Analysis

  • max time kernel
    300s
  • max time network
    298s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25/09/2023, 01:36

General

  • Target

    147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe

  • Size

    240KB

  • MD5

    26cfc7945d27d22acf55e6bdf270a156

  • SHA1

    937d51b0a8279b753d2b2e3cf346b88b2a7aa99b

  • SHA256

    147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3

  • SHA512

    22eca42df3db288244b6280c0d774f8d6ad0e120a3a5fc4ba80d11d69e38eeb7b4a5a4a2581d0d1db9aee7dfe10eea469f7c39c30e641f75d2c0cd0f0e6b94f1

  • SSDEEP

    6144:pU5frpxdonyq4zaG2u5AOAeKCykFVquqp:pCrp0/9u5KeNykjquqp

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detected google phishing page
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe
    "C:\Users\Admin\AppData\Local\Temp\147ae4e330ccabf70491cd9a45ee2c68d92699fecfd04107c69fe249ea8884c3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3292
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 244
      2⤵
      • Program crash
      PID:1772
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\819F.bat" "
    1⤵
    • Checks computer location settings
    PID:4200
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3628
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:2728
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1796
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4676
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:600
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:428
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    PID:3572
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4624
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3436
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4760
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:1460
  • C:\Users\Admin\AppData\Roaming\udccrws
    C:\Users\Admin\AppData\Roaming\udccrws
    1⤵
    • Executes dropped EXE
    PID:1184

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0G1F2NWK\edgecompatviewlist[1].xml

          Filesize

          74KB

          MD5

          d4fc49dc14f63895d997fa4940f24378

          SHA1

          3efb1437a7c5e46034147cbbc8db017c69d02c31

          SHA256

          853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

          SHA512

          cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\4RPAM05V\B8BxsscfVBr[1].ico

          Filesize

          1KB

          MD5

          e508eca3eafcc1fc2d7f19bafb29e06b

          SHA1

          a62fc3c2a027870d99aedc241e7d5babba9a891f

          SHA256

          e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a

          SHA512

          49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\UCVUWTY4\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\1Z33JL5K.cookie

          Filesize

          132B

          MD5

          7f14f16e8d017c3841cc2b64921cc941

          SHA1

          16a15b70725859862eec92b53d075adeebf6442d

          SHA256

          fbc2dceac34b63992b5a14ae249a47c2aeb67fb7e47e529092783fda38de0d55

          SHA512

          2ceab32044d4d4dce3ba5c536507f4d8405bb063a70ad36c58fd3613d8240b3b771514a4ceac31cae9b45ee69fc2c3a40e4e43a3a74a078523a32d2d4154ff29

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\GRBK249X.cookie

          Filesize

          132B

          MD5

          8456dce847d34a9eb167bfd1bb00784d

          SHA1

          a49714cf677c3d50fa8485c6384fb70768f4166e

          SHA256

          92f298d8b0469b5bee5abccd286aee97755756e334dfe52927849972117952bf

          SHA512

          db09907ff6118d2d6f4018a6ce32a22818c74fedfa58f847a4e919538b67e983096728b74c3b5759e9213085032fe3699d1761dfacfa205b2112fb566b9718d3

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          1KB

          MD5

          b5eda74305a01c41450e0d12777199e1

          SHA1

          36162e9e8c3a69b237d317f7c300f11927a37c12

          SHA256

          6e5c17b2b4e22fa800baa0eaf0b76ce73005e463b915503e8bca92223b9cf594

          SHA512

          f96b2ea451f4ceef082e1289a7f1e160580f5a8d515eaf2b4df0d8d818c34355c17538806f873fba07118b5c937d8c3172721ee03e3d16126e07c0db5faf16f3

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

          Filesize

          724B

          MD5

          ac89a852c2aaa3d389b2d2dd312ad367

          SHA1

          8f421dd6493c61dbda6b839e2debb7b50a20c930

          SHA256

          0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

          SHA512

          c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

          Filesize

          471B

          MD5

          3b7403306365b481a905b872a4a8fe8d

          SHA1

          848d8b54a1b0fa0f473fe13bbabcb7872c0a6067

          SHA256

          f7ffcd2b2deb0aafb5ab3eca136e1bfa6560686bf31f6982afeb0535dfd70bd7

          SHA512

          bb40f31f256d4635c9ef00ef2eb7f6d959a262e55e8028d2d009073b74979900672073db15b2e3130b551dfe3b770863251940fa13c49375b8e18c5be24fb2a9

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          410B

          MD5

          396ed247ec14dc5265b754b77fcbc161

          SHA1

          907317b416ec627869f9b30ff5023882f312dc42

          SHA256

          17b39f771c19176baff978630c0f9159906d706883286dee993adddcffc05054

          SHA512

          9c8fa575aa1ced181b93edd3931e887ab6f2a7aafa833d1f865546cf391f461765c1ebe5b382d8c01337c111daae08e18fecdc3fe6c68a3316afc2871d40c837

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

          Filesize

          392B

          MD5

          3e7f66daa4f5a3b3d5ed1e5675775a22

          SHA1

          4560014e0e9f2dd1096cff9e7e43bb0c2b9f9feb

          SHA256

          532df69ce8a87411ee60793bdf8ccb1ddeee7db30cc9b7b57f324f9a1278ff98

          SHA512

          d46f45516f315de71bb6c040d7f567717b58ef11793912c6bc333f5a78e9e8f3f06f82acc4f4f86a5bcdb01d43d414cd8b4e62f58b988dc145bf538a67f77d44

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

          Filesize

          406B

          MD5

          3669dc05c38d9e0749ef0fe45a95bd79

          SHA1

          2e5191d6d7b5e6ffaead933b90894d2471937b56

          SHA256

          04349aad3134575c97232fea64bf339edb26268c912141bb2f799bfed4578e1c

          SHA512

          c52581569d6a0aedb4e6a058942f30cdc3648e02bb20a182c4b610611a3062581e3363ca8adbaaeff851985e1d82c83dc0f9f4ff3b27ebbbd4a1a40764109b73

        • C:\Users\Admin\AppData\Local\Temp\819F.bat

          Filesize

          79B

          MD5

          403991c4d18ac84521ba17f264fa79f2

          SHA1

          850cc068de0963854b0fe8f485d951072474fd45

          SHA256

          ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

          SHA512

          a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

        • C:\Users\Admin\AppData\Roaming\udccrws

          Filesize

          96KB

          MD5

          7825cad99621dd288da81d8d8ae13cf5

          SHA1

          f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

          SHA256

          529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

          SHA512

          2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

        • memory/600-349-0x0000016CEB2E0000-0x0000016CEB2E2000-memory.dmp

          Filesize

          8KB

        • memory/600-209-0x0000016CEB570000-0x0000016CEB590000-memory.dmp

          Filesize

          128KB

        • memory/600-364-0x0000016CEB5F0000-0x0000016CEB5F2000-memory.dmp

          Filesize

          8KB

        • memory/600-366-0x0000016CEBDE0000-0x0000016CEBDE2000-memory.dmp

          Filesize

          8KB

        • memory/600-542-0x0000016CD9A80000-0x0000016CD9A90000-memory.dmp

          Filesize

          64KB

        • memory/600-541-0x0000016CD9A80000-0x0000016CD9A90000-memory.dmp

          Filesize

          64KB

        • memory/600-357-0x0000016CEB280000-0x0000016CEB282000-memory.dmp

          Filesize

          8KB

        • memory/600-381-0x0000016CEBDF0000-0x0000016CEBDF2000-memory.dmp

          Filesize

          8KB

        • memory/600-384-0x0000016CEC980000-0x0000016CECA80000-memory.dmp

          Filesize

          1024KB

        • memory/600-386-0x0000016CD9830000-0x0000016CD9930000-memory.dmp

          Filesize

          1024KB

        • memory/600-428-0x0000016CEA990000-0x0000016CEAA90000-memory.dmp

          Filesize

          1024KB

        • memory/600-355-0x0000016CEB260000-0x0000016CEB262000-memory.dmp

          Filesize

          8KB

        • memory/600-353-0x0000016CEB210000-0x0000016CEB212000-memory.dmp

          Filesize

          8KB

        • memory/600-540-0x0000016CD9A80000-0x0000016CD9A90000-memory.dmp

          Filesize

          64KB

        • memory/600-344-0x0000016CEB1A0000-0x0000016CEB1A2000-memory.dmp

          Filesize

          8KB

        • memory/600-361-0x0000016CEB300000-0x0000016CEB302000-memory.dmp

          Filesize

          8KB

        • memory/600-189-0x0000016CEA300000-0x0000016CEA400000-memory.dmp

          Filesize

          1024KB

        • memory/600-539-0x0000016CD9A80000-0x0000016CD9A90000-memory.dmp

          Filesize

          64KB

        • memory/3264-4-0x0000000000480000-0x0000000000496000-memory.dmp

          Filesize

          88KB

        • memory/3292-3-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/3292-5-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/3292-0-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/3572-467-0x000002643C930000-0x000002643C950000-memory.dmp

          Filesize

          128KB

        • memory/3628-15-0x0000022C73920000-0x0000022C73930000-memory.dmp

          Filesize

          64KB

        • memory/3628-50-0x0000022C72AE0000-0x0000022C72AE2000-memory.dmp

          Filesize

          8KB

        • memory/3628-373-0x0000022C7A140000-0x0000022C7A141000-memory.dmp

          Filesize

          4KB

        • memory/3628-372-0x0000022C7A130000-0x0000022C7A131000-memory.dmp

          Filesize

          4KB

        • memory/3628-31-0x0000022C73BE0000-0x0000022C73BF0000-memory.dmp

          Filesize

          64KB

        • memory/4624-488-0x000001D3796D0000-0x000001D3796D2000-memory.dmp

          Filesize

          8KB

        • memory/4624-482-0x000001D3688E0000-0x000001D3688E2000-memory.dmp

          Filesize

          8KB

        • memory/4624-480-0x000001D3688C0000-0x000001D3688C2000-memory.dmp

          Filesize

          8KB

        • memory/4624-477-0x000001D368880000-0x000001D368882000-memory.dmp

          Filesize

          8KB