Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    24/09/2023, 23:10

General

  • Target

    dc509db042f9d1bb622de9688e17dab0970f9d929dd455f76448f156d400f537.exe

  • Size

    270KB

  • MD5

    6a7e1c0bd0e40e642260fa7ada53c951

  • SHA1

    834f367e66ede76aa0a3a43dfb95a4ccc4928f8a

  • SHA256

    dc509db042f9d1bb622de9688e17dab0970f9d929dd455f76448f156d400f537

  • SHA512

    533e9d427768ecd3fe0095d9bbd0ad5e1f7253faa16328a21d54720e75d90caae28a5ff69635f2a7f4d34110923ddb59c02d093395bd4b71e837447d05b8e83b

  • SSDEEP

    6144:IRzhrJ+j+5j68KsT6h/OCy5U9uAObAWmW4+/qw6:IRdN+j+5+RsqGGuOu4w6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detected google phishing page
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc509db042f9d1bb622de9688e17dab0970f9d929dd455f76448f156d400f537.exe
    "C:\Users\Admin\AppData\Local\Temp\dc509db042f9d1bb622de9688e17dab0970f9d929dd455f76448f156d400f537.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1216
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 212
      2⤵
      • Program crash
      PID:4136
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\93B0.bat" "
    1⤵
    • Checks computer location settings
    PID:3056
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5012
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4860
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1316
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2800
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1992
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:2088
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1668
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3352
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4528
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4932

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PZQ0K35H\edgecompatviewlist[1].xml

          Filesize

          74KB

          MD5

          d4fc49dc14f63895d997fa4940f24378

          SHA1

          3efb1437a7c5e46034147cbbc8db017c69d02c31

          SHA256

          853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

          SHA512

          cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\FVCOVYND\B8BxsscfVBr[1].ico

          Filesize

          1KB

          MD5

          e508eca3eafcc1fc2d7f19bafb29e06b

          SHA1

          a62fc3c2a027870d99aedc241e7d5babba9a891f

          SHA256

          e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a

          SHA512

          49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\JENLNLJU\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\D3NJ4I9T.cookie

          Filesize

          132B

          MD5

          ecb86b299755d476ad7872ffaba29fa1

          SHA1

          d9f769e46f55301531dc944fb7b1b27dea0ce69b

          SHA256

          6164030d265b580f79b4722e68b7c39a7ad2484d5d3b22acebb8810312a03973

          SHA512

          7acbecd28a9d32b3ae588d0a6bb0ec16168aaf7f57eb9e51ccfbfba37630a0c78beb714ef18626dd89fb61213cf83a737aaf57a31611dd4dc4bb174590065d03

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\XM47J50I.cookie

          Filesize

          132B

          MD5

          cbc7410e609c60027f56e0ddf020e68a

          SHA1

          8870d1963e2001201d3bb6e6ac1620141da737d1

          SHA256

          6a395071f727413d701e7f35ee1bc0c577e5b26bfcfdfcbf73959c05d8cd963b

          SHA512

          5ff30ff5acb2f5dba112ad274e33272861aaf5ac1e71289ac09d9a105d6b69b5aa8be92cc9ec475064d4823157dac0c3d2027bf607984d3246c61cb6bbd537fc

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          1KB

          MD5

          b5eda74305a01c41450e0d12777199e1

          SHA1

          36162e9e8c3a69b237d317f7c300f11927a37c12

          SHA256

          6e5c17b2b4e22fa800baa0eaf0b76ce73005e463b915503e8bca92223b9cf594

          SHA512

          f96b2ea451f4ceef082e1289a7f1e160580f5a8d515eaf2b4df0d8d818c34355c17538806f873fba07118b5c937d8c3172721ee03e3d16126e07c0db5faf16f3

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

          Filesize

          724B

          MD5

          ac89a852c2aaa3d389b2d2dd312ad367

          SHA1

          8f421dd6493c61dbda6b839e2debb7b50a20c930

          SHA256

          0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

          SHA512

          c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

          Filesize

          471B

          MD5

          3b7403306365b481a905b872a4a8fe8d

          SHA1

          848d8b54a1b0fa0f473fe13bbabcb7872c0a6067

          SHA256

          f7ffcd2b2deb0aafb5ab3eca136e1bfa6560686bf31f6982afeb0535dfd70bd7

          SHA512

          bb40f31f256d4635c9ef00ef2eb7f6d959a262e55e8028d2d009073b74979900672073db15b2e3130b551dfe3b770863251940fa13c49375b8e18c5be24fb2a9

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          410B

          MD5

          2fc1a608aeeb5dd7de5adbe727689ecf

          SHA1

          c13bb01a3e4882baa7126d5bc312000dcffcdd9d

          SHA256

          ef4479083305c9e4ae74441cd3f3d879f8b1a48b33905f6a56406d0c1961bcbb

          SHA512

          4f1ed947607d5b946aec48a0dcfa93dbcf5dd39d4064dfddd1ba61ef642ecf230a4c3184cd32d608d132d4ec271e5e2d3e88e05ea9ea4f7aa9122694aa558c5d

