smokeloader | 37419d3a8a50d2e5bc0eef676a37d6757ba43a64eff868edb4af5c386900235f

General

Target

37419d3a8a50d2e5bc0eef676a37d6757ba43a64eff868edb4af5c386900235f.exe
Size

248KB
MD5

1f243595efaa54f6c37a089ec7847c6d
SHA1

83eb38d9f85bdcf12cb781fad34ceb1e31b34b5a
SHA256

37419d3a8a50d2e5bc0eef676a37d6757ba43a64eff868edb4af5c386900235f
SHA512

58e936e2c5b44a489c75494102228d11d6aa6d3e26e687f20923437c1d44b2e9af5533e3ea53c178c2bc70d656f913158dbc0f5cd8cdc7a3738cba8ad6cbff55
SSDEEP

3072:IDGh7pXYLE2d5+8XTQhtetONYWO9jfBU393KySv53brCTxI:RpXYLEcfXT3hRfG3kyevCFI

Score

10^/10

smokeloader backdoor credential_access discovery persistence privilege_escalation stealer trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	7zFM.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
396	7zG.exe
236	rundll32.exe
1060	7zFM.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	2996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2996	AUDIODG.EXE
Token: 33	2996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2996	AUDIODG.EXE
Token: SeRestorePrivilege	396	7zG.exe
Token: 35	396	7zG.exe
Token: SeSecurityPrivilege	396	7zG.exe
Token: SeSecurityPrivilege	396	7zG.exe
Token: SeRestorePrivilege	1060	7zFM.exe
Token: 35	1060	7zFM.exe
Token: SeRestorePrivilege	1156	7zG.exe
Token: 35	1156	7zG.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
396	7zG.exe
1652	osk.exe
1060	7zFM.exe
1060	7zFM.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1652	1088	utilman.exe	41
PID 1088 wrote to memory of 1652	1088	utilman.exe	41
PID 1088 wrote to memory of 1652	1088	utilman.exe	41
PID 1060 wrote to memory of 1156	1060	7zFM.exe	43
PID 1060 wrote to memory of 1156	1060	7zFM.exe	43
PID 1060 wrote to memory of 1156	1060	7zFM.exe	43

C:\Users\Admin\AppData\Local\Temp\37419d3a8a50d2e5bc0eef676a37d6757ba43a64eff868edb4af5c386900235f.exe
"C:\Users\Admin\AppData\Local\Temp\37419d3a8a50d2e5bc0eef676a37d6757ba43a64eff868edb4af5c386900235f.exe"
1⤵
PID:2592

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap4262:32:7zEvent5868 -t7z -sae -- "C:\Users\Admin.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:396

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin.7z
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:236

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
PID:1084

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1652

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap24002:38:7zEvent14570 -ad -saa -- "C:\Users\Admin_2"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Windows Credential Manager

1

T1555.004

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-10-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/2592-1-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/2592-2-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2592-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2592-5-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2592-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2592-4-0x0000000000400000-0x0000000000826000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing