smokeloader | bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4

Analysis

max time kernel
300s
max time network
166s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe
Size

673KB
MD5

6a923e65041f43e9bef4d54bfe1494ea
SHA1

af71e57d4b7a9217e8b58804c620fbebbde4ed0c
SHA256

bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4
SHA512

544bcf56f6d40d0420bc8558575bdae8b25fda86d31718b7b0641aac4052ca8ba6570c925b38459813f039ca22d3867e9630527ad31272eabc385e22a697b44f
SSDEEP

12288:VXdgVz3JSUIRhiJ7ik6l1gDe85nMZstLjGzhTjdBztew17Fly1TMiwJeV1+n:VXdgWU7YlWDeqtLjWjdBhewQ15OE8n

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Missions.pif

description pid process target process

PID 2596 created 1192 2596 Missions.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Missions.pifMissions.pif

pid process

2596 Missions.pif
1492 Missions.pif
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2984 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Missions.pif

description pid process target process

PID 2596 set thread context of 1492 2596 Missions.pif Missions.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2596 created 1192	2596	Missions.pif	Explorer.EXE

pid	process
2984	cmd.exe

description	pid	process	target process
PID 2596 set thread context of 1492	2596	Missions.pif	Missions.pif

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Missions.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Missions.pif
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Missions.pif
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Missions.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2656 tasklist.exe
2752 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1992 PING.EXE

pid	process
2656	tasklist.exe
2752	tasklist.exe

pid	process
1992	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Missions.pifMissions.pifExplorer.EXE

pid	process
2596	Missions.pif
2596	Missions.pif
2596	Missions.pif
2596	Missions.pif
1492	Missions.pif
1492	Missions.pif
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Missions.pif

pid process

1492 Missions.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2656 tasklist.exe
Token: SeDebugPrivilege 2752 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Missions.pif

pid process

2596 Missions.pif
2596 Missions.pif
2596 Missions.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Missions.pif

pid process

2596 Missions.pif
2596 Missions.pif
2596 Missions.pif

pid	process
1492	Missions.pif

description	pid	process
Token: SeDebugPrivilege	2656	tasklist.exe
Token: SeDebugPrivilege	2752	tasklist.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.execmd.exeMissions.pif

description	pid	process	target process
PID 2204 wrote to memory of 2984	2204	bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe	cmd.exe
PID 2204 wrote to memory of 2984	2204	bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe	cmd.exe
PID 2204 wrote to memory of 2984	2204	bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe	cmd.exe
PID 2204 wrote to memory of 2984	2204	bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe	cmd.exe
PID 2984 wrote to memory of 2656	2984	cmd.exe	tasklist.exe
PID 2984 wrote to memory of 2656	2984	cmd.exe	tasklist.exe
PID 2984 wrote to memory of 2656	2984	cmd.exe	tasklist.exe
PID 2984 wrote to memory of 2656	2984	cmd.exe	tasklist.exe
PID 2984 wrote to memory of 2796	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2796	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2796	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2796	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2752	2984	cmd.exe	tasklist.exe
PID 2984 wrote to memory of 2752	2984	cmd.exe	tasklist.exe
PID 2984 wrote to memory of 2752	2984	cmd.exe	tasklist.exe
PID 2984 wrote to memory of 2752	2984	cmd.exe	tasklist.exe
PID 2984 wrote to memory of 2728	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2728	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2728	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2728	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2564	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2564	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2564	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2564	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2600	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2600	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2600	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2600	2984	cmd.exe	findstr.exe
PID 2984 wrote to memory of 2456	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2456	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2456	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2456	2984	cmd.exe	cmd.exe
PID 2984 wrote to memory of 2596	2984	cmd.exe	Missions.pif
PID 2984 wrote to memory of 2596	2984	cmd.exe	Missions.pif
PID 2984 wrote to memory of 2596	2984	cmd.exe	Missions.pif
PID 2984 wrote to memory of 2596	2984	cmd.exe	Missions.pif
PID 2984 wrote to memory of 1992	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 1992	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 1992	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 1992	2984	cmd.exe	PING.EXE
PID 2596 wrote to memory of 1492	2596	Missions.pif	Missions.pif
PID 2596 wrote to memory of 1492	2596	Missions.pif	Missions.pif
PID 2596 wrote to memory of 1492	2596	Missions.pif	Missions.pif
PID 2596 wrote to memory of 1492	2596	Missions.pif	Missions.pif
PID 2596 wrote to memory of 1492	2596	Missions.pif	Missions.pif
PID 2596 wrote to memory of 1492	2596	Missions.pif	Missions.pif

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Users\Admin\AppData\Local\Temp\bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe
"C:\Users\Admin\AppData\Local\Temp\bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Guests Guests.cmd & Guests.cmd & exit
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:2796

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c md 330233
4⤵
PID:2564

C:\Windows\SysWOW64\findstr.exe
findstr /V "MENTIONEDTITTENSISTERSRECIPIENTS" Highly
4⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Floor + Geology + Sparc + Rid 330233\w
4⤵
PID:2456

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330233\Missions.pif
330233\Missions.pif 330233\w
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:1992

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330233\Missions.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330233\Missions.pif"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330233\w
Filesize
219KB

MD5
535c2c499dd74bd24c0d1c9893a3d8c6

SHA1
fee0787bddfa728c09d5d809742fa8d48ba94796

SHA256
e77fd5af744ba3589343ec6cacfc3276b54364eb95d3677811a49d07ad79d620

SHA512
bec422a8213b3105f6b0919e863fb65c9dad33b2bf0fa7d5dfe50df71085fce0d96f98525ae29575a1d75672b75bfed5f2cb3407af9fa07582d49e8629b4c084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Beastality
Filesize
188KB

MD5
75426c58effb683f1477bfd2236f3fc4

SHA1
3e1ac50077711f666cf9631231b9461b430d045b

SHA256
b62492b117cd03ee096c268480844b779eab66c196a483b4edcff1e97e4269f4

SHA512
7f90f6bab8b243e0ab2ffc823e95c6ab53f12d4dade4bd794276ef93daaefc8ae0869c19df8eaae2ec6d0990481813273d165b7d6223d137f4b1f49dbed4759f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Biographies
Filesize
66KB

MD5
e8061ec633d131b3112649a65ab06bc6

SHA1
36197468345f931477c4090803d3a00a94e026b8

SHA256
f8495ee4f9102351094e1d658490fcd378893ab15da351d12e718084bf856fc3

SHA512
1545a598be907876e3b61fbc016686dc02ce9fc81f3d46bb0d9007233076ab6686da7fc47db65e8373971c9e9b7a924d10870435699b3f46800775113d186efc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Entirely
Filesize
41KB

MD5
39c2b02c1687db734cca8521eef23bc2

SHA1
383b22037bf678a58d672ea14d19d29c931dc2fd

SHA256
7755cad75efae7254f197a571c47cac43b711b096161017d1d3da6e1f97c37cc

SHA512
fb7fe3ff3a18c3ae7e9763e4a031d05413a325e87e64a2ef10d815ccde40391e43bc9c66c361f718d409ccb3ee8f0ede8c4ab4a6376f13b9a727dfca72a51890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ext
Filesize
124KB

MD5
d9be48527defaba81c8c0cab9bef2522

SHA1
38af8ce2c0cf557e141f4bb4059e2f66aa2ac103

SHA256
b33ca98e10854ebe6455d4c8470ed011695cc8c9021828a0c93e3783b0db5e3c

SHA512
a31da5e9c56ffd9bd29f268deead77d13db4146b096750bd2eed7c21b48928b9c3b6c1924d52d965e43c4e0f80a034f21fdde42fed681199c89e3d406e1c6495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Floor
Filesize
49KB

MD5
e9a5ae2b9a69846e46db47be63fcaa6a

SHA1
7465504be0a9a21398a4939f014f6529eaac73c3

SHA256
3a8803b1ecaf0c32439565f69df4f36b6bbf6b6286cbfc0b30ee9ad1ef66f956

SHA512
06c52f9ea2f6bb49e4726b16be255b53922ab6f09ad4ad501878c42f5f2d0c0f5048310f0f17e2d37107548791117c8fc79785b324d9c86c70a760631f5b65d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Geology
Filesize
102KB

MD5
0db80d367c5e106859d0cfa7910c7f51

SHA1
3f6041e2af43736c814c7541ec88ab1ea9a5b847

SHA256
45500971eb69ea4117a2c153b0b557470fe03f91f08d2955da4198c5dece806c

SHA512
1eeb75064bce78fd35191ab5316e4d6ba4642da857326a017b45dbec2f8ca3b4049cd82b360228c8e4d61e68dfc4cbb729906a87db28a5a9e2cc914800e785e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Guests
Filesize
26KB

MD5
ae3a28ef1b26c1885df771b52a984194

SHA1
94c3e3518af42815e3104ce2c618adf1c72d8f4d

SHA256
8328b6487a7ae71001723df6ed2e35451a10ec082353f2296a963ed237ddc766

SHA512
783320c000cd61e8607602e313231ca357ec971024a9cbc8e6a69d421363dea699598fa9b49458716a205a6de64d51099314610ef4ed14f3c9e015574c76548b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Highly
Filesize
159B

MD5
1c6e7e49d74fc25189ab1a6b1831d380

SHA1
9062ae746adfe399794a2f46ebdb6b3b9058b7d8

SHA256
a9de3a073a4a9b143d188370760c112700e4e4df9636315053d1ddd492984eee

SHA512
bc96506b6e32bce560ef13a31ebee0a995ba65189d979536fa36b3fcb4cb86a42b985f35d6abf741583cfb4f71bbc4f6e389d399e2a540437666e5fd5451d1c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Introduction
Filesize
61KB

MD5
21a606a612099e9ef8508289e5cab437

SHA1
9a7cd55cce1fe388151a0f3e081626b52811a9c6

SHA256
b9fcc355124cf305bbcba68d3e39850d2a44ff31d70fe3b737558a673df26ec7

SHA512
f8f5cd955bf59d58e9ca1178f0cda0360036d4747988daf7fa9c71c2517623f4523d8eca0a21c9c0606c6883a13fb2c17e3dde500cfcf3ba45799be35e16dcfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Logging
Filesize
120KB

MD5
3a287253d0f8df29c2aa4637aeaad1cb

SHA1
bf2c07119fa6d96e8077419d28828f00cf8a87fb

SHA256
d96bee12829a06fe93c01736057da0b38b5374d050501e74054718b1d02e0e55

SHA512
2ec8fff9160a819fad0f75decbcdcfc1e81d90a3d9446a5777b5f35785b3a00866bb2ec29b5431b5816516cd2ff55f3056662e74c578f6f58be09ed5f1113b82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Msn
Filesize
184KB

MD5
b94c77a9879bb478a8b4d29ee754f88d

SHA1
ef1b2892a64c5a8ce613d7cd64cca415b15db939

SHA256
32c6fd2a1499f0dc8f50731a6e3324126f048ad7d7d363ffec4f6bb0b5fda1a9

SHA512
5014ea4346ff13583f38a6a49058210d062b25fef8ebadbd300cce6dc6fb07bc8399427d38a9939b345034dc6284fd9f10c64e94d275f3b66a7bc8ca320c163c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rid
Filesize
42KB

MD5
403ea3b6f734f8d7408a7329e1777f48

SHA1
43e65e6671cb240bc1bfe9545a3f5ad621c8b3ab

SHA256
ff302d835c5f3edecf2fd3fdaeaf35bd8cec11e01d06700fcd06a2316b0ea6fd

SHA512
bc6f589fbd237a9343a6cf7273861389c4561b2ebe8e7d3c15f9eb1b1a3b103fba443d32be54571de5efafd94af5c6dc3a1aa19a027732d5b6bba000e9b3a7a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sparc
Filesize
26KB

MD5
3c93696cba68e73debd3baac6f2121cb

SHA1
35c77f349e553c8b292b2becab119c9d76a37097

SHA256
19c6e4660f57f2825ca14d58aa64b5adb64e6e117174f5a158b230478503400e

SHA512
f969291d65bd1263b55d83b3d26f4f7755a287e4e375974e2410fef2e1a9178bedd550396caf5c2649c15d0573ca996cc85ba0ee34306b1bf2a7c20a6fff792c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Trends
Filesize
88KB

MD5
03819d2f08399741f630bfe70b1844f3

SHA1
6bf125d8ad1116ef3b078595014d50a0ab871f25

SHA256
461191fae853d1ce06b22c10ca8df5a304d357fd0bf7c6e3a7931dc446652f5f

SHA512
9868bdb1ca0540b34601c026a5bd4b039632d241572351ecae9bb6b068bf91e3f269f191a6d17d4952600897f0bdf7490274169372a12750404bc66cea067d58

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\330233\Missions.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
memory/1192-58-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download