smokeloader | 1cd6d30ac1f36d9de8cbc4f38685aeed80628d47694cb9b199f455855202e7d9

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cd6d30ac1f36d9de8cbc4f38685aeed80628d47694cb9b199f455855202e7d9.exe
Size

267KB
MD5

57dcf9e07d0e1c811fa7d1386466d832
SHA1

6d5dee42935f4ecff0a10de2c8aacce3ec4f986f
SHA256

1cd6d30ac1f36d9de8cbc4f38685aeed80628d47694cb9b199f455855202e7d9
SHA512

9aa70a4bf250b4b8309ac170f6b8f7a56ade8c2ee8ac3c8785f49de02809e2612948aefd1e5557b0afab96926d914126386ac12a85c9f9788d4e6445849e6cd7
SSDEEP

6144:fhaKS7XKusTiWb8PtdWic0IKxIQ+17LWT:f0B6uVIExIna

Score

10^/10

smokeloader pub4 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2492	4444	WerFault.exe	83

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1cd6d30ac1f36d9de8cbc4f38685aeed80628d47694cb9b199f455855202e7d9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1cd6d30ac1f36d9de8cbc4f38685aeed80628d47694cb9b199f455855202e7d9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1cd6d30ac1f36d9de8cbc4f38685aeed80628d47694cb9b199f455855202e7d9.exe

C:\Users\Admin\AppData\Local\Temp\1cd6d30ac1f36d9de8cbc4f38685aeed80628d47694cb9b199f455855202e7d9.exe
"C:\Users\Admin\AppData\Local\Temp\1cd6d30ac1f36d9de8cbc4f38685aeed80628d47694cb9b199f455855202e7d9.exe"
1⤵
- Checks SCSI registry key(s)
PID:4444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 352
  2⤵
  - Program crash
  PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4444 -ip 4444
1⤵
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4444-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4444-1-0x0000000003050000-0x0000000003150000-memory.dmp

Filesize
1024KB

Download
memory/4444-3-0x0000000000400000-0x0000000002CA1000-memory.dmp

Filesize
40.6MB

Download
memory/4444-5-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download