smokeloader | 3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37

General

Target

3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
Size

263KB
MD5

f572d2cf74a7897bebb459dc08a45411
SHA1

9a6bc0b9670cf1e5ea21876c1a71bafdec32017f
SHA256

3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37
SHA512

d75df9d31d36776841854c3708727219380cd8731d0669fd18be634047b7526299bd5e5fa561385e7dce458edee417f08ed779b3a590dc9a71450f6ef3557a33
SSDEEP

3072:Y2e/zGhApVVIbW+UHPiXQGDL5mc4IRKU1uhIrueTi21TE7idvqjfyJ+dELqPtPe:OzCbWeQmLomRTVxT4O87dEL4t

Score

10^/10

smokeloader pub1 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

396 212 WerFault.exe 3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe

pid	pid_target	process	target process
396	212	WerFault.exe	3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a0a2b07e19474409a5e998fac1dca8100000000020000000000106600000001000020000000a4b2903209ba769ee03d39896ae34f55fbab9aa1364fef526a5f6bafd2305a5e000000000e8000000002000020000000bfd85557843adc46533b641be5ae8c3a690f59ab5dbebcab093b35eca364849a20000000a25ac5ba9206e33d35b94a20d1392d6d0b4408267edeb23f0ca2e4d1c4c9b0524000000035d7e74d6858fa7422f65be4342fdc5f1c06cb885b55ea6ffd8b33a50f7b7c9495c29a0d1af4d1236a2887da50fd19fe522c25d55e0974ce1f7071e7713f6990	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50634a620d98da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{766C1960-0400-11EF-8ED9-EA34BF5EE36C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420320429"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 603743620d98da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a0a2b07e19474409a5e998fac1dca8100000000020000000000106600000001000020000000eaaec930fc20b75907c0f6d77b87ec1045dc09674d65a3cd13371ebd07fb843f000000000e8000000002000020000000b69fe4bced11ac47f41927b803d0f542a5f6e6abd62d47c33b8ab34d0963654720000000054d68581ea5b33e52beb8d83ade5042b3ace2dabe17574d503582a0080ad2c740000000aa25a12f95bdcab3ea69638ca9c2702f4d735289e50891685cedcb0546401ae416603ee7fd08313317e781f3dd7c64bc56231724446e3135e6fa5d307e725635	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 7 IoCs

Processes:

explorer.exeOpenWith.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

3432 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeShutdownPrivilege 3432 explorer.exe
Token: SeCreatePagefilePrivilege 3432 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeexplorer.exe

pid process

3636 iexplore.exe
3432 explorer.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

OpenWith.exeiexplore.exeIEXPLORE.EXE

pid process

408 OpenWith.exe
3636 iexplore.exe
3636 iexplore.exe
3532 IEXPLORE.EXE
3532 IEXPLORE.EXE
3532 IEXPLORE.EXE
3532 IEXPLORE.EXE
3532 IEXPLORE.EXE

pid	process
3432	explorer.exe

description	pid	process
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe

pid	process
3636	iexplore.exe
3432	explorer.exe

pid	process
408	OpenWith.exe
3636	iexplore.exe
3636	iexplore.exe
3532	IEXPLORE.EXE
3532	IEXPLORE.EXE
3532	IEXPLORE.EXE
3532	IEXPLORE.EXE
3532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3636 wrote to memory of 3532	3636	iexplore.exe	IEXPLORE.EXE
PID 3636 wrote to memory of 3532	3636	iexplore.exe	IEXPLORE.EXE
PID 3636 wrote to memory of 3532	3636	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
"C:\Users\Admin\AppData\Local\Temp\3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe"
1⤵
- Checks SCSI registry key(s)
PID:212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 356
  2⤵
  - Program crash
  PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 212 -ip 212
1⤵
PID:840

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3532

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2296

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFEE9B98DD1D796F62.TMP

Filesize
16KB

MD5
fda751ee15fa9c735734a76c9f5e1bc6

SHA1
45b8a0d94e8e08fd11953dcbca9ffa27846fd5e8

SHA256
a40e6e97b2fe1947c6db841149789fc1dfa0ddbf4a6c4d2d9bc8b200561ed7a8

SHA512
1ef73bdfa3c70b74a671f9d82e0b114f213352667d28db8e0756699a148c2c3ce27d72a8fd6df4dfffc0accae18fe0790f69d3a6006c50ced73daa6de5f5e25d

Download Submit
memory/212-1-0x0000000004060000-0x0000000004160000-memory.dmp

Filesize
1024KB

Download
memory/212-2-0x0000000004630000-0x000000000463B000-memory.dmp

Filesize
44KB

Download
memory/212-4-0x0000000000400000-0x0000000004033000-memory.dmp

Filesize
60.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads