smokeloader | 645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe
Size

741KB
MD5

211dd0cc3da148c5bc61389693fd284f
SHA1

75e6bd440e37240fee4bf7ae01109093490ac5a7
SHA256

645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe
SHA512

628bb927b5a85674ed1f762d4c42e8e9f55859cd626ab0f01b7d47ee4c74ff5775ceafc4a45864344d5dd13e588fe60b6a121b00dac79276689d0a9970d12e89
SSDEEP

12288:0CUIDSqmWYzAoweej5i03v54L/sYZf2J8weqNjpnB5CLMjHgGXyPGSifD:0amqmWYde1/4LiJleEd/IMjHxplr

Score

10^/10

smokeloader backdoor discovery trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe

Executes dropped EXE 2 IoCs

Processes:

Imposed.comImposed.com

pid process

932 Imposed.com
3044 Imposed.com
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

232 tasklist.exe
4984 tasklist.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Imposed.com

description pid process target process

PID 932 set thread context of 3044 932 Imposed.com Imposed.com
Drops file in Windows directory 1 IoCs

Processes:

645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe

description ioc process

File opened for modification C:\Windows\HeroesMistakes 645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
232	tasklist.exe
4984	tasklist.exe

description	pid	process	target process
PID 932 set thread context of 3044	932	Imposed.com	Imposed.com

description	ioc	process
File opened for modification	C:\Windows\HeroesMistakes	645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetasklist.exefindstr.execmd.exechoice.exeImposed.com645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exefindstr.exetasklist.exefindstr.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imposed.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Imposed.com

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Imposed.com
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Imposed.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Imposed.com

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Imposed.com

pid	process
932	Imposed.com
932	Imposed.com
932	Imposed.com
932	Imposed.com
932	Imposed.com
932	Imposed.com
932	Imposed.com
932	Imposed.com
932	Imposed.com
932	Imposed.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 232 tasklist.exe
Token: SeDebugPrivilege 4984 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Imposed.com

pid process

932 Imposed.com
932 Imposed.com
932 Imposed.com
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Imposed.com

pid process

932 Imposed.com
932 Imposed.com
932 Imposed.com

description	pid	process
Token: SeDebugPrivilege	232	tasklist.exe
Token: SeDebugPrivilege	4984	tasklist.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.execmd.exeImposed.com

description	pid	process	target process
PID 3140 wrote to memory of 4908	3140	645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe	cmd.exe
PID 3140 wrote to memory of 4908	3140	645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe	cmd.exe
PID 3140 wrote to memory of 4908	3140	645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe	cmd.exe
PID 4908 wrote to memory of 232	4908	cmd.exe	tasklist.exe
PID 4908 wrote to memory of 232	4908	cmd.exe	tasklist.exe
PID 4908 wrote to memory of 232	4908	cmd.exe	tasklist.exe
PID 4908 wrote to memory of 4068	4908	cmd.exe	findstr.exe
PID 4908 wrote to memory of 4068	4908	cmd.exe	findstr.exe
PID 4908 wrote to memory of 4068	4908	cmd.exe	findstr.exe
PID 4908 wrote to memory of 4984	4908	cmd.exe	tasklist.exe
PID 4908 wrote to memory of 4984	4908	cmd.exe	tasklist.exe
PID 4908 wrote to memory of 4984	4908	cmd.exe	tasklist.exe
PID 4908 wrote to memory of 1204	4908	cmd.exe	findstr.exe
PID 4908 wrote to memory of 1204	4908	cmd.exe	findstr.exe
PID 4908 wrote to memory of 1204	4908	cmd.exe	findstr.exe
PID 4908 wrote to memory of 2008	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 2008	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 2008	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 3284	4908	cmd.exe	findstr.exe
PID 4908 wrote to memory of 3284	4908	cmd.exe	findstr.exe
PID 4908 wrote to memory of 3284	4908	cmd.exe	findstr.exe
PID 4908 wrote to memory of 1888	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 1888	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 1888	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 932	4908	cmd.exe	Imposed.com
PID 4908 wrote to memory of 932	4908	cmd.exe	Imposed.com
PID 4908 wrote to memory of 932	4908	cmd.exe	Imposed.com
PID 4908 wrote to memory of 2628	4908	cmd.exe	choice.exe
PID 4908 wrote to memory of 2628	4908	cmd.exe	choice.exe
PID 4908 wrote to memory of 2628	4908	cmd.exe	choice.exe
PID 932 wrote to memory of 3044	932	Imposed.com	Imposed.com
PID 932 wrote to memory of 3044	932	Imposed.com	Imposed.com
PID 932 wrote to memory of 3044	932	Imposed.com	Imposed.com
PID 932 wrote to memory of 3044	932	Imposed.com	Imposed.com
PID 932 wrote to memory of 3044	932	Imposed.com	Imposed.com

C:\Users\Admin\AppData\Local\Temp\645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe
"C:\Users\Admin\AppData\Local\Temp\645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Frequently Frequently.cmd & Frequently.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4068
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 390641
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2008
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "ConventionTroopsStudiedTooth" Version
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Accessing + ..\Entire + ..\Peripherals + ..\Et B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\390641\Imposed.com
    Imposed.com B
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\390641\Imposed.com
      C:\Users\Admin\AppData\Local\Temp\390641\Imposed.com
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:3044
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\390641\B

Filesize
224KB

MD5
6aaa6156bca65c60437b9dcf21a8566e

SHA1
74c4917b5006a2af825ed9e9d3bdaff7884aa11c

SHA256
fe153e9df223598b0c2bba4c345b9680b52e1e5b1f7574d649e6af6f9d08be05

SHA512
02f8a158815b29cfbad62403b5177ea5e073d84103e640441d901e12b2fbc4f2cd113924d2b06b09cf045c99b58a5527f2c68e6a664d8015f646672c11567199

Download Submit
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\Accessing

Filesize
52KB

MD5
0487661a3be3e516ecf90432e0f1a65b

SHA1
548f56668cdfde2d71e714cd4e12e3a1419dfc31

SHA256
1dbfc503087ed424d8befd455c6554ba03aa4c4c5e77f7b388dc412b6a99a70e

SHA512
7f9027e567876bae2302652a2d63b457bc39f439ec6cd4d7d170423c5f27aa5b0479113b7d8c436cbc08ac76450b0e56c2d8dd42a219c7ad3dbbf693f935cf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blade

Filesize
919KB

MD5
c09756dea58e68a563c05c98f2ee5822

SHA1
90675ae3c1a7f575dee20ceee5cbf3d761aee432

SHA256
0d43333d98724395292ff88d573ad31c6ff65a0ec117e3a605b1009478f91ac8

SHA512
c5b0bff60c4b44f62e224a58dbd508efb20f1324c85c62de13134f909a1cfd63349402d7472940992b6447685fbb665fd28929dc6693a5f3f1222173a8c477c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Entire

Filesize
82KB

MD5
09d17ffb85794728c964c131c287c800

SHA1
a1d7a2dea5e0763de64fb28892786617d6340a86

SHA256
f913264e2aa6be78dae1261782f192ae4ef565439c5ad68a51c0397b33ee1475

SHA512
d174de399777b691443de3abff35dde5040d84ea06f252e86ec5b76bc2c02dc0c5c430f0ed9bab83a69e128a7cea989a1a24c6f579947e448db1cc393838b1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Et

Filesize
32KB

MD5
0e9173e00715288b2d6b61407a5a9154

SHA1
c7ba999483382f3c3aba56a4799113e43c3428d5

SHA256
aa4685667dd6031db9c85e93a83679051d02da5a396a1ad2ef41c0bdf91baf66

SHA512
bb13d5de52ea0a0178f8474fceb7e9fc2d633baceacb4e057b976cac9131152076544891d0959fa22fe293eeee942ae0f6a2fdd3d3a4c050a39549baa2cb5ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Frequently

Filesize
8KB

MD5
283c7e0a2d03ff8afe11a62e1869f2e5

SHA1
235da34690349f1c33cba69e77ead2b19e08dbc9

SHA256
38582d3231748a788012e4c27a5ac0f54f9cb0467d60ecc247a31ea165edeef9

SHA512
b9ba42910d150ce9e07542a501c4134fb668f9b4af70db1ed8fa402066c8fb5025cf4bb29abd91c877571361e71c582e1e7c5350b28c7bda18d6bf184e85273e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Peripherals

Filesize
58KB

MD5
6337b4a0ef79ecfc7a0e70beea5d5b5b

SHA1
904aaf86b183865a6337be71971148e4ef55d548

SHA256
024ad40c289bfdbea25aa7c319381595c700e6e9e92a951bc2e5df8a21382630

SHA512
9b88533915190062002702b2b632e648a94f086b987040d3f22f1bc718a2e58fbcb6d85a9ad17c8ee34018364cd9486d52bef91d645cfc3608aa3b592fca6b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Version

Filesize
1KB

MD5
51c0f6eff2d7e54810b653329e530404

SHA1
52aef28dab5ba3202341fe2a34f64744f268b991

SHA256
a8f5d7c5caed37fa9f6dc432c1f854f32564d6cf0fec70f4bede96ba4df4dcdd

SHA512
ae804726dabe115186e5ccaf7827912b48517a8a4dea8bafa2d35286bc60cb1203cbe71b6936cc269bfa82c7037bacd79d9dbb586e49909fcb1d84e99e6f3fe7

Download Submit
memory/3044-214-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3044-215-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download