smokeloader | 451a7cef5f5ef0c8b852538cfb1d7d5378aa4bd92df6ce95e3becb60bcd2485b

Analysis

max time kernel
90s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

451a7cef5f5ef0c8b852538cfb1d7d5378aa4bd92df6ce95e3becb60bcd2485b.exe
Size

240KB
MD5

4492f57cd1aa8f886b2b4dd659a1ab38
SHA1

167a38987de5adee7f7d9115b003f6d252af528e
SHA256

451a7cef5f5ef0c8b852538cfb1d7d5378aa4bd92df6ce95e3becb60bcd2485b
SHA512

e890723fa0353739421fa8b84815587a9cf90bce0e5ceed8dfe0fbbc21c59d3be260db6b7cc36e21821371f24a1f98fdfc3f20de9eb4aeecd9d00e6280f6520d
SSDEEP

6144:iBdoNR4Dwp5UlIzZ+J1iBE3BnieZE1eGADT:goNmDwpOSA1iBE3BD/

Score

10^/10

smokeloader pub2 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub2

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5012 3040 WerFault.exe 451a7cef5f5ef0c8b852538cfb1d7d5378aa4bd92df6ce95e3becb60bcd2485b.exe

pid	pid_target	process	target process
5012	3040	WerFault.exe	451a7cef5f5ef0c8b852538cfb1d7d5378aa4bd92df6ce95e3becb60bcd2485b.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

451a7cef5f5ef0c8b852538cfb1d7d5378aa4bd92df6ce95e3becb60bcd2485b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	451a7cef5f5ef0c8b852538cfb1d7d5378aa4bd92df6ce95e3becb60bcd2485b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	451a7cef5f5ef0c8b852538cfb1d7d5378aa4bd92df6ce95e3becb60bcd2485b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	451a7cef5f5ef0c8b852538cfb1d7d5378aa4bd92df6ce95e3becb60bcd2485b.exe

C:\Users\Admin\AppData\Local\Temp\451a7cef5f5ef0c8b852538cfb1d7d5378aa4bd92df6ce95e3becb60bcd2485b.exe
"C:\Users\Admin\AppData\Local\Temp\451a7cef5f5ef0c8b852538cfb1d7d5378aa4bd92df6ce95e3becb60bcd2485b.exe"
1⤵
- Checks SCSI registry key(s)
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 488
2⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3040 -ip 3040
1⤵
PID:4628

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3040-2-0x0000000004900000-0x000000000490B000-memory.dmp

Filesize
44KB

Download
memory/3040-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3040-1-0x0000000002D80000-0x0000000002E80000-memory.dmp

Filesize
1024KB

Download
memory/3040-4-0x0000000000400000-0x0000000002BF5000-memory.dmp

Filesize
40.0MB

Download