ea00c99a25d7309db72bcf94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\981.exe

Filesize
1.5MB

MD5
1160262e422411305f05b9fab3a7f2e6

SHA1
8bfec0a26f4382eb7571e1bf98b9bbe1fb45b749

SHA256
321e37c2c46f7f2e9055c32feec44efdc9ff8ce989ae8607b0a68e7a2b1dfb94

SHA512
26b15f3ceee353b610972e655c764ff01243033745c7e9134e30c4f4682ad173a861eda506d74eb403103ae7714adce2d5ea946ea00c99a25d7309db72bcf94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B37.exe

Filesize
1.1MB

MD5
acca3c01a6e34c31e3eff44dfbc058c5

SHA1
e38ac995e7bb21f3d353d0364d4cf56d997c11bc

SHA256
b645ffa75a32ff8842e3689693f9708c91d5171598a3f8b8c91c5c2e833a6bd5

SHA512
1b385f327484de8f6a3882e7c0bd3f20f769ad6706e2d0700a27f4467de6a4eda8de7498dd07524b6d5905ee84de4fa8db3ff29af85a91c5769807992bb21fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\B37.exe

Filesize
1.1MB

MD5
acca3c01a6e34c31e3eff44dfbc058c5

SHA1
e38ac995e7bb21f3d353d0364d4cf56d997c11bc

SHA256
b645ffa75a32ff8842e3689693f9708c91d5171598a3f8b8c91c5c2e833a6bd5

SHA512
1b385f327484de8f6a3882e7c0bd3f20f769ad6706e2d0700a27f4467de6a4eda8de7498dd07524b6d5905ee84de4fa8db3ff29af85a91c5769807992bb21fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEE.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hF2Ao8MO.exe

Filesize
1.4MB

MD5
8239a42992bd8de11a97e251790d3fff

SHA1
207f9b238fd4bd5d2ec17bc6a25948b402acfa2d

SHA256
77a9a586e881dbad96448c81a4df58a6502ba7f33d3f7bbddff4ac1e570c4e96

SHA512
86ea8032695bbbe2b1e79620d0320764e2e65aa4c62d8b2ddd9354511ed2a1998dcffed05e6beb0aada96e8fb207e291d550f9833e14f05a1acf8fc1a98077e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hF2Ao8MO.exe

Filesize
1.4MB

MD5
8239a42992bd8de11a97e251790d3fff

SHA1
207f9b238fd4bd5d2ec17bc6a25948b402acfa2d

SHA256
77a9a586e881dbad96448c81a4df58a6502ba7f33d3f7bbddff4ac1e570c4e96

SHA512
86ea8032695bbbe2b1e79620d0320764e2e65aa4c62d8b2ddd9354511ed2a1998dcffed05e6beb0aada96e8fb207e291d550f9833e14f05a1acf8fc1a98077e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dl9SN7bU.exe

Filesize
1.2MB

MD5
994cfc1f22ac406c10caea72c0b7d789

SHA1
7b89940abbacb283de5af2b89fc90ccc27aefb4d

SHA256
ecdfcbf4feb0d1328035710f3d31c19c92d60a6e44e0711be593bb76c0de5e84

SHA512
643d70d5f4ce0a6116716f45fe261471c3ace731421ef567660e708e878100f78b6e8c13c40f5d83bf46a41882a44d4636c66d2d954a2f99a6f38cb144974fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dl9SN7bU.exe

Filesize
1.2MB

MD5
994cfc1f22ac406c10caea72c0b7d789

SHA1
7b89940abbacb283de5af2b89fc90ccc27aefb4d

SHA256
ecdfcbf4feb0d1328035710f3d31c19c92d60a6e44e0711be593bb76c0de5e84

SHA512
643d70d5f4ce0a6116716f45fe261471c3ace731421ef567660e708e878100f78b6e8c13c40f5d83bf46a41882a44d4636c66d2d954a2f99a6f38cb144974fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vg2Lt5Ro.exe

Filesize
777KB

MD5
3c7772b411b3b1a53ea89b05e418edc4

SHA1
4a5fa17b256d01b01f2ac61edb834db3dbdd4466

SHA256
085cffc7f2c0b3a924c9b408fceeaa59f8f8e4ef8044871eb21bd8d29a742001

SHA512
f40d8759055e5fc5c6688726d36b287bb86f25d26ff5c560cac3b87e8fc5b9a523f9fbaf724d681446540978e710bd053f436561e39bd7a76d88bfd16b1ee41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vg2Lt5Ro.exe

Filesize
777KB

MD5
3c7772b411b3b1a53ea89b05e418edc4

SHA1
4a5fa17b256d01b01f2ac61edb834db3dbdd4466

SHA256
085cffc7f2c0b3a924c9b408fceeaa59f8f8e4ef8044871eb21bd8d29a742001

SHA512
f40d8759055e5fc5c6688726d36b287bb86f25d26ff5c560cac3b87e8fc5b9a523f9fbaf724d681446540978e710bd053f436561e39bd7a76d88bfd16b1ee41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9wZ4qn.exe

Filesize
580KB

MD5
8f7169f47b0d82716edf505408a041b8

SHA1
92c05af2d6ca0cfafc37a703642197d0b22dc38a

SHA256
39188c9e8890f35aad00eb2587c7bee4fd5b12ea9784ce514b6f41b7467aa30c

SHA512
c2623b5357e3c879531e7951b23a8bcf3d715063388bed8309f1e9a57309697b4330346c81dfd5cbe25fe870432b6b927635bd964328561fc883704b32580f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz9wZ4qn.exe

Filesize
580KB

MD5
8f7169f47b0d82716edf505408a041b8

SHA1
92c05af2d6ca0cfafc37a703642197d0b22dc38a

SHA256
39188c9e8890f35aad00eb2587c7bee4fd5b12ea9784ce514b6f41b7467aa30c

SHA512
c2623b5357e3c879531e7951b23a8bcf3d715063388bed8309f1e9a57309697b4330346c81dfd5cbe25fe870432b6b927635bd964328561fc883704b32580f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Pj51VN3.exe

Filesize
896KB

MD5
4bf7fc7d7cc6d19a8df3c55b67119378

SHA1
552191d03010622df47f91d5a334e8447ee6fdbe

SHA256
91c2272f193d67f63eef3e8334d6258f9816c452f4d45294776fcab95fc11984

SHA512
f38b05d00f848372c7f6b4557259cadf9e91f7f085a81e989d3fc7cc568638405ac54f723997906f05aec9e38288b0124b42030355df1e4c180d83d3f1ff4901

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Pj51VN3.exe

Filesize
128KB

MD5
41dd7bea3e650b7abb2cb26c25116469

SHA1
16455d5022362bee45fae16dbdcce9d5e8f69961

SHA256
e0128a972cdcf72ded26d99b62ff9b75edf9ea6d2ebc47c3c8f16da3280639be

SHA512
5f38542725d7fd8e07320bbfd55e578260462376c451556c86b8525264c5548600eec92a81e87449862794913129522303a9b7c786c2e7c6af4e0bdb1676be1c

Download Submit
memory/2668-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3156-2-0x0000000002810000-0x0000000002826000-memory.dmp

Filesize
88KB

Download