smokeloader | 407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01

General

Target

407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe
Size

231KB
MD5

5fe2c454689339965cc76b3f474ba9f0
SHA1

132bb729590f7a9a202f5d827e1d88892cb80a75
SHA256

407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01
SHA512

6ebdd3bfe198734651200ecd7536dad7029f258941e794df76b520074d18adcb268fe4b2f09e0c1addf86c28dc36a1b2c637df9aa48ae5780a47c25ac84a94c0
SSDEEP

3072:OU6lAynH4YpRdK66A0W+pmrs5qB6wCopAsJPrtnlVARkEjscM5xaTWvK12qcD:g+SFkI0WO3paPnluGEjscyxLvK12qc

Score

10^/10

smokeloader pub1 backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

pid process

3316
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

69 drive.google.com
70 drive.google.com

pid	process
3316

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

flow	ioc
69	drive.google.com
70	drive.google.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe

Modifies registry class 9 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{0AE673B2-927D-4053-AFE2-AE65D67F55B4}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe

pid	process
1776	407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe
1776	407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe

pid process

1776 407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	1404	explorer.exe
Token: SeCreatePagefilePrivilege	1404	explorer.exe
Token: SeShutdownPrivilege	1404	explorer.exe
Token: SeCreatePagefilePrivilege	1404	explorer.exe
Token: SeShutdownPrivilege	1404	explorer.exe
Token: SeCreatePagefilePrivilege	1404	explorer.exe
Token: SeShutdownPrivilege	1404	explorer.exe
Token: SeCreatePagefilePrivilege	1404	explorer.exe
Token: SeShutdownPrivilege	1404	explorer.exe
Token: SeCreatePagefilePrivilege	1404	explorer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

explorer.exe

pid process

1404 explorer.exe
1404 explorer.exe
1404 explorer.exe
1404 explorer.exe
1404 explorer.exe
1404 explorer.exe
1404 explorer.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

explorer.exe

pid	process
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe
1404	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 3316 wrote to memory of 1580	3316		cmd.exe
PID 3316 wrote to memory of 1580	3316		cmd.exe
PID 1580 wrote to memory of 2964	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 2964	1580	cmd.exe	reg.exe
PID 3316 wrote to memory of 1564	3316		cmd.exe
PID 3316 wrote to memory of 1564	3316		cmd.exe
PID 1564 wrote to memory of 1484	1564	cmd.exe	reg.exe
PID 1564 wrote to memory of 1484	1564	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe
"C:\Users\Admin\AppData\Local\Temp\407ac7d39aabbcbfae43375189046de28909935415f9bdc55dcd376566364f01.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\849C.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9844.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:1484

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3144

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4060

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1112

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3876

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
8c5c6aee047c92e85a3d052e7cdbd790

SHA1
d4e95d361b13813a9932207f6c14e0ff053a9602

SHA256
ed30ccbd46a70c2633869dc0fe9bdb88c9d66326e62abb6c60d8938d2a83d72a

SHA512
2cc1d83a4fc1a4204e7b7ab6ebe51f04251c3b9941c8d8d8330e57d6c612413bd3399eecff2d7305a0e4dedeef6d514b6d97626fef4fb0320830ba2586fa530e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
489729b500502180e63e84b583b3f1c9

SHA1
94f3137f1cd1383793b0f8438c4a2449194ca65e

SHA256
c4d5ecd1ed49b1c6b415e5eb137ea52ac7d344192fc72d4315987b7be047480b

SHA512
5acfadc2abb8b84857f2ee72a3d58cb8bfe5749b410fa275d915aee44fdba34aaa44fe4ae06deff561aebc440949adc42528027696fb36fc22807539a1d43af6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
534751cb1aed8b6bb7a5d00f1280ae42

SHA1
388514d8b01a5fa7c56a6e2e1af337285208956b

SHA256
103530a13371600f6087450d5c8da7d30bd90ff1b37ff4b06594e0f3e62ced99

SHA512
3d20e07ac871f03a9cc3e6df615ced2ecd20f19aa898a4796987027300e3e18a6ec56cda202bcafd94a06c0ccbecad24953fa9aabe7751ebf6ab1acbcaaa5984

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml

Filesize
96B

MD5
84209e171da10686915fe7efcd51552d

SHA1
6bf96e86a533a68eba4d703833de374e18ce6113

SHA256
04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

SHA512
48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\849C.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
memory/1776-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1776-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1776-1-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/1776-2-0x00000000007A0000-0x00000000007AB000-memory.dmp

Filesize
44KB

Download
memory/1776-5-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/1776-8-0x00000000007A0000-0x00000000007AB000-memory.dmp

Filesize
44KB

Download
memory/3316-4-0x0000000002980000-0x0000000002996000-memory.dmp

Filesize
88KB

Download
memory/3316-24-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/3516-39-0x0000021F39620000-0x0000021F39640000-memory.dmp

Filesize
128KB

Download
memory/3516-70-0x0000021F399F0000-0x0000021F39A10000-memory.dmp

Filesize
128KB

Download
memory/3516-69-0x0000021F393E0000-0x0000021F39400000-memory.dmp

Filesize
128KB

Download
memory/3844-32-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3876-182-0x000002075CE00000-0x000002075CF00000-memory.dmp

Filesize
1024KB

Download
memory/3876-187-0x000002075DCD0000-0x000002075DCF0000-memory.dmp

Filesize
128KB

Download
memory/3876-210-0x000002075DC90000-0x000002075DCB0000-memory.dmp

Filesize
128KB

Download
memory/3876-219-0x000002075E2C0000-0x000002075E2E0000-memory.dmp

Filesize
128KB

Download
memory/4060-180-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads