smokeloader | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

General

Target

241105-dtxrgatbpg_pw_infected.zip
Size

132.7MB
MD5

136b5aad00be845ec166ae8f6343b335
SHA1

e51860dfb734c9715b6c9b74d9c582abe03ca90c
SHA256

38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
SHA512

ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42
SSDEEP

3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz

Score

10^/10

smokeloader backdoor discovery execution trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader

Executes dropped EXE 4 IoCs

Processes:

0di3x.exef28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exef28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exef28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

pid	process
2792	0di3x.exe
2776	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
1540	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
812	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

Loads dropped DLL 1 IoCs

Processes:

0di3x.exe

pid process

2792 0di3x.exe

Drops file in Windows directory 3 IoCs

Processes:

f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exef28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exef28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

description	ioc	process
File opened for modification	C:\Windows\notepad.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
File opened for modification	C:\Windows\notepad.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
File opened for modification	C:\Windows\notepad.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4044 2792 WerFault.exe 0di3x.exe

pid	pid_target	process	target process
4044	2792	WerFault.exe	0di3x.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exef28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exef28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe0di3x.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0di3x.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0di3x.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0di3x.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0di3x.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0di3x.exe

Modifies registry class 1 IoCs

Processes:

7zFM.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings 7zFM.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

7zFM.exe

pid process

1716 7zFM.exe
1716 7zFM.exe
1716 7zFM.exe
1716 7zFM.exe
1716 7zFM.exe
1716 7zFM.exe
1716 7zFM.exe
1716 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1716 7zFM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	7zFM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

7zFM.exe

description	pid	process
Token: SeRestorePrivilege	1716	7zFM.exe
Token: 35	1716	7zFM.exe
Token: SeSecurityPrivilege	1716	7zFM.exe
Token: SeSecurityPrivilege	1716	7zFM.exe
Token: SeSecurityPrivilege	1716	7zFM.exe
Token: SeSecurityPrivilege	1716	7zFM.exe
Token: SeSecurityPrivilege	1716	7zFM.exe
Token: SeSecurityPrivilege	1716	7zFM.exe
Token: SeSecurityPrivilege	1716	7zFM.exe
Token: SeSecurityPrivilege	1716	7zFM.exe
Token: SeSecurityPrivilege	1716	7zFM.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

7zFM.exe

pid	process
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe
1716	7zFM.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exef28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exef28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

pid	process
2776	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
1540	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
812	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7zFM.exe

description	pid	process	target process
PID 1716 wrote to memory of 2792	1716	7zFM.exe	0di3x.exe
PID 1716 wrote to memory of 2792	1716	7zFM.exe	0di3x.exe
PID 1716 wrote to memory of 2792	1716	7zFM.exe	0di3x.exe
PID 1716 wrote to memory of 1400	1716	7zFM.exe	WScript.exe
PID 1716 wrote to memory of 1400	1716	7zFM.exe	WScript.exe
PID 1716 wrote to memory of 2776	1716	7zFM.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
PID 1716 wrote to memory of 2776	1716	7zFM.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
PID 1716 wrote to memory of 2776	1716	7zFM.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
PID 1716 wrote to memory of 1540	1716	7zFM.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
PID 1716 wrote to memory of 1540	1716	7zFM.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
PID 1716 wrote to memory of 1540	1716	7zFM.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
PID 1716 wrote to memory of 812	1716	7zFM.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
PID 1716 wrote to memory of 812	1716	7zFM.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
PID 1716 wrote to memory of 812	1716	7zFM.exe	f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241105-dtxrgatbpg_pw_infected.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\7zO4B6FB5CA\0di3x.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B6FB5CA\0di3x.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  PID:2792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 392
    3⤵
    - Program crash
    PID:4044
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zO4B6567EA\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js"
  2⤵
  PID:1400
- C:\Users\Admin\AppData\Local\Temp\7zO4B697C0B\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B697C0B\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\7zO4B6FA83B\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B6FA83B\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\7zO4B68B0AC\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B68B0AC\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2792 -ip 2792
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2F6.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4B6567EA\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js

Filesize
920KB

MD5
4339e3b6d6cf2603cc780e8e032e82f6

SHA1
195c244a037815ec13d469e3b28e62a0e10bed56

SHA256
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4

SHA512
a87c47c998f667eb8ac280f4e6dc3df182d721c44267c68ee042c17e8168115e38f2e1d59c6928ca595bb93b3bfd112cbd7bffb0ee6ff8ca81f469056f26ff87

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4B697C0B\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

Filesize
248KB

MD5
8b273f919ea075cff8c652c51a301bbb

SHA1
917baa65532900d1dbd0a3925a898ecf0b4cd569

SHA256
f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a

SHA512
b71c4aa7259535889126742045c820f703a5a9caa49b8496620d4566da22f65706e7e617d34ac08e741d96da0f98e617daac2ca02882ab887a4f98fe432d699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4B6FB5CA\0di3x.exe

Filesize
111KB

MD5
bd97f762750d0e38e38d5e8f7363f66a

SHA1
9ae3d7053246289ff908758f9d60d79586f7fc9f

SHA256
d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158

SHA512
d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39

Download Submit
memory/2792-10-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2792-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-16-0x0000000000400000-0x0000000002FA6000-memory.dmp

Filesize
43.6MB

Download
memory/2792-17-0x0000000000400000-0x0000000002FA6000-memory.dmp

Filesize
43.6MB

Download
memory/2792-18-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads