smokeloader | 0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058

Analysis

max time kernel
26s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
Size

178KB
MD5

05d2cf367964e2a1f8c83a9df167e836
SHA1

d12c5cc51b1ee41815c5af5f279a620ba84ac407
SHA256

0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058
SHA512

c3b9b57609b8c499c0eeadad5ac00f7e329dd064650d1f7762c1cc0d56be961ea9db178624a847cf71b7bfa52e275595514a6288ace7f557c56e42d37e72118d
SSDEEP

3072:R4qdWTLGklFGCBTk6MuMJo9aMkwtDJsT3i6IaGWK3MkCRMk5Ds:R4qATL5nGIk6zGo9aMFfsDSaGD8k4

Score

10^/10

smokeloader up3 backdoor evasion trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3404
Executes dropped EXE 1 IoCs

Processes:

B3CF.exe

pid process

1404 B3CF.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

B3CF.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA B3CF.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

B3CF.exe

pid process

1404 B3CF.exe

pid	process
3404

pid	process
1404	B3CF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	B3CF.exe

pid	process
1404	B3CF.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe

description	pid	process	target process
PID 644 set thread context of 4484	644	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1660	4484	WerFault.exe	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
944	1104	WerFault.exe	explorer.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BAC5.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\BAC5.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B3CF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	B3CF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	B3CF.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe

pid	process
4484	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
4484	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe

pid process

4484 0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

B3CF.exe

description	pid	process
Token: SeShutdownPrivilege	3404
Token: SeCreatePagefilePrivilege	3404
Token: SeDebugPrivilege	1404	B3CF.exe
Token: SeRestorePrivilege	1404	B3CF.exe
Token: SeBackupPrivilege	1404	B3CF.exe
Token: SeLoadDriverPrivilege	1404	B3CF.exe
Token: SeCreatePagefilePrivilege	1404	B3CF.exe
Token: SeShutdownPrivilege	1404	B3CF.exe
Token: SeTakeOwnershipPrivilege	1404	B3CF.exe
Token: SeChangeNotifyPrivilege	1404	B3CF.exe
Token: SeCreateTokenPrivilege	1404	B3CF.exe
Token: SeMachineAccountPrivilege	1404	B3CF.exe
Token: SeSecurityPrivilege	1404	B3CF.exe
Token: SeAssignPrimaryTokenPrivilege	1404	B3CF.exe
Token: SeCreateGlobalPrivilege	1404	B3CF.exe
Token: 33	1404	B3CF.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe

description	pid	process	target process
PID 644 wrote to memory of 4484	644	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
PID 644 wrote to memory of 4484	644	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
PID 644 wrote to memory of 4484	644	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
PID 644 wrote to memory of 4484	644	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
PID 644 wrote to memory of 4484	644	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
PID 644 wrote to memory of 4484	644	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe	0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
PID 3404 wrote to memory of 1404	3404		B3CF.exe
PID 3404 wrote to memory of 1404	3404		B3CF.exe
PID 3404 wrote to memory of 1404	3404		B3CF.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
"C:\Users\Admin\AppData\Local\Temp\0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe
  "C:\Users\Admin\AppData\Local\Temp\0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 328
    3⤵
    - Program crash
    PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4484 -ip 4484
1⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\B3CF.exe
C:\Users\Admin\AppData\Local\Temp\B3CF.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1404
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1076
    3⤵
    - Program crash
    PID:944

C:\Users\Admin\AppData\Local\Temp\BAC5.exe
C:\Users\Admin\AppData\Local\Temp\BAC5.exe
1⤵
PID:4192
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
  2⤵
  PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1104 -ip 1104
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B3CF.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3CF.exe

Filesize
360KB

MD5
80c413180b6bd0dd664adc4e0665b494

SHA1
e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

SHA256
6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

SHA512
347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAC5.exe

Filesize
46KB

MD5
954a0fcf08fceb49abb5e1e063aaf4f4

SHA1
d1173dc7a5884e865a2040d413a1f2a19020d508

SHA256
ae6397128f82a80bf81b27b46ffe6ea70659ecde593079ab0d66f7fdc2937732

SHA512
087ccdf556ad4510f6185225d007ff0d4ff2dadb79f6de1f689d124202353192176ad5f02f56420e003d4b8e1681deeaab215518bb54630492dd896862bc168f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAC5.exe

Filesize
9KB

MD5
f43dc6f48e353b7ce3a36f3f4bef5091

SHA1
fe96b3a18f6c85c4135ab8e091d1af8b62e5a942

SHA256
6f2d2efba6a2283b0090af06976873479ba9605803a06e2339911043fd3dd553

SHA512
23e966ec9c405c173ab9919799b1414ea553540638a1ccc8c66d2979081208cb7af55e0a126363587aa5944968fe52906c57e452ff639bc482d370261da03caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

Filesize
304KB

MD5
6e60b34969629a5732035a288c8a2ee8

SHA1
b78b5c78c9c7825cc98bad35af7ba538dc887bf2

SHA256
8688fd4bf4a95b9970d2fd23b7969f9bcd2320f4425f778facc71bec9e35be5a

SHA512
38d78ca348af644d6cd63767d122154d95b6497c68c76bbc6faf7b0b070f42e1049c66b03a7db5ff4eca763f31335e1047957b6237f49e9f8f86f735170a340e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

Filesize
363KB

MD5
fba0c8ed171e09f5fb9780fe9caa306d

SHA1
52e201b0c8b4aaa084bdb96a157705c15befcb4f

SHA256
3805884be4941b7abeaf25972484a0b8e2b6d4eb1f3a0afefb37fb2788de51e6

SHA512
6e4578c89e1125555e3e7f934b5563035bb34193716a5215b5b5a4230e2ed97036d2d9e58817e796b7199d38f21e1ae8055878be760343ad6c7363faafbfde92

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

Filesize
172KB

MD5
c86996516d5d201c7a99533efe9046d9

SHA1
069db2dce9158cd3490dbdc64531cb541e81f43d

SHA256
b4f30a35e6b29fb6c1041808d959011c884aba48caad6293b41b6a3454834878

SHA512
2ff97b1e3cee0b266ebb0e71f67d34c32891b3f2773ceb045bc8f8805f52214462d6d980bf32afdc2be7d406b9da777ca20e1f82c6f1478069b767f05cd8df99

Download Submit
C:\Users\Admin\AppData\Local\Temp\lib.dll

Filesize
231KB

MD5
cb5dbe98f66a840a73c8d194ae1b3b50

SHA1
d7978ee3094b83db8100f19363ae0512dedc1b4a

SHA256
e8e4272974211e0e6d117e46e8864b31737b4c9d31eee91d9f40e4ac0208522f

SHA512
cdb55c9941cae6cf4f6f1a985880d7bdf17abfdcbe530498e7ba01a31b4eb3c19164e696795e77f192ba03efccdd05eafc12f11d6bd705db368c1b8dc4b09c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBBEE.tmp\System.dll

Filesize
12KB

MD5
dd87a973e01c5d9f8e0fcc81a0af7c7a

SHA1
c9206ced48d1e5bc648b1d0f54cccc18bf643a14

SHA256
7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

SHA512
4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

Download Submit
memory/644-2-0x00000000008D0000-0x00000000008D9000-memory.dmp

Filesize
36KB

Download
memory/644-1-0x0000000000A30000-0x0000000000B30000-memory.dmp

Filesize
1024KB

Download
memory/1104-28-0x0000000000590000-0x00000000009C4000-memory.dmp

Filesize
4.2MB

Download
memory/1104-64-0x0000000000CD0000-0x0000000000D94000-memory.dmp

Filesize
784KB

Download
memory/1104-63-0x0000000000590000-0x00000000009C3000-memory.dmp

Filesize
4.2MB

Download
memory/1104-26-0x0000000000590000-0x00000000009C4000-memory.dmp

Filesize
4.2MB

Download
memory/1104-61-0x0000000004560000-0x0000000004562000-memory.dmp

Filesize
8KB

Download
memory/1104-30-0x0000000000CD0000-0x0000000000D94000-memory.dmp

Filesize
784KB

Download
memory/1104-32-0x0000000000CD0000-0x0000000000D94000-memory.dmp

Filesize
784KB

Download
memory/1104-29-0x0000000000CD0000-0x0000000000D94000-memory.dmp

Filesize
784KB

Download
memory/1372-60-0x00000000727D0000-0x0000000072EE7000-memory.dmp

Filesize
7.1MB

Download
memory/1372-65-0x00000000727D0000-0x0000000072EE7000-memory.dmp

Filesize
7.1MB

Download
memory/1404-18-0x0000000002280000-0x00000000022E6000-memory.dmp

Filesize
408KB

Download
memory/1404-25-0x0000000002280000-0x00000000022E6000-memory.dmp

Filesize
408KB

Download
memory/1404-34-0x0000000002280000-0x00000000022E6000-memory.dmp

Filesize
408KB

Download
memory/1404-19-0x0000000002640000-0x000000000264D000-memory.dmp

Filesize
52KB

Download
memory/1404-16-0x0000000000010000-0x000000000006D000-memory.dmp

Filesize
372KB

Download
memory/1404-20-0x0000000077294000-0x0000000077295000-memory.dmp

Filesize
4KB

Download
memory/1404-35-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1404-21-0x0000000002280000-0x00000000022E6000-memory.dmp

Filesize
408KB

Download
memory/1404-23-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1404-24-0x0000000002830000-0x000000000283C000-memory.dmp

Filesize
48KB

Download
memory/3404-5-0x0000000002A30000-0x0000000002A46000-memory.dmp

Filesize
88KB

Download
memory/4192-48-0x0000000000FC0000-0x0000000001556000-memory.dmp

Filesize
5.6MB

Download
memory/4192-41-0x0000000000FC0000-0x0000000001556000-memory.dmp

Filesize
5.6MB

Download
memory/4484-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4484-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4484-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download