smokeloader | 1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exe
Size

227KB
MD5

31a0566dc46129543335b523e7336900
SHA1

dddeac01bd8afa707173d1a73e74707c766f16c6
SHA256

1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727
SHA512

06111add34f7fa9e1fc566442abcb8069b8525ff1eebb6dc58f8c166e9189f5e18d3e22522908e91456a0dafe7db960b590f833368511cad657e2b4baa4fe162
SSDEEP

3072:IuU8KLcZklCWZh+ramRHtLgmYT3sgehMjbr/4G2XKQGb3VqnF23MXX:wDc6CWKrBHtLNCJehMDc8zVWF23M

Score

10^/10

smokeloader pub2 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2022

http://movlat.com/tmp/

http://llcbc.org/tmp/

http://lindex24.ru/tmp/

http://qeqei.xyz/tmp/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3364
Executes dropped EXE 1 IoCs

Processes:

rsccdbv

pid process

520 rsccdbv

pid	process
3364

pid	process
520	rsccdbv

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rsccdbv1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsccdbv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsccdbv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsccdbv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exe

pid	process
1972	1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exe
1972	1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exe
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exersccdbv

pid process

1972 1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exe
520 rsccdbv
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727_NeikiAnalytics.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3732 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:3432

C:\Users\Admin\AppData\Roaming\rsccdbv
C:\Users\Admin\AppData\Roaming\rsccdbv
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rsccdbv
Filesize
227KB

MD5
31a0566dc46129543335b523e7336900

SHA1
dddeac01bd8afa707173d1a73e74707c766f16c6

SHA256
1ebdfc9620bd08105808d59cc890bbe5c9eb5c27d6167fc19a6fa50475ba6727

SHA512
06111add34f7fa9e1fc566442abcb8069b8525ff1eebb6dc58f8c166e9189f5e18d3e22522908e91456a0dafe7db960b590f833368511cad657e2b4baa4fe162

Download Submit
memory/520-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/520-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/520-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1972-1-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1972-2-0x00000000005D0000-0x00000000005DB000-memory.dmp

Filesize
44KB

Download
memory/1972-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1972-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1972-8-0x00000000005D0000-0x00000000005DB000-memory.dmp

Filesize
44KB

Download
memory/1972-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3364-4-0x0000000002900000-0x0000000002916000-memory.dmp

Filesize
88KB

Download
memory/3364-18-0x00000000026C0000-0x00000000026D6000-memory.dmp

Filesize
88KB

Download