smokeloader | ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4

General

Target

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
Size

290KB
MD5

6db27327a2233d8ee11abbed6229604b
SHA1

feb1887bd6f9c0f84ed539be18d2812042d87e74
SHA256

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4
SHA512

a0fac0a468fbc7d4f4b9a03a2a5fb94ec90172f04805066250a6c2fbf322a149acba3ecfd4cfa6889218e0c51bcece9d26c355cf36d5f939cb828a7735d5c5bf
SSDEEP

6144:BecoZjpjdRLk/7Y8XOFPN8v9ntG/689RjObRXMA:B+ZjpRRA/7XOFPSvJq68fjObph

Score

10^/10

smokeloader pub1 backdoor evasion trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3460
Executes dropped EXE 1 IoCs

Processes:

9D78.exe

pid process

4404 9D78.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

9D78.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 9D78.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

9D78.exe

pid process

4404 9D78.exe

pid	process
3460

pid	process
4404	9D78.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9D78.exe

pid	process
4404	9D78.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe

description	pid	process	target process
PID 4336 set thread context of 2080	4336	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3164	2080	WerFault.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
1200	2956	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9D78.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9D78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9D78.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe

pid	process
2080	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
2080	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe

pid process

2080 ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

9D78.exe

description	pid	process
Token: SeShutdownPrivilege	3460
Token: SeCreatePagefilePrivilege	3460
Token: SeDebugPrivilege	4404	9D78.exe
Token: SeRestorePrivilege	4404	9D78.exe
Token: SeBackupPrivilege	4404	9D78.exe
Token: SeLoadDriverPrivilege	4404	9D78.exe
Token: SeCreatePagefilePrivilege	4404	9D78.exe
Token: SeShutdownPrivilege	4404	9D78.exe
Token: SeTakeOwnershipPrivilege	4404	9D78.exe
Token: SeChangeNotifyPrivilege	4404	9D78.exe
Token: SeCreateTokenPrivilege	4404	9D78.exe
Token: SeMachineAccountPrivilege	4404	9D78.exe
Token: SeSecurityPrivilege	4404	9D78.exe
Token: SeAssignPrimaryTokenPrivilege	4404	9D78.exe
Token: SeCreateGlobalPrivilege	4404	9D78.exe
Token: 33	4404	9D78.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe

description	pid	process	target process
PID 4336 wrote to memory of 2080	4336	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
PID 4336 wrote to memory of 2080	4336	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
PID 4336 wrote to memory of 2080	4336	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
PID 4336 wrote to memory of 2080	4336	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
PID 4336 wrote to memory of 2080	4336	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
PID 4336 wrote to memory of 2080	4336	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe	ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
PID 3460 wrote to memory of 4404	3460		9D78.exe
PID 3460 wrote to memory of 4404	3460		9D78.exe
PID 3460 wrote to memory of 4404	3460		9D78.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
"C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe
  "C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4exe.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 328
    3⤵
    - Program crash
    PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 2080 -ip 2080
1⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\9D78.exe
C:\Users\Admin\AppData\Local\Temp\9D78.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4404
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1116
    3⤵
    - Program crash
    PID:1200

C:\Users\Admin\AppData\Local\Temp\A29A.exe
C:\Users\Admin\AppData\Local\Temp\A29A.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
  2⤵
  PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2956 -ip 2956
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2080-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2080-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2080-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2520-65-0x0000000072670000-0x0000000072D87000-memory.dmp

Filesize
7.1MB

Download
memory/2520-60-0x0000000072670000-0x0000000072D87000-memory.dmp

Filesize
7.1MB

Download
memory/2956-61-0x00000000034A0000-0x00000000034A2000-memory.dmp

Filesize
8KB

Download
memory/2956-64-0x0000000001200000-0x00000000012C4000-memory.dmp

Filesize
784KB

Download
memory/2956-63-0x00000000004D0000-0x0000000000903000-memory.dmp

Filesize
4.2MB

Download
memory/2956-36-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/2956-28-0x00000000004D0000-0x0000000000904000-memory.dmp

Filesize
4.2MB

Download
memory/2956-30-0x0000000001200000-0x00000000012C4000-memory.dmp

Filesize
784KB

Download
memory/2956-32-0x0000000001200000-0x00000000012C4000-memory.dmp

Filesize
784KB

Download
memory/2956-29-0x0000000001200000-0x00000000012C4000-memory.dmp

Filesize
784KB

Download
memory/2956-26-0x00000000004D0000-0x0000000000904000-memory.dmp

Filesize
4.2MB

Download
memory/3460-5-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/3980-48-0x0000000000F70000-0x0000000001506000-memory.dmp

Filesize
5.6MB

Download
memory/3980-41-0x0000000000F70000-0x0000000001506000-memory.dmp

Filesize
5.6MB

Download
memory/4336-1-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/4336-2-0x00000000021A0000-0x00000000021A9000-memory.dmp

Filesize
36KB

Download
memory/4404-16-0x0000000000010000-0x000000000006D000-memory.dmp

Filesize
372KB

Download
memory/4404-18-0x0000000000910000-0x0000000000976000-memory.dmp

Filesize
408KB

Download
memory/4404-19-0x0000000002640000-0x000000000264D000-memory.dmp

Filesize
52KB

Download
memory/4404-22-0x0000000077134000-0x0000000077135000-memory.dmp

Filesize
4KB

Download
memory/4404-23-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/4404-24-0x0000000002840000-0x000000000284C000-memory.dmp

Filesize
48KB

Download
memory/4404-34-0x0000000000910000-0x0000000000976000-memory.dmp

Filesize
408KB

Download
memory/4404-25-0x0000000000910000-0x0000000000976000-memory.dmp

Filesize
408KB

Download
memory/4404-20-0x0000000000910000-0x0000000000976000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads