smokeloader | 75edb521bbb0ae12b7c2c52fa6e3ed769f4e764e26b92ef2dc4d7cb78ed92fd9

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe
Size

270KB
MD5

7eeca2cbaccbd7eb357bfa4f623fbf97
SHA1

67c43af2316b5b307922d952a0e48680b8270802
SHA256

0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2
SHA512

e986d779f9bc7de5c627e487ad3fa87921b2b404a25e2eec6cb85d2e7cac73660c354e0ebcb134a03fb809e8054f2f20538160343f53c315f620a8f5cbf5f401
SSDEEP

3072:VJGkimM7usspGahWcy23rT1YCj2AFnKFCWWCMLfCpBJqs6uRtNeAg0FujCn8odDh:PapK3RlYo26KFCW8m3JqxAOO8+SVT

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3988 set thread context of 1684	3988	0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4408	3988	WerFault.exe	82

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 1684	3988	0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe	83
PID 3988 wrote to memory of 1684	3988	0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe	83
PID 3988 wrote to memory of 1684	3988	0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe	83
PID 3988 wrote to memory of 1684	3988	0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe	83
PID 3988 wrote to memory of 1684	3988	0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe	83
PID 3988 wrote to memory of 1684	3988	0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe	83

C:\Users\Admin\AppData\Local\Temp\0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe
"C:\Users\Admin\AppData\Local\Temp\0fd60696a37853b9112e009b88f4a66eb9d6f837b4b77cfe28e58110267409b2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Checks SCSI registry key(s)
  PID:1684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 416
  2⤵
  - Program crash
  PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3988 -ip 3988
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1684-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download