smokeloader | 37419d3a8a50d2e5bc0eef676a37d6757ba43a64eff868edb4af5c386900235f

General

Target

37419d3a8a50d2e5bc0eef676a37d6757ba43a64eff868edb4af5c386900235f.exe
Size

248KB
MD5

1f243595efaa54f6c37a089ec7847c6d
SHA1

83eb38d9f85bdcf12cb781fad34ceb1e31b34b5a
SHA256

37419d3a8a50d2e5bc0eef676a37d6757ba43a64eff868edb4af5c386900235f
SHA512

58e936e2c5b44a489c75494102228d11d6aa6d3e26e687f20923437c1d44b2e9af5533e3ea53c178c2bc70d656f913158dbc0f5cd8cdc7a3738cba8ad6cbff55
SSDEEP

3072:IDGh7pXYLE2d5+8XTQhtetONYWO9jfBU393KySv53brCTxI:RpXYLEcfXT3hRfG3kyevCFI

Score

10^/10

smokeloader backdoor credential_access discovery persistence privilege_escalation stealer trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Drops file in Windows directory 1 IoCs

Processes:

7zFM.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico 7zFM.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

7zG.exerundll32.exe7zFM.exe

pid process

396 7zG.exe
236 rundll32.exe
1060 7zFM.exe

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	7zFM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

pid	process
396	7zG.exe
236	rundll32.exe
1060	7zFM.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

AUDIODG.EXE7zG.exe7zFM.exe7zG.exe

description	pid	process
Token: 33	2996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2996	AUDIODG.EXE
Token: 33	2996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2996	AUDIODG.EXE
Token: SeRestorePrivilege	396	7zG.exe
Token: 35	396	7zG.exe
Token: SeSecurityPrivilege	396	7zG.exe
Token: SeSecurityPrivilege	396	7zG.exe
Token: SeRestorePrivilege	1060	7zFM.exe
Token: 35	1060	7zFM.exe
Token: SeRestorePrivilege	1156	7zG.exe
Token: 35	1156	7zG.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zG.exeosk.exe7zFM.exe

pid process

396 7zG.exe
1652 osk.exe
1060 7zFM.exe
1060 7zFM.exe

pid	process
396	7zG.exe
1652	osk.exe
1060	7zFM.exe
1060	7zFM.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

osk.exe

pid	process
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe
1652	osk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

utilman.exe7zFM.exe

description	pid	process	target process
PID 1088 wrote to memory of 1652	1088	utilman.exe	osk.exe
PID 1088 wrote to memory of 1652	1088	utilman.exe	osk.exe
PID 1088 wrote to memory of 1652	1088	utilman.exe	osk.exe
PID 1060 wrote to memory of 1156	1060	7zFM.exe	7zG.exe
PID 1060 wrote to memory of 1156	1060	7zFM.exe	7zG.exe
PID 1060 wrote to memory of 1156	1060	7zFM.exe	7zG.exe

C:\Users\Admin\AppData\Local\Temp\37419d3a8a50d2e5bc0eef676a37d6757ba43a64eff868edb4af5c386900235f.exe
"C:\Users\Admin\AppData\Local\Temp\37419d3a8a50d2e5bc0eef676a37d6757ba43a64eff868edb4af5c386900235f.exe"
1⤵
PID:2592

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap4262:32:7zEvent5868 -t7z -sae -- "C:\Users\Admin.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:396

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin.7z
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:236

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
PID:1084

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1652

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap24002:38:7zEvent14570 -ad -saa -- "C:\Users\Admin_2"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Windows Credential Manager

1

T1555.004

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1652-10-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/2592-1-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/2592-2-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2592-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2592-5-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2592-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2592-4-0x0000000000400000-0x0000000000826000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads