Analysis

  • max time kernel
    300s
  • max time network
    224s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/09/2023, 01:39

General

  • Target

    821214e489c8c2072bd1c9aae9e3e35979743876da47514dadbf751f5f547c89.exe

  • Size

    239KB

  • MD5

    a79056e7d41cb50cd9dcfbc6cdfbc4f0

  • SHA1

    0066042afccac73edff4c63d2719c752a835cb7a

  • SHA256

    821214e489c8c2072bd1c9aae9e3e35979743876da47514dadbf751f5f547c89

  • SHA512

    1174f42bfb2f0f51536c5cce521538e4c641589daaf42937f9967be72dfa8de0d91395d3e55947cf607d0fb875efc6485060a49141c746fed853c53d42b7c5cb

  • SSDEEP

    6144:/146fuYXChoQTjlFgLuCY1dRuAON4G/w8y0:/CYzXChdTbv1bu7/w8y

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\821214e489c8c2072bd1c9aae9e3e35979743876da47514dadbf751f5f547c89.exe
    "C:\Users\Admin\AppData\Local\Temp\821214e489c8c2072bd1c9aae9e3e35979743876da47514dadbf751f5f547c89.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2300
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 52
      2⤵
      • Program crash
      PID:2592
  • C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\3987.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2968

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          7286aecc8b973145a682ca1404cb80aa

          SHA1

          006350396ef43725592125011213cb51b8a67200

          SHA256

          c6474df9de34a257b2ef513ed066f7d6ea7989b01b4de400e9520428a89d9161

          SHA512

          0cf2fff29852d41af123ec487c3ef2ca4bd29c2003e85fbc5293d39a9f9ea56da9d0db74c407c8210b6f9175b1cc846116c01d81c951499bb275a99a4d1e1b70

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          4617095964c8545c1376259a58f2c745

          SHA1

          4ddd06b0272cf44f1e9b290ebb102a1449412685

          SHA256

          a13496d5afa02e921530514499e98d122eb596b37d88df9ec5b09eb9e1c5adcd

          SHA512

          0f2c13815337029bce80a0037017aa9b052fcd21c8724555153edbe81eb78771a93de60e456bfee958bf74529d9b7a48d413a39ec58fac17a0d670a1d5df239c

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          e4f0fa64ccffc2147b4584675906f021

          SHA1

          bfac5f4423332360f2ad999e278148e36822e61a

          SHA256

          c85eb307c3de340c84b610bf06a25c7fe5dadcec51bd820ac7222410a0e21af6

          SHA512

          8fac673f367e6480163e32469e53d912d90faa021b3fb3324376144ac055246a5be4abb7e1b435bdda069ec1a94518b0e1d60cf6715840e996160059e63e789f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          8758f1094f57d26e1ef6c299cb0b22e0

          SHA1

          dff77d7acbe9303a41a291319927969d8971afea

          SHA256

          b1cbf372afe19b21dd3e5d45e61b7b4c3172a51f15cb63dba5f8978721febd4b

          SHA512

          d205c10b526273e5242e85d99db0b526e8ce537b7a15205d1356f33592b8369ea9b02c68137229264932c421266156d3017af9761137c35a30ffb3d2fa2dc2d2

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          880bc7db2d2b3031d965d17d2ab05c04

          SHA1

          d7510d0d48dae2b683972f01b45c5133d0a50376

          SHA256

          b820cb0f4ff25541b4766a7012f155244e799a9777603c1a9bf0c1fddf4c02e1

          SHA512

          9be90f05c25248b6563867b3040635307983a6beb361536e387d2d2b10effad4ae7e074dbba1dd72ad52ebcddb4447c4e49080f9b7e5c11102abc101ff09a114

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          f92fe399e8ef4220dd775a10dc4455a4

          SHA1

          747e136f4e6bb43e3cf5f30c11a4a89beff4610c

          SHA256

          ecdbd1abd01aa04499947983c1dd89b42510f08671581443d8332038da4df072

          SHA512

          322e4adb4b655ddbce1f567c844001efaf4ba9428b1ac997c35dcac33b6a93c4fdefed1bf1b12deeff18795b422db6623d60807104ccc542d0f099d891026a59

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          dd5c458164a7830b0a34c735365a3dbc

          SHA1

          c40310a14063d9e4c9640a7d67c3743b09584648

          SHA256

          1ee0d50b4680ed70820867b1344306f8b570912a47cb5d7c6c058198e723c194

          SHA512

          4180b9baf04e3e34f67c94f8b8cb00f5fb2e97ee474ea95bc551eac959a6b5cbd4fe7bc60d1f8f7f5172711123065f83150d925fc9ceb41e87eb4c71afbe6cdd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          6a0023c9eade8bd4abedb24d6e6d88e6

