smokeloader | db726961f1431fd7343b23e90a146a7fd19233d4980815f2d68d50c36bc1175d

Analysis

max time kernel
25s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

990a6d8f565a8df63234c7a9faabe6ba.exe
Size

290KB
MD5

990a6d8f565a8df63234c7a9faabe6ba
SHA1

328558357bbbafd16fad998fabb4e03c328900e9
SHA256

db726961f1431fd7343b23e90a146a7fd19233d4980815f2d68d50c36bc1175d
SHA512

2ae5bc20ee6b6a91662cc3d49433c7354fb8a0f3bdfb224d5da2820e6e637fb886279d6fca0b17bafa5bf991dfa9a3a4179ae9f9ba09b3f8bb04f626ea8eeabe
SSDEEP

3072:jec4fYwGFV04Lr70+sJiaUEvhqwuFVEYWQzkWl+tyYA5gi9/6NmJ5b4cQ4bRXp6h:jec43GFV04LNzEw9EYW8+lA/6+bRXMA

Score

10^/10

smokeloader up3 backdoor evasion trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

1340
Executes dropped EXE 1 IoCs

Processes:

7002.exe

pid process

2724 7002.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

7002.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7002.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7002.exe

pid process

2724 7002.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

990a6d8f565a8df63234c7a9faabe6ba.exe

description pid process target process

PID 2372 set thread context of 2408 2372 990a6d8f565a8df63234c7a9faabe6ba.exe 990a6d8f565a8df63234c7a9faabe6ba.exe

pid	process
1340

pid	process
2724	7002.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7002.exe

pid	process
2724	7002.exe

description	pid	process	target process
PID 2372 set thread context of 2408	2372	990a6d8f565a8df63234c7a9faabe6ba.exe	990a6d8f565a8df63234c7a9faabe6ba.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

990a6d8f565a8df63234c7a9faabe6ba.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	990a6d8f565a8df63234c7a9faabe6ba.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	990a6d8f565a8df63234c7a9faabe6ba.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	990a6d8f565a8df63234c7a9faabe6ba.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7002.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7002.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7002.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1164 schtasks.exe
Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

1864 regedit.exe

pid	process
1164	schtasks.exe

pid	process
1864	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

990a6d8f565a8df63234c7a9faabe6ba.exe

pid	process
2408	990a6d8f565a8df63234c7a9faabe6ba.exe
2408	990a6d8f565a8df63234c7a9faabe6ba.exe
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

990a6d8f565a8df63234c7a9faabe6ba.exe

pid process

2408 990a6d8f565a8df63234c7a9faabe6ba.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

7002.exe

description	pid	process
Token: SeDebugPrivilege	2724	7002.exe
Token: SeRestorePrivilege	2724	7002.exe
Token: SeBackupPrivilege	2724	7002.exe
Token: SeLoadDriverPrivilege	2724	7002.exe
Token: SeCreatePagefilePrivilege	2724	7002.exe
Token: SeShutdownPrivilege	2724	7002.exe
Token: SeTakeOwnershipPrivilege	2724	7002.exe
Token: SeChangeNotifyPrivilege	2724	7002.exe
Token: SeCreateTokenPrivilege	2724	7002.exe
Token: SeMachineAccountPrivilege	2724	7002.exe
Token: SeSecurityPrivilege	2724	7002.exe
Token: SeAssignPrimaryTokenPrivilege	2724	7002.exe
Token: SeCreateGlobalPrivilege	2724	7002.exe
Token: 33	2724	7002.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

990a6d8f565a8df63234c7a9faabe6ba.exe

description	pid	process	target process
PID 2372 wrote to memory of 2408	2372	990a6d8f565a8df63234c7a9faabe6ba.exe	990a6d8f565a8df63234c7a9faabe6ba.exe
PID 2372 wrote to memory of 2408	2372	990a6d8f565a8df63234c7a9faabe6ba.exe	990a6d8f565a8df63234c7a9faabe6ba.exe
PID 2372 wrote to memory of 2408	2372	990a6d8f565a8df63234c7a9faabe6ba.exe	990a6d8f565a8df63234c7a9faabe6ba.exe
PID 2372 wrote to memory of 2408	2372	990a6d8f565a8df63234c7a9faabe6ba.exe	990a6d8f565a8df63234c7a9faabe6ba.exe
PID 2372 wrote to memory of 2408	2372	990a6d8f565a8df63234c7a9faabe6ba.exe	990a6d8f565a8df63234c7a9faabe6ba.exe
PID 2372 wrote to memory of 2408	2372	990a6d8f565a8df63234c7a9faabe6ba.exe	990a6d8f565a8df63234c7a9faabe6ba.exe
PID 2372 wrote to memory of 2408	2372	990a6d8f565a8df63234c7a9faabe6ba.exe	990a6d8f565a8df63234c7a9faabe6ba.exe
PID 1340 wrote to memory of 2724	1340		7002.exe
PID 1340 wrote to memory of 2724	1340		7002.exe
PID 1340 wrote to memory of 2724	1340		7002.exe
PID 1340 wrote to memory of 2724	1340		7002.exe

C:\Users\Admin\AppData\Local\Temp\990a6d8f565a8df63234c7a9faabe6ba.exe
"C:\Users\Admin\AppData\Local\Temp\990a6d8f565a8df63234c7a9faabe6ba.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\990a6d8f565a8df63234c7a9faabe6ba.exe
  "C:\Users\Admin\AppData\Local\Temp\990a6d8f565a8df63234c7a9faabe6ba.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2408

C:\Users\Admin\AppData\Local\Temp\7002.exe
C:\Users\Admin\AppData\Local\Temp\7002.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2724
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\o7gq9ecs5gw_1.exe
    /suac
    3⤵
    PID:2504
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\O7GQ9E~1.EXE" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1164
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\SysWOW64\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:1864

C:\Users\Admin\AppData\Local\Temp\7705.exe
C:\Users\Admin\AppData\Local\Temp\7705.exe
1⤵
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-63-0x0000000076FA1000-0x0000000076FA2000-memory.dmp

Filesize
4KB

Download
memory/1340-71-0x00000000029F0000-0x00000000029F6000-memory.dmp

Filesize
24KB

Download
memory/1340-98-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1340-7-0x0000000002D10000-0x0000000002D26000-memory.dmp

Filesize
88KB

Download
memory/1864-105-0x0000000000530000-0x0000000000595000-memory.dmp

Filesize
404KB

Download
memory/1864-102-0x0000000000530000-0x0000000000596000-memory.dmp

Filesize
408KB

Download
memory/1864-106-0x0000000000090000-0x000000000009B000-memory.dmp

Filesize
44KB

Download
memory/1864-103-0x0000000000530000-0x0000000000596000-memory.dmp

Filesize
408KB

Download
memory/1892-111-0x0000000076FA1000-0x0000000076FA2000-memory.dmp

Filesize
4KB

Download
memory/2372-2-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2372-4-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2408-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2408-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2408-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2408-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2492-61-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-69-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-38-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-43-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-45-0x0000000000250000-0x0000000000314000-memory.dmp

Filesize
784KB

Download
memory/2492-44-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2492-41-0x0000000000250000-0x0000000000314000-memory.dmp

Filesize
784KB

Download
memory/2492-40-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-47-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2492-48-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-46-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-113-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-96-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-39-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-37-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2492-35-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-52-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-34-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-33-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-78-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-76-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-74-0x0000000000250000-0x0000000000314000-memory.dmp

Filesize
784KB

Download
memory/2492-62-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-64-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-65-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-66-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-67-0x0000000076F50000-0x00000000770F9000-memory.dmp

Filesize
1.7MB

Download
memory/2492-36-0x0000000000250000-0x0000000000314000-memory.dmp

Filesize
784KB

Download
memory/2492-68-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-75-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2492-70-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-73-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2492-72-0x0000000077130000-0x00000000772B1000-memory.dmp

Filesize
1.5MB

Download
memory/2504-88-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2504-92-0x0000000002510000-0x000000000251C000-memory.dmp

Filesize
48KB

Download
memory/2504-108-0x0000000000010000-0x000000000006D000-memory.dmp

Filesize
372KB

Download
memory/2504-89-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2504-95-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2504-93-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2504-109-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/2504-90-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/2504-110-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/2540-60-0x0000000001290000-0x0000000001826000-memory.dmp

Filesize
5.6MB

Download
memory/2540-94-0x0000000001290000-0x0000000001826000-memory.dmp

Filesize
5.6MB

Download
memory/2724-23-0x0000000001C40000-0x0000000001CA6000-memory.dmp

Filesize
408KB

Download
memory/2724-24-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2724-29-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2724-30-0x0000000002500000-0x000000000250C000-memory.dmp

Filesize
48KB

Download
memory/2724-31-0x0000000001C40000-0x0000000001CA6000-memory.dmp

Filesize
408KB

Download
memory/2724-25-0x0000000000370000-0x000000000037D000-memory.dmp

Filesize
52KB

Download
memory/2724-51-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/2724-28-0x0000000077140000-0x0000000077141000-memory.dmp

Filesize
4KB

Download
memory/2724-50-0x0000000001C40000-0x0000000001CA6000-memory.dmp

Filesize
408KB

Download
memory/2724-22-0x0000000000010000-0x000000000006D000-memory.dmp

Filesize
372KB

Download
memory/2724-26-0x0000000001C40000-0x0000000001CA6000-memory.dmp

Filesize
408KB

Download