Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    24/09/2023, 23:41

General

  • Target

    d8c122329477958b4851db3b3b3e5547deb5c4dd2f5f836eea04468b8e1f1d4e.exe

  • Size

    270KB

  • MD5

    890fc7f7c5e766452e6866c3fb3fb1b0

  • SHA1

    525252375a7a45d545cd3da27b198656576dada2

  • SHA256

    d8c122329477958b4851db3b3b3e5547deb5c4dd2f5f836eea04468b8e1f1d4e

  • SHA512

    4f944bcb4adc1176aa87b34c63525553753c19195f4f672f2cc9e11010a3779b6fee06d87e800b8cb12efaf399045a31041964ab690ce20dcadcdf99364a8af0

  • SSDEEP

    6144:qRnhrJ+j+5j68KsT6h/OCy5U9uAO5ANmyxg3XNqw6:qRhN+j+5+RsqGGuoNRxg3sw6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detected google phishing page
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (7 IoCs)
  • Program crash (1 IoC)
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (58 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (23 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8c122329477958b4851db3b3b3e5547deb5c4dd2f5f836eea04468b8e1f1d4e.exe
    "C:\Users\Admin\AppData\Local\Temp\d8c122329477958b4851db3b3b3e5547deb5c4dd2f5f836eea04468b8e1f1d4e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3976
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 212
      2⤵
      • Program crash
      PID:2216
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AB8D.bat" "
    1⤵
    • Checks computer location settings
    PID:3764
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1136
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4992
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2740
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4460
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:408
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4316
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:764
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1768
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4984

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0G1F2NWK\edgecompatviewlist[1].xml

          Filesize

          74KB

          MD5

          d4fc49dc14f63895d997fa4940f24378

          SHA1

          3efb1437a7c5e46034147cbbc8db017c69d02c31

          SHA256

          853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

          SHA512

          cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\63QOCFK4\B8BxsscfVBr[1].ico

          Filesize

          1KB

          MD5

          e508eca3eafcc1fc2d7f19bafb29e06b

          SHA1

          a62fc3c2a027870d99aedc241e7d5babba9a891f

          SHA256

          e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a

          SHA512

          49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\SBRV38DM\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          4KB

          MD5

          24be8a92460b5b7a555b1da559296958

          SHA1

          94147054e8a04e82fea1c185af30c7c90b194064

          SHA256

          77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3

          SHA512

          ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          1KB

          MD5

          b5eda74305a01c41450e0d12777199e1

          SHA1

          36162e9e8c3a69b237d317f7c300f11927a37c12

          SHA256

          6e5c17b2b4e22fa800baa0eaf0b76ce73005e463b915503e8bca92223b9cf594

          SHA512

          f96b2ea451f4ceef082e1289a7f1e160580f5a8d515eaf2b4df0d8d818c34355c17538806f873fba07118b5c937d8c3172721ee03e3d16126e07c0db5faf16f3

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          4KB

          MD5

          24be8a92460b5b7a555b1da559296958

          SHA1

          94147054e8a04e82fea1c185af30c7c90b194064

          SHA256

          77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3

          SHA512

          ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

          Filesize

          724B

          MD5

          ac89a852c2aaa3d389b2d2dd312ad367

          SHA1

          8f421dd6493c61dbda6b839e2debb7b50a20c930

          SHA256

          0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

          SHA512

          c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

          Filesize

          471B

          MD5

          3b7403306365b481a905b872a4a8fe8d

          SHA1

          848d8b54a1b0fa0f473fe13bbabcb7872c0a6067

          SHA256

          f7ffcd2b2deb0aafb5ab3eca136e1bfa6560686bf31f6982afeb0535dfd70bd7

          SHA512

          bb40f31f256d4635c9ef00ef2eb7f6d959a262e55e8028d2d009073b74979900672073db15b2e3130b551dfe3b770863251940fa13c49375b8e18c5be24fb2a9

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          410B

          MD5

          18244b7cc18bb54d83ec7befa3565031

          SHA1

          b9f77d0da454b288badb742cd17b020db9e824a0

          SHA256

          cc1819387067a73927a53c852ab6014dc6a9f853b0b8ef4360578a5965e3c0d9

          SHA512

          cab6a806d5a41f3dcf381b95e5578f8f5591228930ea2b1f228bf9539bb06f66f93c119758adc6538d620bea98150218b76239b2be61836c4361103b2549f242

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          302B

          MD5

          3140f9be2fb65323f22a378cab80abd2

          SHA1

          84e4b7d91fdc9b8bb289500604148af7449b659e

          SHA256

          55afbea05c2c47aeeaccf16eab7e34b4d5d6b10876f90a2db87c37ecd10e1c83

          SHA512

          2d96c640844ea457159224ec9f63fa37ab2d4374cba27cf57cbc1a05322f2be8b5e8058402042f414713854c109f26016e0411548571afdb52dd92f68ead8a20

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

          Filesize

          392B

          MD5

          77ac0e68db9a84f55a882ee5993844c2

          SHA1

          d6b2444dda6153f9ee61c6b76b87a30a26085a5a

          SHA256

          d40ad2515acab5fbb03eb72537a22ce1c2e90d36472899247466b4619746e0bc

          SHA512

          353a7fb7952d07fc31253f98edb2f7db9158405e8575c1666a7f28121e1656f195bed3ebd6cfd0d762dc923330b0f3a05bf800f6336d9ac29b1cc34a5d9ee110

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

          Filesize

          406B

          MD5

          b7f0504dc7d9ee4c1c5424d9eba51313

          SHA1

          421b817f47a52418d2eb63f2af0d961dd7831c3b

          SHA256

          d020420fab2170d9bcee83d83cd99e2779e7acd2c9d77a8acec4374f8b5b7e9e

          SHA512

          5ae188b9f5387598b3ca5f13ddb5eafe41a0b132e085e89bc0e517fcab94bec9fb463ac74604e8d1593f6a947ed4c7c8d1c80bfb19b38160b9495f79502ca623

        • C:\Users\Admin\AppData\Local\Temp\AB8D.bat

          Filesize

          79B

          MD5

          403991c4d18ac84521ba17f264fa79f2

          SHA1

          850cc068de0963854b0fe8f485d951072474fd45

          SHA256

          ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

          SHA512

          a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

        • memory/408-406-0x000001D81C6C0000-0x000001D81C6C2000-memory.dmp

          Filesize

          8KB

        • memory/408-395-0x000001D81CBF0000-0x000001D81CBF2000-memory.dmp

          Filesize

          8KB

        • memory/408-392-0x000001D81CBD0000-0x000001D81CBD2000-memory.dmp

          Filesize

          8KB

        • memory/408-402-0x000001D81C6B0000-0x000001D81C6B2000-memory.dmp

          Filesize

          8KB

        • memory/408-272-0x000001D81A600000-0x000001D81A700000-memory.dmp

          Filesize

          1024KB

        • memory/408-268-0x000001D81B260000-0x000001D81B280000-memory.dmp

          Filesize

          128KB

        • memory/408-258-0x000001D81A300000-0x000001D81A400000-memory.dmp

          Filesize

          1024KB

        • memory/408-410-0x000001D81C6E0000-0x000001D81C6E2000-memory.dmp

          Filesize

          8KB

        • memory/408-412-0x000001D81D350000-0x000001D81D352000-memory.dmp

          Filesize

          8KB

        • memory/1136-100-0x0000023D519A0000-0x0000023D519A2000-memory.dmp

          Filesize

          8KB

        • memory/1136-81-0x0000023D4D400000-0x0000023D4D410000-memory.dmp

          Filesize

          64KB

        • memory/1136-65-0x0000023D4D020000-0x0000023D4D030000-memory.dmp

          Filesize

          64KB

        • memory/3240-30-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-35-0x0000000001530000-0x0000000001540000-memory.dmp

          Filesize

          64KB

        • memory/3240-48-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-49-0x0000000001530000-0x0000000001540000-memory.dmp

          Filesize

          64KB

        • memory/3240-51-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-53-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-52-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-55-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-54-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-57-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-58-0x0000000001530000-0x0000000001540000-memory.dmp

          Filesize

          64KB

        • memory/3240-59-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-45-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-42-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-41-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-43-0x0000000001570000-0x0000000001580000-memory.dmp

          Filesize

          64KB

        • memory/3240-39-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-37-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-4-0x00000000014B0000-0x00000000014C6000-memory.dmp

          Filesize

          88KB

        • memory/3240-46-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-34-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-32-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-31-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-13-0x0000000001510000-0x0000000001520000-memory.dmp

          Filesize

          64KB

        • memory/3240-24-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-25-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-28-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-26-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-22-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-21-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-18-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-19-0x0000000001570000-0x0000000001580000-memory.dmp

          Filesize

          64KB

        • memory/3240-16-0x0000000001560000-0x0000000001570000-memory.dmp

          Filesize

          64KB

        • memory/3240-14-0x0000000001510000-0x0000000001520000-memory.dmp

          Filesize

          64KB

        • memory/3976-0-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/3976-5-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/3976-3-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/4316-173-0x00000209BCF20000-0x00000209BCF40000-memory.dmp

          Filesize

          128KB