          SHA1

          0e00b26cc6e6be101e9eda2d562ab44d36828c18

          SHA256

          36f52f6f083663faaf328625100154f44ff299f55052e2ad57648b3eb64d9a0a

          SHA512

          3273489891294098e724220946973ec5392d512e76a31cc8d03973e5b4298434f42f819964a77bcef4cb191ea40ea0e6dc7d86f7187bcb5c77a40d452fb37b4d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          b89b1d0d266263539de28086570bafb5

          SHA1

          974c9f58c84eba8e80ad9a3924ac9dd4f6736f2d

          SHA256

          8773f1118db9e465dc4b61851d6caed0886988844cab4fbb3b95956767946725

          SHA512

          a98f19f797cb3701162561f8cf726500f1c346dd0bc6d66f4a920676b7e388273a3332b6a9d15a88371bc5367d89373ad3e1cd7ab8e873b1145c5b2fe5df9d85

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          6c027a6398c604415214c204261dbc25

          SHA1

          4ee21f672bf9fc9b3d1c7261dbc1cdf744f24234

          SHA256

          69a926954c600829bc1f30ecc40a221c2d264ff4e0659c46a89390789df3e9f5

          SHA512

          59b9ebd7cf6bd6092d51645e8431f23ccd048d00db705a3f3f76534927a14c75ed09268b630196023dc297ac2d053b11ed43bde5a65200315ad9d08b6d199242

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          8137f55dba274bb6d25e3eea2b0fc9db

          SHA1

          fa6abae8eced7846d7cd9c3032de5e6eb6b7f0ce

          SHA256

          726282073a541150b30d617a73ef30c8e7c7798649e4e42b51bb82bad4ceef0c

          SHA512

          ec9ac4d117ef01d2a01cd75067d0f6c0eded84c9cf5a2324120fe45dbe3bdbb76f06488dd6a620cb181997c64857f950a484b4bc0d6eed3fc79b5e448fb5318f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          c76f380bcd9529ebb81bf38d1b5214b9

          SHA1

          25b88700a34545765c0e64f36c388124c7a49ca5

          SHA256

          2961fe0dc5972dc6cca07c8f50c36d0df23555b08975d74e0e0c3d6a97c30dfa

          SHA512

          4cfa85682243f4c8155734f14f4d9d6bbf97b462d3bac40224eb1b63c3e792241870696f4224449e0947fb2a68266d4d5014616601bf0fe628784fb75fe68511

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          1d0a4c37d14ab4df99352655f1e4ce65

          SHA1

          b54677b25662cd4e349b1e3c5f5e1c806276667b

          SHA256

          27bba7e51a0566416e35d0b4d1b5b940cfa3d9db6faa6606b2170080470a4edd

          SHA512

          b5f9239fd3b9f96240c01e1a0baac371af87655a424aeaf5a4d35b3e27d2d4356f301d7f4f6c439601ff9598d45dab074cd3d489653cce8c4693256eec176bfd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          840c94b2920ad6c6d15468e4a09a8389

          SHA1

          8fd07988888e98516db1ea5290e25c4143e7796e

          SHA256

          7173f9c57f2e9213041f642cc553d71e362155473bdc620d92e3d29e55bd1cf5

          SHA512

          5957cd3bf75489c7bff440d7720640c348144e3030cfa30b1caca068fe1691d1b4004e18cdea218c87f2c0cf665c50b6522570dff7ed477530a22fe5af4c8474

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          4b88a28066f86fdb91b42a5737c6824a

          SHA1

          5a424b0f1a9c352ed6a6069e34ea2e86e8a5abdb

          SHA256

          3a23b48820a80899c1b01a11282155c725ba1c3cb0af002bbb55ad0d6be7832f

          SHA512

          a4410fd697fe896829d7455fcc177de54be5bc133bc567897816ef9b5dd192f31db9ca8d4567fb7a12c723af96bae5ec243065d58d035c6e3565f149fa757688

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          eae774b3ebab10c4c749cda62a681282

          SHA1

          ef311362067cd89b04a6588a0e76241e3e3d9022

          SHA256

          2537f48521b4fd9f802fbbb492f2abea8fbc082222071b68a85be10c812dbf67

          SHA512

          cabc6355a08fa79d44a5387033a81ff91c995ea23d5bb318af6f674e2c184c63dfccfef0a604907c04d8a6eb1dd7465a8cec42af14bd7d39d30835fe02c09974

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          5d35517767e1044e1c06e52e315e7aa7

          SHA1

          330bacc21dcbd6cd45ef9724a24e058b39bcbcc1

          SHA256

          9587cb7cccb6040abb7b062b48beb93094a4fa4e346638a0039830d96a274538

          SHA512

          0c0badb4df58a9636e528472133b71457991b7982a2eb47c0ca22dac673301d5a852f177d9a540ff8dc0b7744cba710023c6310dca68624788792bec420a90b6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          5c4bdde1647c75b72ad849fffab6edd0

          SHA1

          0eb4b36991a9f7540a2cb682bf7f0965dca42d1c

          SHA256

          03a2b0c8299073ed3c258ddd77c4e6268bc623efa21b5d5aa98c7599ad1e7345

          SHA512

          8eb3a5e5ffa3435965b0320367ed9cee4c5537d5ffe46b033d19de5969f422ced66b0b1c83c2e9a0d0ffad8de838d4336d17b112aacd4196783b332a97439f00

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          1f4f8da332fe857e7f5dcae78bf627f7

          SHA1

          d57a4e421dc77ab650585c0fb98728cd8c7e4192

          SHA256

          e37929ed2517d50e87ac833b87e82ccbfbe53eecb695fc05135cc73e390e0e46

          SHA512

          7bab1a359a004db45535066c0643f1d17217058cc2fba7f43f16dac451371a857bb2bce4a14598cd47b22cd5f840ad757bed621b29792d07be148eca922e229b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          a81636b72d7a27dac063011baa5f9840

          SHA1

          6bb7441a992b17fb67348c215270788753884cd0

          SHA256

          9c7ca65feb89feb5f450efd54598f90ab3be54e20b42e19128beae9c91067361

          SHA512

          1701d82f870bec9b717f37c307e17bebfe6ec0a05a6142c3d5fb14c326bd5913dd6dfcfb20eb6a39430190549c897e9ee5753fd205ebfc869fb96186011cfce7

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          f49ca307be4457020b6a1b08ec5a54af

          SHA1

          b5f0be5247fd43d91f2c4a31f33838e1e45897ea

          SHA256

          e4a9972a9e6fc838035780b98512ce7578a29653ff7fb1dfe68be01857781a26

          SHA512

          06bba790e0cc7ec0ce7d9fdc89be88f4844bedef75d989538245293e02ab33308a32ade7d99252df624439a259ca6898febeb5d85c722e8675a72a3212917b83

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5h7y85m\imagestore.dat

          Filesize

          4KB

          MD5

          647a4bcad48060b8254aa4b3df798900

          SHA1

          8ebf5f4bf00ffbe4c1b0b9c63449a9988ef77b29

          SHA256

          39c5d30063702b31823934d6b4159b4b4aede035c15e23d5b7e1b3da5c800a20

          SHA512

          61eba849b4e68e2e95e8dd39ef233cdc91aa874dd426fb99a8a7307ef246774f26110271b60b531d431b393f37946f5101151c66565b63533bfe61fbeedaba24

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABGWT92S\hLRJ1GG_y0J[1].ico

          Filesize

          4KB

          MD5

          8cddca427dae9b925e73432f8733e05a

          SHA1

          1999a6f624a25cfd938eef6492d34fdc4f55dedc

          SHA256

          89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62

          SHA512

          20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

        • C:\Users\Admin\AppData\Local\Temp\3987.bat

          Filesize

          79B

          MD5

          403991c4d18ac84521ba17f264fa79f2

          SHA1

          850cc068de0963854b0fe8f485d951072474fd45

          SHA256

          ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

          SHA512

          a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

        • C:\Users\Admin\AppData\Local\Temp\Cab3E49.tmp

          Filesize

          61KB

          MD5

          f3441b8572aae8801c04f3060b550443

          SHA1

          4ef0a35436125d6821831ef36c28ffaf196cda15

          SHA256

          6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

          SHA512

          5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

        • C:\Users\Admin\AppData\Local\Temp\Tar3F08.tmp

          Filesize

          163KB

          MD5

          9441737383d21192400eca82fda910ec

          SHA1

          725e0d606a4fc9ba44aa8ffde65bed15e65367e4

          SHA256

          bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

          SHA512

          7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

        • memory/1260-5-0x0000000002D40000-0x0000000002D56000-memory.dmp

          Filesize

          88KB

        • memory/2300-0-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2300-3-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2300-4-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2300-6-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2300-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

          Filesize

          4KB

        • memory/2300-1-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB