smokeloader | 538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185

Analysis

max time kernel
133s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-05-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe
Size

693KB
MD5

83741bbca9631aa4925203fbddc0ad7d
SHA1

f636ef4f3279cd49d1036a70293f8390ecc96a3e
SHA256

538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185
SHA512

55ee1b215e46024c3bb3722518d476be148c3c48d60d744c53fecba48b7a02ba9ab2f58b436b9657e4748d72d6696bc5e6f477f7805f91fa66841debd00b9a5b
SSDEEP

12288:tXBffJMAUAyQAg8Y3ElBvCm5KUwzq2uE2na367joJqTOX7gXX7:tXBfmPQXMqm5wzq2uDa367joJqaXQ7

Score

10^/10

smokeloader pub3 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Labs.pif

description pid process target process

PID 3136 created 3416 3136 Labs.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Labs.pifLabs.pif

pid process

3136 Labs.pif
4752 Labs.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Labs.pif

description pid process target process

PID 3136 set thread context of 4752 3136 Labs.pif Labs.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3136 created 3416	3136	Labs.pif	Explorer.EXE

pid	process
3136	Labs.pif
4752	Labs.pif

description	pid	process	target process
PID 3136 set thread context of 4752	3136	Labs.pif	Labs.pif

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Labs.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Labs.pif
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Labs.pif
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Labs.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2084 tasklist.exe
3808 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4272 PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Labs.pif

pid process

3136 Labs.pif
3136 Labs.pif
3136 Labs.pif
3136 Labs.pif
3136 Labs.pif
3136 Labs.pif
3136 Labs.pif
3136 Labs.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2084 tasklist.exe
Token: SeDebugPrivilege 3808 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Labs.pif

pid process

3136 Labs.pif
3136 Labs.pif
3136 Labs.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Labs.pif

pid process

3136 Labs.pif
3136 Labs.pif
3136 Labs.pif

pid	process
2084	tasklist.exe
3808	tasklist.exe

pid	process
4272	PING.EXE

pid	process
3136	Labs.pif
3136	Labs.pif
3136	Labs.pif
3136	Labs.pif
3136	Labs.pif
3136	Labs.pif
3136	Labs.pif
3136	Labs.pif

description	pid	process
Token: SeDebugPrivilege	2084	tasklist.exe
Token: SeDebugPrivilege	3808	tasklist.exe

pid	process
3136	Labs.pif
3136	Labs.pif
3136	Labs.pif

pid	process
3136	Labs.pif
3136	Labs.pif
3136	Labs.pif

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.execmd.exeLabs.pif

description	pid	process	target process
PID 5060 wrote to memory of 2880	5060	538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe	cmd.exe
PID 5060 wrote to memory of 2880	5060	538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe	cmd.exe
PID 5060 wrote to memory of 2880	5060	538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe	cmd.exe
PID 2880 wrote to memory of 2084	2880	cmd.exe	tasklist.exe
PID 2880 wrote to memory of 2084	2880	cmd.exe	tasklist.exe
PID 2880 wrote to memory of 2084	2880	cmd.exe	tasklist.exe
PID 2880 wrote to memory of 3056	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 3056	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 3056	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 3808	2880	cmd.exe	tasklist.exe
PID 2880 wrote to memory of 3808	2880	cmd.exe	tasklist.exe
PID 2880 wrote to memory of 3808	2880	cmd.exe	tasklist.exe
PID 2880 wrote to memory of 4584	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 4584	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 4584	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 3384	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 3384	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 3384	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 4612	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 4612	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 4612	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 684	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 684	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 684	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 3136	2880	cmd.exe	Labs.pif
PID 2880 wrote to memory of 3136	2880	cmd.exe	Labs.pif
PID 2880 wrote to memory of 3136	2880	cmd.exe	Labs.pif
PID 2880 wrote to memory of 4272	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 4272	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 4272	2880	cmd.exe	PING.EXE
PID 3136 wrote to memory of 4752	3136	Labs.pif	Labs.pif
PID 3136 wrote to memory of 4752	3136	Labs.pif	Labs.pif
PID 3136 wrote to memory of 4752	3136	Labs.pif	Labs.pif
PID 3136 wrote to memory of 4752	3136	Labs.pif	Labs.pif
PID 3136 wrote to memory of 4752	3136	Labs.pif	Labs.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe
"C:\Users\Admin\AppData\Local\Temp\538af0e39f24f16e4e52cad03295a359304d8f458c1fe18d0681e884112f2185.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Origins Origins.cmd & Origins.cmd & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:3056

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
cmd /c md 55115725
4⤵
PID:3384

C:\Windows\SysWOW64\findstr.exe
findstr /V "SlutSteLouisTranslation" Cyprus
4⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Breeding + Fuji + Weather 55115725\s
4⤵
PID:684

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55115725\Labs.pif
55115725\Labs.pif 55115725\s
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:4272

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55115725\Labs.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55115725\Labs.pif
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55115725\Labs.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55115725\s
Filesize
242KB

MD5
832180873e27da9b7a218ec02099691a

SHA1
09a26d9ac5619df11650bf11e41c5dd96ea371d2

SHA256
19e0ed3240d70f9ac0602c8507cdcb12b448d8f4aea26f5f0a6913f9517f1a3f

SHA512
2abe2fd0d9e423b75d1d49d28711402c12c20ba7a88aa0c5360ddded3bac92f7f07b4fca874232e8f8c108427f3264e179a1a2f6f96f79aab1f8f07736f92ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Advocacy
Filesize
40KB

MD5
3e0a5939f55f64dc128ec03642f09392

SHA1
74fc5265b92bf9b807e023e968f94528904918e6

SHA256
4b0c83524efd0db079aba2519aaf676b784207ac84a7de69918e56c698d81a91

SHA512
ea6eb18fb83dfb46c5461e518a33e4a2279c803931e13fd5dd9d962eb4af35637c2011708b32f1d0457798bdad40f59dfb35ee770aa472cab2ef4901eddb0082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Breeding
Filesize
75KB

MD5
3ec78865d37dba4270b52656bfcd5d51

SHA1
761877d874e583014bfe9c5f0d5ba71ba4f788a6

SHA256
7c8734f0a4571438a469037571f7ad8a7513e779fd65f3d547d1426bad7b2034

SHA512
cb7cafaa16c342f9d5e4a3c9bcebe32b1b2106ad811132be75a4c9f9222fea9ddc5ba5fb0c9cef6626c01e81215f550c060e4300e9d64d83065e806b783e80c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cyprus
Filesize
210B

MD5
e5ecf7084f37757a977cb7854faf0dd2

SHA1
6778ea5ac5ecc59171883c2aa7204373f46c5fb1

SHA256
10d22d0f44bcdf23a31d0097069e1d095a86e2113580bfc61f50b7ac3218a4d2

SHA512
7f4eef0637c68154be4341c02da291e8b81e64ecd7ed5cba5d30a2e1a2e63839c1682fdade36a9da06124321aec610efaf23b4b5fcdd1bf4c6be104e7c0d9ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Folk
Filesize
121KB

MD5
00425db818e6fd2f0eeb0cf37469b749

SHA1
d9bd6e0afca273aa8a931360c2f91c0d9d1463a1

SHA256
da879d5eb37e5c0ef62422b95adb8aa39607bb6c6d1efa817cb8353633b8d0eb

SHA512
9b8d7aa19308b7376b4933e09613bac281d0ab332bce661b7e590f6568519c66a6d307883b3274e6668ad61b4ee52e519d8a574f6202ad827b9f0a2aa8366721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fuji
Filesize
60KB

MD5
901f468eeda506282d7906687c36ef22

SHA1
0fb000fa798d648c1309cc6599692ed6ac4d4990

SHA256
2f64e2c562e065ae15a95be85d128e6f99f6d201b3b18a8cf5dbb1ab8cb87d62

SHA512
17b4768ce6075ea83b774cf37bc2c2f2b7f6b78156c883cb6fa38422513fd8e19e03556a5baf549e31b4f02de78638a3f480421440f4e38ea32e8cd014cee0e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mind
Filesize
98KB

MD5
83aeea636c54d733cc32ab493a5364d4

SHA1
545c1357944c51e9f8d2110d01dfa2076a716613

SHA256
0d5602ba1e91c3672992926d40ade260db5df228af923df30c5bf4242df2f133

SHA512
f61acfb0b7ace3331945dd1b623fed445b8e2641380861708d1146ca595bb921b81025f9e39aa8c94f7fef20635f009fd8bd4697227f61ed7b5dee56466b616a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Orders
Filesize
221KB

MD5
634d131aef5fb9666cdcaf3c8c2c4260

SHA1
87200be917ff801478dea404ef60980c45d05cde

SHA256
4536f5904c52e8e2b0b7aa3c5cf2527fe09dad507a40335473d4386eef02e0d7

SHA512
aa87118cd7cf36b567d58b0db75bf3e2058c8e3f7ace69e8be0e7f79e10ad316101bbdd3facaf9e725b75e4b755b8f674c1070a51da4dbc0720f4d1de1dbd3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Origins
Filesize
23KB

MD5
14dbb5fcfe93369164f6423ef2a9a618

SHA1
c5d414a05eecfd9ba26ede311dbe0c6addc62f79

SHA256
6cb0f1e1d71431257f46db15167cd8bf22313e6ab3425bad00c64ea918f213a5

SHA512
28e64e8d41da778cd1ba5c29667fd54f3ca5af276d87f8aa3d14ec77a1c15e04f5a58d7c0e5df8807d2c5381960f3fc25394f949365d09ebf8455a63470f2e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Titten
Filesize
104KB

MD5
237d2f88a43c21c9bc5599be91b3571b

SHA1
e94251dd329300f7c74631cdaafd5f504c4866fa

SHA256
698e3aba58edb38fb5c26cb561c65811636a18f8dd28edbe2cf9fcba87df229c

SHA512
79249b8a15e807c2af0423d2fb5615d96e95ee1a7e4e6e10fa196838194c1ee16f11c41d5580c9d40a693937fecf392e1c607439e3012bb035a99fa7a1334213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Towards
Filesize
288KB

MD5
9747e2f0863c6acee2cad8e96980658a

SHA1
3da9cfb884a513a5ecd9138d09287055a423d110

SHA256
6f47415606c5b750d66c7340f65a3fecafe28b2e7a83dadc3dc154d72b727fff

SHA512
a48acf816e1d607925a549b904a52665c5aaab37a3a9f198183e78c7ebff22806c1d74b934b01298da82b5701d553d1da4ebf1862099ed0091cedfe0571bb744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Weather
Filesize
107KB

MD5
c7980f56319f536020f8bef4bb8974c0

SHA1
adb8adf76b9add121cefbce1c58ca5510d21f671

SHA256
9e5bdbe0a3f24b4700e379f38fe40928ebfe69fc2fb2e9d2fd942b6cf7991545

SHA512
cb37715791f3e3d8c4bd30ccc8e3e8e84f4a8720467f80e742d70aa6e9755f1ecec9db8cf55d4d8f8572dce818f55ff7c3771bbacd6fa597c4db04ae56389e70

Download Submit
memory/4752-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4752-41-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download