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

          Filesize

          392B

          MD5

          25ade1b6204ccb1421cdc0f77b63f397

          SHA1

          ed0505f1ab9abc75f94041bde0c4a1c9b0b68bbf

          SHA256

          697286bd760887f27f78813608f8f812d7fd1746a28ec3349ddaaa1f669f3e76

          SHA512

          3c822d34b341b75fc2edbf6fa94dd8f47408c03267dbf8977d438cbf0d53370cf39fc74801b8b4f381ae5077bd8847936e102c6670614906b85545d2b32d8d33

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

          Filesize

          406B

          MD5

          7bb97f0b122ba0572bc6963e2b550e10

          SHA1

          81994919e729e02d7b754a88331d7eba47fbdf71

          SHA256

          55ab66ee42e9bca536e8853ddf2abe0be9319e5614bbcbcaf253351da1255b42

          SHA512

          c0a89360c3e7052a2d87eedf4b0fa04ab40369b1e864ec614ed2fe70cfbdd6ed2371d8e36a887e326410f617463acbef018697ebd6a2595fb5e097e0f6fbb3d1

        • C:\Users\Admin\AppData\Local\Temp\93B0.bat

          Filesize

          79B

          MD5

          403991c4d18ac84521ba17f264fa79f2

          SHA1

          850cc068de0963854b0fe8f485d951072474fd45

          SHA256

          ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

          SHA512

          a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

        • memory/1216-0-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/1216-6-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/1216-3-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/1668-463-0x00000212F20C0000-0x00000212F20E0000-memory.dmp

          Filesize

          128KB

        • memory/1668-471-0x00000212F2020000-0x00000212F20B1000-memory.dmp

          Filesize

          580KB

        • memory/1992-349-0x000002A8D9E60000-0x000002A8D9E62000-memory.dmp

          Filesize

          8KB

        • memory/1992-352-0x000002A8D9E80000-0x000002A8D9E82000-memory.dmp

          Filesize

          8KB

        • memory/1992-473-0x000002A8C8420000-0x000002A8C84B1000-memory.dmp

          Filesize

          580KB

        • memory/1992-191-0x000002A8D9100000-0x000002A8D9200000-memory.dmp

          Filesize

          1024KB

        • memory/1992-369-0x000002A8DB4F0000-0x000002A8DB4F2000-memory.dmp

          Filesize

          8KB

        • memory/1992-389-0x000002A8D9A10000-0x000002A8D9A30000-memory.dmp

          Filesize

          128KB

        • memory/1992-197-0x000002A8D97D0000-0x000002A8D97F0000-memory.dmp

          Filesize

          128KB

        • memory/1992-412-0x000002A8DB600000-0x000002A8DB700000-memory.dmp

          Filesize

          1024KB

        • memory/1992-414-0x000002A8DB600000-0x000002A8DB700000-memory.dmp

          Filesize

          1024KB

        • memory/1992-367-0x000002A8DB4E0000-0x000002A8DB4E2000-memory.dmp

          Filesize

          8KB

        • memory/1992-365-0x000002A8DA7E0000-0x000002A8DA7E2000-memory.dmp

          Filesize

          8KB

        • memory/1992-363-0x000002A8D9EA0000-0x000002A8D9EA2000-memory.dmp

          Filesize

          8KB

        • memory/1992-359-0x000002A8D9E90000-0x000002A8D9E92000-memory.dmp

          Filesize

          8KB

        • memory/1992-373-0x000002A8DBAF0000-0x000002A8DBAF2000-memory.dmp

          Filesize

          8KB

        • memory/1992-336-0x000002A8D9C60000-0x000002A8D9C62000-memory.dmp

          Filesize

          8KB

        • memory/2088-407-0x000001706F830000-0x000001706F8C1000-memory.dmp

          Filesize

          580KB

        • memory/3304-4-0x0000000001380000-0x0000000001396000-memory.dmp

          Filesize

          88KB

        • memory/4528-474-0x000001F123430000-0x000001F123432000-memory.dmp

          Filesize

          8KB

        • memory/4528-477-0x000001F123460000-0x000001F123462000-memory.dmp

          Filesize

          8KB

        • memory/4528-479-0x000001F123620000-0x000001F123622000-memory.dmp

          Filesize

          8KB

        • memory/4528-489-0x000001F134180000-0x000001F134182000-memory.dmp

          Filesize

          8KB

        • memory/5012-382-0x000002147A440000-0x000002147A441000-memory.dmp

          Filesize

          4KB

        • memory/5012-469-0x000002147A800000-0x000002147A891000-memory.dmp

          Filesize

          580KB

        • memory/5012-51-0x0000021473F00000-0x0000021473F02000-memory.dmp

          Filesize

          8KB

        • memory/5012-32-0x0000021473E00000-0x0000021473E10000-memory.dmp

          Filesize

          64KB

        • memory/5012-381-0x000002147A430000-0x000002147A431000-memory.dmp

          Filesize

          4KB

        • memory/5012-16-0x0000021473A20000-0x0000021473A30000-memory.dmp

          Filesize

          64KB