smokeloader | cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548

Analysis

max time kernel
134s
max time network
287s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-05-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548.exe
Size

651KB
MD5

292883544ecb6516789ac22f40fb3fb2
SHA1

29dd18c9388ff86eed94d6b75716b2600df5e280
SHA256

cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548
SHA512

08313e51d65175a7c93bf81da3b568bec104b610aedab69e2bc49cbc3bad46838e559846e879a0e9965531a4d5704fb492f01ffc70172b9a261c54fff314000b
SSDEEP

12288:fXi+JKgD3+EB4yuBnJvI+aXM8Kz13SjZIBa0deoPdoYn9clL1:fXi+hj4y+JSMBz1CjD0d56jd1

Score

10^/10

smokeloader pub3 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Edt.pif

description pid process target process

PID 4192 created 2808 4192 Edt.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Edt.pifEdt.pif

pid process

4192 Edt.pif
3236 Edt.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Edt.pif

description pid process target process

PID 4192 set thread context of 3236 4192 Edt.pif Edt.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4192 created 2808	4192	Edt.pif	Explorer.EXE

pid	process
4192	Edt.pif
3236	Edt.pif

description	pid	process	target process
PID 4192 set thread context of 3236	4192	Edt.pif	Edt.pif

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Edt.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Edt.pif
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Edt.pif
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Edt.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4468 tasklist.exe
2076 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1880 PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Edt.pif

pid process

4192 Edt.pif
4192 Edt.pif
4192 Edt.pif
4192 Edt.pif
4192 Edt.pif
4192 Edt.pif
4192 Edt.pif
4192 Edt.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 4468 tasklist.exe
Token: SeDebugPrivilege 2076 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Edt.pif

pid process

4192 Edt.pif
4192 Edt.pif
4192 Edt.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Edt.pif

pid process

4192 Edt.pif
4192 Edt.pif
4192 Edt.pif

pid	process
4468	tasklist.exe
2076	tasklist.exe

pid	process
1880	PING.EXE

pid	process
4192	Edt.pif
4192	Edt.pif
4192	Edt.pif
4192	Edt.pif
4192	Edt.pif
4192	Edt.pif
4192	Edt.pif
4192	Edt.pif

description	pid	process
Token: SeDebugPrivilege	4468	tasklist.exe
Token: SeDebugPrivilege	2076	tasklist.exe

pid	process
4192	Edt.pif
4192	Edt.pif
4192	Edt.pif

pid	process
4192	Edt.pif
4192	Edt.pif
4192	Edt.pif

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548.execmd.exeEdt.pif

description	pid	process	target process
PID 5044 wrote to memory of 4692	5044	cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548.exe	cmd.exe
PID 5044 wrote to memory of 4692	5044	cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548.exe	cmd.exe
PID 5044 wrote to memory of 4692	5044	cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548.exe	cmd.exe
PID 4692 wrote to memory of 4468	4692	cmd.exe	tasklist.exe
PID 4692 wrote to memory of 4468	4692	cmd.exe	tasklist.exe
PID 4692 wrote to memory of 4468	4692	cmd.exe	tasklist.exe
PID 4692 wrote to memory of 3308	4692	cmd.exe	findstr.exe
PID 4692 wrote to memory of 3308	4692	cmd.exe	findstr.exe
PID 4692 wrote to memory of 3308	4692	cmd.exe	findstr.exe
PID 4692 wrote to memory of 2076	4692	cmd.exe	tasklist.exe
PID 4692 wrote to memory of 2076	4692	cmd.exe	tasklist.exe
PID 4692 wrote to memory of 2076	4692	cmd.exe	tasklist.exe
PID 4692 wrote to memory of 1680	4692	cmd.exe	findstr.exe
PID 4692 wrote to memory of 1680	4692	cmd.exe	findstr.exe
PID 4692 wrote to memory of 1680	4692	cmd.exe	findstr.exe
PID 4692 wrote to memory of 780	4692	cmd.exe	cmd.exe
PID 4692 wrote to memory of 780	4692	cmd.exe	cmd.exe
PID 4692 wrote to memory of 780	4692	cmd.exe	cmd.exe
PID 4692 wrote to memory of 2312	4692	cmd.exe	findstr.exe
PID 4692 wrote to memory of 2312	4692	cmd.exe	findstr.exe
PID 4692 wrote to memory of 2312	4692	cmd.exe	findstr.exe
PID 4692 wrote to memory of 3760	4692	cmd.exe	cmd.exe
PID 4692 wrote to memory of 3760	4692	cmd.exe	cmd.exe
PID 4692 wrote to memory of 3760	4692	cmd.exe	cmd.exe
PID 4692 wrote to memory of 4192	4692	cmd.exe	Edt.pif
PID 4692 wrote to memory of 4192	4692	cmd.exe	Edt.pif
PID 4692 wrote to memory of 4192	4692	cmd.exe	Edt.pif
PID 4692 wrote to memory of 1880	4692	cmd.exe	PING.EXE
PID 4692 wrote to memory of 1880	4692	cmd.exe	PING.EXE
PID 4692 wrote to memory of 1880	4692	cmd.exe	PING.EXE
PID 4192 wrote to memory of 3236	4192	Edt.pif	Edt.pif
PID 4192 wrote to memory of 3236	4192	Edt.pif	Edt.pif
PID 4192 wrote to memory of 3236	4192	Edt.pif	Edt.pif
PID 4192 wrote to memory of 3236	4192	Edt.pif	Edt.pif
PID 4192 wrote to memory of 3236	4192	Edt.pif	Edt.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548.exe
"C:\Users\Admin\AppData\Local\Temp\cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Thunder Thunder.cmd & Thunder.cmd & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:3308

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c md 22432
4⤵
PID:780

C:\Windows\SysWOW64\findstr.exe
findstr /V "DATINGHAPPENEDTOKYOCHICAGO" Zen
4⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Rain + Johnny + Its + Warrant 22432\i
4⤵
PID:3760

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22432\Edt.pif
22432\Edt.pif 22432\i
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:1880

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22432\Edt.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22432\Edt.pif
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3236

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22432\Edt.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22432\i
Filesize
201KB

MD5
5708e8f2c81ab33fd33465ccf6e62b00

SHA1
51e525c14907d02a1602329e4ed1e94cc808c275

SHA256
06b15e863b9677e358f4b2304f80237d89ef079720e4414db45da64b3de6e482

SHA512
03be1d1a5f76d418754adef92916d026f3884d0b02fd298dd8f412fe6151a92002509a3c040354516d54cfb9663dfa1f748d61f73f986461d5f48f314d5915b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Approval
Filesize
245KB

MD5
309fa7a25eb9f8fb80421abe1e098a0f

SHA1
a587fbaecef72c6f01e90ec1757f8fcf6c93e674

SHA256
580a21a85eb75e83d68f7d23f85b667cea33c2af3c4f26f2bd81cb57460c81c2

SHA512
b10df3ee30f9bc9a00eff9ded2cac4f91cadebdda00d3dd4ebaa130ede6f6aeb4abc5f03571c9c8ded0c97a3c60283662bac383de02896c3bead115f7d12ca39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cornwall
Filesize
63KB

MD5
b4ce1424373882862c38402b8fa4293f

SHA1
a1208bdde8ed47c40d14de07fd7f5132e7efe21d

SHA256
78b0982fa8183fce64fc4784d7ad03bd7fc8089132759a27587d0714c00c99b5

SHA512
f4cb465e5792f2e27ac5f8890c1a902ea35b11feeaa8ed07dc06cad38e0d6a0a240007ef9b0a6a30574f72e816f28e0500c870121bdbf0cd4a2848154a3e5b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Its
Filesize
30KB

MD5
8a6bf71b7a2bfbd99d55d309ad86801d

SHA1
a4ab1e830dca05abf7e9a32adbc659b5b882b8c0

SHA256
f3e58127e58956ca8fed35733fe24b9533c16783126cd769a87aa4bfe4d581dc

SHA512
b17c9f529ba2200d85fda2487554eb254baca5ab673de1a7a1b779b4c4c7af03f0c7c0afa9e6ee4e1847ab4c2e7be789228c774bd954932582ca3672748e02b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Johnny
Filesize
45KB

