smokeloader | bd2aa867c518317f44672fde38ad46f05a12ccc8a90e9db3cd71a3589044b93d

Analysis

max time kernel
95s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ebb73bc0229e738f770ab5cf7cbb96ba0bb0069.exe
Size

222KB
MD5

19ef8e6702959d3d326bdf7e2ffce2eb
SHA1

1ebb73bc0229e738f770ab5cf7cbb96ba0bb0069
SHA256

bd2aa867c518317f44672fde38ad46f05a12ccc8a90e9db3cd71a3589044b93d
SHA512

2db4e14c3b066e85e5d735548a42509d2979ad119464f6256a8b5846dc7d1e1bd01a0596917d65df971a24ac773f1aca86d496a96d69d6a13f6ee393db18a983
SSDEEP

3072:xKnNR99Rq8Sv3UBLt7uwXB6Mx5c/w7zLRWEGewslPhsfmFN89e2K:xKX9/OEBLt1XBxUw7z1WERwe+mFN8It

Score

10^/10

smokeloader backdoor discovery trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3208	2660	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ebb73bc0229e738f770ab5cf7cbb96ba0bb0069.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ebb73bc0229e738f770ab5cf7cbb96ba0bb0069.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ebb73bc0229e738f770ab5cf7cbb96ba0bb0069.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ebb73bc0229e738f770ab5cf7cbb96ba0bb0069.exe

C:\Users\Admin\AppData\Local\Temp\1ebb73bc0229e738f770ab5cf7cbb96ba0bb0069.exe
"C:\Users\Admin\AppData\Local\Temp\1ebb73bc0229e738f770ab5cf7cbb96ba0bb0069.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
PID:2660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 352
  2⤵
  - Program crash
  PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2660 -ip 2660
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2660-1-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/2660-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2660-3-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2660-4-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2660-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download