Analysis

  • max time kernel
    152s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25/09/2023, 00:17

General

  • Target

    878427f36cdee4205ab163f3b92d8cdecc2336993b9591f7c6f39df4a58535a4.exe

  • Size

    270KB

  • MD5

    ed854fc642c23edec7fb08c40454c6a1

  • SHA1

    9af072a449cfe9a7fe56c0ed337680e92f1d0e9b

  • SHA256

    878427f36cdee4205ab163f3b92d8cdecc2336993b9591f7c6f39df4a58535a4

  • SHA512

    d779173b4c974e06268d90f739297af9988ed6aae329bed0f32ca791e66b9411636286464f0cbb143f0b00e543d230ae4f60e0adb8c9291501675ff94d200cf8

  • SSDEEP

    6144:URdhrJ+j+5j68KsT6h/OCy5U9uAOnA3eaOnzakqw6:URzN+j+5+RsqGGua3Xuzyw6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Signatures

  • Detected Google phishing page
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (7 IoCs)
  • Program crash (1 IoC)
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandbox environments.

  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (42 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\878427f36cdee4205ab163f3b92d8cdecc2336993b9591f7c6f39df4a58535a4.exe
    "C:\Users\Admin\AppData\Local\Temp\878427f36cdee4205ab163f3b92d8cdecc2336993b9591f7c6f39df4a58535a4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:616
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:5008
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 228
        2⤵
        • Program crash
        PID:4236
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A265.bat" "
      1⤵
      • Checks computer location settings
      PID:4356
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1760
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:1564
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4820
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2908
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:2612
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4832
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4064
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4640
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4880
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4336
    • C:\Users\Admin\AppData\Roaming\uesdgfv
      C:\Users\Admin\AppData\Roaming\uesdgfv
      1⤵
      • Executes dropped EXE
      PID:3352

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PZQ0K35H\edgecompatviewlist[1].xml

            Filesize

            74KB

            MD5

            d4fc49dc14f63895d997fa4940f24378

            SHA1

            3efb1437a7c5e46034147cbbc8db017c69d02c31

            SHA256

            853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

            SHA512

            cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\WYN71CTS\B8BxsscfVBr[1].ico

            Filesize

            1KB

            MD5

            e508eca3eafcc1fc2d7f19bafb29e06b

            SHA1

            a62fc3c2a027870d99aedc241e7d5babba9a891f

            SHA256

            e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a

            SHA512

            49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YO39TN1Q\suggestions[1].en-US

            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

            Filesize

            4KB

            MD5

            24be8a92460b5b7a555b1da559296958

            SHA1

            94147054e8a04e82fea1c185af30c7c90b194064

            SHA256

            77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3

            SHA512

            ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\C0AV9HF3.cookie

            Filesize

            132B

            MD5

            ec979e2438086f1c21982ec273ebb3d5

            SHA1

            89ed95a947fd30a0c1cb861965d346e92644883a

            SHA256

            43a4ee3387a3ee8eebdcadfbc873ad1a9bcba601b39015f0ce8d81b45ba3170f

            SHA512

            1709ba665cc203e658eeda9cb972ece0026a520548aec6d50cfba949cb8f14000714a552f3626786c090e93738ef9166fc279ac923f26d58437fc1283af9033b

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\LSG0X0K4.cookie

            Filesize

            132B

            MD5

            a5c0be119fd944d07f2709ebb1d18b78

            SHA1

            ec4be9c73c5f1d65c8f4f98c30645ca69dd805ce

            SHA256

            d25d59663655a886b96466e7e2341a761c724f04e72ed09c006287a74e44c1be

            SHA512

            259b8b34ff756c167a5417f2b9804b68a985455c4b0f3f4262dc9d7d50b0e9b4cc84605b3d56d83a34a53e9402cadc6fa21981744ebb5a66ab5b4b03f7ef17c1

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

            Filesize

            1KB

            MD5

            b5eda74305a01c41450e0d12777199e1

            SHA1

            36162e9e8c3a69b237d317f7c300f11927a37c12

            SHA256

            6e5c17b2b4e22fa800baa0eaf0b76ce73005e463b915503e8bca92223b9cf594

            SHA512

            f96b2ea451f4ceef082e1289a7f1e160580f5a8d515eaf2b4df0d8d818c34355c17538806f873fba07118b5c937d8c3172721ee03e3d16126e07c0db5faf16f3

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

            Filesize

            4KB

            MD5

            24be8a92460b5b7a555b1da559296958

            SHA1

            94147054e8a04e82fea1c185af30c7c90b194064

            SHA256

            77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3

            SHA512

            ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

            Filesize

            724B

            MD5

            ac89a852c2aaa3d389b2d2dd312ad367

            SHA1

            8f421dd6493c61dbda6b839e2debb7b50a20c930

            SHA256

            0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

            SHA512

            c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

            Filesize

            471B

            MD5

            3b7403306365b481a905b872a4a8fe8d

            SHA1

            848d8b54a1b0fa0f473fe13bbabcb7872c0a6067

            SHA256

            f7ffcd2b2deb0aafb5ab3eca136e1bfa6560686bf31f6982afeb0535dfd70bd7

            SHA512

            bb40f31f256d4635c9ef00ef2eb7f6d959a262e55e8028d2d009073b74979900672073db15b2e3130b551dfe3b770863251940fa13c49375b8e18c5be24fb2a9

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

            Filesize

            410B

            MD5

            e21caa1e57215c6901c35d3814285982

            SHA1

            6ec471e7e7a56e1ba55f71dfe7461b5104f35b98

            SHA256

            bb5edf0cb74a109390b15e288b3b6149f1b77edfdee3323be6c5c264a58608e6

            SHA512

            0a81e2c5431c8338c64894cba9b7b68774cf57e7b55b0e10f4b999de3c33d6a312ecd80b644ff19d821b8a032a7ee44b18a51c02156dd8ab2f5767e7443b7231

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

            Filesize

            342B

            MD5

            2e61524dc20febf1ad8ddedf6cca2153

            SHA1

            6c754afcfa7f18f1fea1e064e460c43d8277ff59

            SHA256

            d397f3233c366650a0562e80774a785191954e7b27c8bf16e9eb3909aa3c500c

            SHA512

            fc25a4959819ea80e72c030e5e3fe1f48a4728468655ea7b0868809a0f4c5eb4bcfd7a086b06a2d7890691beb73979db3b4e2cbc36cefcdc61340a860605e433

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

            Filesize

            392B

            MD5

            08436b397ca0f22f1cf4fbd905610bb8

            SHA1

            665560a33f5b7c9d57ad97706104f20d1b68d30c

            SHA256

            1fb8113f9d0043cab84f942bfa7724a31fe411bea727c6c2693da6fc1c130819

            SHA512

            f032b07a573cd742d4bdef2b9325c2eb254d96964757a67f0ace283c679561abd829902f88c089dbbd5fbe725be66c510f2fa769707242061fa6efa067f490e1

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

            Filesize

            406B

            MD5

            69909114f1453ef1b0685bb267644b23

            SHA1

            65a1bcbee415e83e6373cc1a6c864d6a01b505ae

            SHA256

            e9d3c06d4f81ccab24f0db2ffed66a6a731a2a44a6c650ff62fe32d8036613d5

            SHA512

            da624f17326305c72167376c8e903f680305fa9fc54e6e3ca1c5b92b31242f67f2c9461c123a8828dcab3bbf7509f1f36b31ae5aaba88049f6136ee6a28f50f5

          • C:\Users\Admin\AppData\Local\Temp\A265.bat

            Filesize

            79B

            MD5

            403991c4d18ac84521ba17f264fa79f2

            SHA1

            850cc068de0963854b0fe8f485d951072474fd45

            SHA256

            ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

            SHA512

            a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

          • C:\Users\Admin\AppData\Roaming\uesdgfv

            Filesize

            96KB

            MD5

            7825cad99621dd288da81d8d8ae13cf5

            SHA1

            f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

            SHA256

            529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

            SHA512

            2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

          • memory/1760-51-0x000001E142210000-0x000001E142212000-memory.dmp

            Filesize

            8KB

          • memory/1760-32-0x000001E142680000-0x000001E142690000-memory.dmp

            Filesize

            64KB

          • memory/1760-398-0x000001E1486E0000-0x000001E1486E1000-memory.dmp

            Filesize

            4KB

          • memory/1760-16-0x000001E141E20000-0x000001E141E30000-memory.dmp

            Filesize

            64KB

          • memory/1760-401-0x000001E1486F0000-0x000001E1486F1000-memory.dmp

            Filesize

            4KB

          • memory/2612-221-0x000001347B0D0000-0x000001347B0F0000-memory.dmp

            Filesize

            128KB

          • memory/2612-248-0x0000013479950000-0x0000013479952000-memory.dmp

            Filesize

            8KB

          • memory/2612-371-0x000001347DA20000-0x000001347DA22000-memory.dmp

            Filesize

            8KB

          • memory/2612-374-0x000001347DA30000-0x000001347DA32000-memory.dmp

            Filesize

            8KB

          • memory/2612-380-0x000001347CCF0000-0x000001347CDF0000-memory.dmp

            Filesize

            1024KB

          • memory/2612-384-0x000001347DE00000-0x000001347DF00000-memory.dmp

            Filesize

            1024KB

          • memory/2612-361-0x000001347CFE0000-0x000001347CFE2000-memory.dmp

            Filesize

            8KB

          • memory/2612-400-0x000001347A490000-0x000001347A590000-memory.dmp

            Filesize

            1024KB

          • memory/2612-354-0x000001347A710000-0x000001347A712000-memory.dmp

            Filesize

            8KB

          • memory/2612-256-0x0000013479990000-0x0000013479992000-memory.dmp

            Filesize

            8KB

          • memory/2612-252-0x0000013479970000-0x0000013479972000-memory.dmp

            Filesize

            8KB

          • memory/2612-367-0x000001347DA10000-0x000001347DA12000-memory.dmp

            Filesize

            8KB

          • memory/2612-244-0x0000013479930000-0x0000013479932000-memory.dmp

            Filesize

            8KB

          • memory/2612-236-0x00000134799E0000-0x00000134799E2000-memory.dmp

            Filesize

            8KB

          • memory/2612-229-0x00000134799C0000-0x00000134799C2000-memory.dmp

            Filesize

            8KB

          • memory/2612-224-0x0000013479910000-0x0000013479912000-memory.dmp

            Filesize

            8KB

          • memory/2612-202-0x000001347A000000-0x000001347A100000-memory.dmp

            Filesize

            1024KB

          • memory/2612-208-0x000001347AD60000-0x000001347AD62000-memory.dmp

            Filesize

            8KB

          • memory/3292-4-0x0000000001320000-0x0000000001336000-memory.dmp

            Filesize

            88KB

          • memory/5008-0-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

          • memory/5008-5-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

          • memory/5008-3-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB