smokeloader | 7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4

Analysis

max time kernel
300s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe
Size

235KB
MD5

87a07c22cc789c5541c350b72aa81ef4
SHA1

f77a9dd5f6c1de164006fc88b736ae10a3dd93d9
SHA256

7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4
SHA512

5177cc21e886f257bf17018d1dca69e2162a0fd06a237a36ab27c86f89db36f6df733884d20f388d00974506f75694075d0f525c78398a77a0d3abab5bbe4123
SSDEEP

3072:8MyAkioD0OHfQX07YafiSH+E5lC/Utll30fmLJuDv2q0Bf5gfv7T4TbHY:+TsOHfQk7vi0XtL0fmVuD2bgfvAT

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

1208

pid	process
1208

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe

pid	process
3048	7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe
3048	7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe

pid process

3048 7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1208

description	pid	process
Token: SeShutdownPrivilege	1208

C:\Users\Admin\AppData\Local\Temp\7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe
"C:\Users\Admin\AppData\Local\Temp\7eab666f0e02ccb8111c74f81d82ee65c4ed0b95107b752709a967a20d4e2ed4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-2-0x0000000002A00000-0x0000000002A16000-memory.dmp

Filesize
88KB

Download
memory/3048-1-0x0000000000400000-0x0000000002C9A000-memory.dmp

Filesize
40.6MB

Download
memory/3048-6-0x0000000000400000-0x0000000002C9A000-memory.dmp

Filesize
40.6MB

Download