smokeloader | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
130s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe
Size

269KB
MD5

7ec5ca4d34f4e800463edf4efb264e9f
SHA1

ff0a96b1b3e5f28a9fd9a288c5f6f65e1b1f26fa
SHA256

db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc
SHA512

419570d3ff5e58ef4d2fceaeb9ea2135d5b6e9835cc74bdedd0e9690fe7f5182db53fd5a0aad174ad2a8dd7a3a8bbd83e925fdae522cff8b89977818a04eab3d
SSDEEP

3072:bQTHC0ctZI6461YHBe6Itf1/iTY6ce6pn++RcNLkBHgDK6gpRnUuEeAg0FujDFzP:bQFctlMQMY6Vo++E0R6gFAOp9Z+g35

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe

description	pid	process	target process
PID 2540 set thread context of 1948	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1220 2540 WerFault.exe db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe

pid	pid_target	process	target process
1220	2540	WerFault.exe	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe

description	pid	process	target process
PID 2540 wrote to memory of 624	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe
PID 2540 wrote to memory of 624	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe
PID 2540 wrote to memory of 624	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe
PID 2540 wrote to memory of 1744	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe
PID 2540 wrote to memory of 1744	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe
PID 2540 wrote to memory of 1744	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe
PID 2540 wrote to memory of 1948	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe
PID 2540 wrote to memory of 1948	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe
PID 2540 wrote to memory of 1948	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe
PID 2540 wrote to memory of 1948	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe
PID 2540 wrote to memory of 1948	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe
PID 2540 wrote to memory of 1948	2540	db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe
"C:\Users\Admin\AppData\Local\Temp\db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Checks SCSI registry key(s)
  PID:1948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 252
  2⤵
  - Program crash
  PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2540 -ip 2540
1⤵
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1948-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1948-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1948-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download