MD5
c632c5d348e62fde34e6d5c723302088

SHA1
ac96ea5309e71a7048e32713887435496f36c007

SHA256
136ba9c45a6c2041dbdff3ad1c76b7fe139edf6d15de93380d0ab2c537a2936b

SHA512
fc06f07e53b4c89faa37b93e3e5dbfc2068bcfaf8329151c8599f70622d02d4792b03390b78ec720358bf65c4d093e03ba860c83e32daf2613710084a3ddab79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rain
Filesize
65KB

MD5
7d510044cc60352568da4113704c1a1d

SHA1
10a95950ea6a8f011eb1a72c89944ca8d443ee78

SHA256
aa1aa1a05461ac61ec96ccefdf31309631f4957732bd7346dc41a705af70f669

SHA512
d628e1ea1f83cc0f0a2965ddb4b11bbe720f3c0ef9b996121296fd5045d2a23cf4832b55a21415ec26b5fac4a931ace1531d60ce8ec79fa19e64f9022e2c32f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sleeping
Filesize
229KB

MD5
db9791d42af7bdea2a0c4e25a3f576fe

SHA1
c9b9ffcc6bda3161f8e0f1f9627e6c61a9e7c70e

SHA256
eb846211ac7cadd57a088c2f15ce83ec5c071de94de0d54c97085aca53195cd3

SHA512
6c5b79d8ba8ae0a8ad9b66bae6861b5e53150abddad9ed54b9175d5a12a5a2a445fb7de94388a054d3560097b265b5b785e878bedba54684023b76412dd1c2c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Thunder
Filesize
24KB

MD5
6be69de1df914e7ae5216c7bc5ff1269

SHA1
cc315aec3b591651cf3c4a5bb0f51175ea96dda4

SHA256
feca2bd2079c5c5b3bb8c87f2eef9020e98957e113fa5431f6ed9c01e1ea9f3d

SHA512
c1344d9c530e2c453995fffc06768095c8ab15605c353e5ce06259b463e8ee743d75e56eba99b2b48672637de8a0b431c5d2b4559462e3097bfa1aba32c13f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tim
Filesize
248KB

MD5
39ba71e4b05f4a469299e24b646a549a

SHA1
2751f434e4c7c89b33fc644e3c329e37e2d979ff

SHA256
b73a94a4c079f0a1ca5e774e2ec59d42506a5adb713a76a3ab458f8916481cc7

SHA512
19bcf3fc6fa1b54d84adc37dd89387c33c8af41491adb76c6bae5868cc19211a3997c629b315d6db0c74ac10b8e6fe1eafafe43d3bab788576289b758cbb572b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Warrant
Filesize
61KB

MD5
c478292445bda2b4e5c6d1ab188320fd

SHA1
cbda31144792a0f3286cf91c1420b58d6f28ce25

SHA256
2ac31510564c80349434f800c0f1e77300819c679893c652a7f7450cfcefae18

SHA512
08df6be89beb42026656e333884b22a81f15b605f9e2ae46dab54c25ef9d32d792ef40b5536ffa4457f49c29faeec4dba89372f1ce856943ce2c5530024a25a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wheat
Filesize
87KB

MD5
da888e1a14bd0d42f67aec0c6919954c

SHA1
3e8f0ba941471e1a534441ff6aefe48cb42bfd78

SHA256
a8da14cafb604cf276a6c53fc653f8f1118d4d82c37eabf9472908b9dc3280d0

SHA512
63fc99e0792b72cc4f7d0c07f027a50cdc2f5a17c74c704800e358dab8e7f82eed27f091ed7b452bae83c8578709e446795bc910748bd6962b217dd157d42298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Zen
Filesize
100B

MD5
c7b69074c06b5a3c50e198791110b59d

SHA1
79b0399e23ce2e4c57ab71f0405581e14649e55e

SHA256
573f8b52527b72cb7434d712e9df3a9d7c4b7fe73085807aa5ba299136683ffb

SHA512
41ec3584a9593bfeb1225fc55297d6c8de23a0a8aa9abf89dc7c3ce63f0d8708dcdebafd6846072ba1765941196ff3809d5f064af92e2b9ca78ff5414ea99fc2

Download Submit
memory/3236-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3236-41-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download