Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25/09/2023, 01:40

General

  • Target

    8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe

  • Size

    270KB

  • MD5

    3df2709ef694ba38a66b20cbe634510b

  • SHA1

    db47729b37a425900d1432e34c810508ce14a85c

  • SHA256

    8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab

  • SHA512

    43d47b3c6da393aae286b656ec7d64d708eeaf476bdf446850908b96d8388d4040e1f0de6123aba827b9389306beae7b441cd0dd5edf109ef6fd96737f888a1d

  • SSDEEP

    6144:lR0hrJ+j+5j68KsT6h/OCy5U9uAOkAZP0iuqw6:lRaN+j+5+RsqGGu7ZMyw6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Signatures

  • Detected google phishing page
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe
    "C:\Users\Admin\AppData\Local\Temp\8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      PID:3840
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2988
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 244
        2⤵
        • Program crash
        PID:3308
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\83E1.bat" "
      1⤵
      • Checks computer location settings
      PID:1168
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2292
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:5052
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4808
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:312
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:2160
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:820
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4264
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:2316
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4484
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4764
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:2344

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\7NWOFWY5\suggestions[1].en-US

            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\U3MZA09I\B8BxsscfVBr[1].ico

            Filesize

            1KB

            MD5

            e508eca3eafcc1fc2d7f19bafb29e06b

            SHA1

            a62fc3c2a027870d99aedc241e7d5babba9a891f

            SHA256

            e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a

            SHA512

            49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\2KBPVWUK.cookie

            Filesize

            130B

            MD5

            fd32fed4987adfafcd79b4a019b80168

            SHA1

            2891cadbb67b8f6d4a2092a5f2de764f7c5935c6

            SHA256

            bffa7eab2316a59483510171569e9910dbf8aed862cd8fc69f78a88764e9ffe8

            SHA512

            c4edc15a3581fefe2a891993d6c2916d126cd57a0bd06e63d7e772ad67679213623ba1b8c6ee14780f4759de8821593e58ac00d5a7f2b0c9387abcbd3ab3a5af

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\5S3A8ZDX.cookie

            Filesize

            130B

            MD5

            50d52df330ee0adbfab01e301dba8fc1

            SHA1

            1ec5c3a78c93e792fef49e918ed3cfc385ce40c7

            SHA256

            fa53c0797af5873d89e4146155a4eafd6deda616612a4f30bc44d8ec0b06c4c3

            SHA512

            6d150735bb04c6739491144a27eb3fa245eb97f76969e198a2f79c7dfd00e2f7515618c63aa01bb5f5029e566aabed05159b98dd49b22674c142e375b054787d

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

            Filesize

            1KB

            MD5

            b5eda74305a01c41450e0d12777199e1

            SHA1

            36162e9e8c3a69b237d317f7c300f11927a37c12

            SHA256

            6e5c17b2b4e22fa800baa0eaf0b76ce73005e463b915503e8bca92223b9cf594

            SHA512

            f96b2ea451f4ceef082e1289a7f1e160580f5a8d515eaf2b4df0d8d818c34355c17538806f873fba07118b5c937d8c3172721ee03e3d16126e07c0db5faf16f3

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

            Filesize

            724B

            MD5

            ac89a852c2aaa3d389b2d2dd312ad367

            SHA1

            8f421dd6493c61dbda6b839e2debb7b50a20c930

            SHA256

            0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

            SHA512

            c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

            Filesize

            471B

            MD5

            3b7403306365b481a905b872a4a8fe8d

            SHA1

            848d8b54a1b0fa0f473fe13bbabcb7872c0a6067

            SHA256

            f7ffcd2b2deb0aafb5ab3eca136e1bfa6560686bf31f6982afeb0535dfd70bd7

            SHA512

            bb40f31f256d4635c9ef00ef2eb7f6d959a262e55e8028d2d009073b74979900672073db15b2e3130b551dfe3b770863251940fa13c49375b8e18c5be24fb2a9

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

            Filesize

            410B

            MD5

            bddb3c4cd657f29bb35c63a9cc896dfc

            SHA1

            fa2605654adfe12a6195e8a589a0309cfdeeaa82

            SHA256

            04dbcf6fb16c7a34de722e51222e5227fe324de581a38d30bc61da76c8aaa5cf

            SHA512

            65f4db2791cbbeb2c607eb1d4eed7d291341a2ee0e6658b332c2416e99233cffd9562417e257eefe0ad91c9b2b6deddffb1c72855529ef6bfef89742fa4c4769

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

            Filesize

            392B

            MD5

            e557c5bdc02d0c3699b7943b4fd53460

            SHA1

            d2dfa72af80250d9e312a96ca53b855aff8785ac

            SHA256

            434e36422c5d33e3cde4fe8599e60f4db29ae430b90976870177564de2abb017

            SHA512

            a3cbc1bb673dc9696feafa0320e9d35c3f3322708b4210fde0f8303ccccaf094bf254ed4d7e3e947dd4b83889dc418e1c38a1cd377725bce337ce73ea98c693d

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

            Filesize

            406B

            MD5

            a787d148cf11e9d70cdad0316970f99f

            SHA1

            0875be40e461f60b404ff832e6ce7c221bbe3f32

            SHA256

            401c49863cae33c28efeced1d16553aa70ac411a6b7e6feca3bfc71996204f72

            SHA512

            3713935320b8d7c3fa7b1da88dd50e18520483914a43cf373591b949e76f432acada0e1afcacf38dc8c0a07899f32b8c407f1d9fb64cd3da70d8c7b918dffa6f

          • C:\Users\Admin\AppData\Local\Temp\83E1.bat

            Filesize

            79B

            MD5

            403991c4d18ac84521ba17f264fa79f2

            SHA1

            850cc068de0963854b0fe8f485d951072474fd45

            SHA256

            ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

            SHA512

            a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

          • memory/820-147-0x000001C2F8660000-0x000001C2F8680000-memory.dmp

            Filesize

            128KB

          • memory/820-141-0x000001C2F8440000-0x000001C2F8540000-memory.dmp

            Filesize

            1024KB

          • memory/2160-184-0x0000029ED9500000-0x0000029ED9600000-memory.dmp

            Filesize

            1024KB

          • memory/2160-395-0x0000029EEBD00000-0x0000029EEBE00000-memory.dmp

            Filesize

            1024KB

          • memory/2160-205-0x0000029EEA720000-0x0000029EEA740000-memory.dmp

            Filesize

            128KB

          • memory/2160-288-0x0000029EEB100000-0x0000029EEB200000-memory.dmp

            Filesize

            1024KB

          • memory/2160-349-0x0000029EEA490000-0x0000029EEA492000-memory.dmp

            Filesize

            8KB

          • memory/2160-338-0x0000029EEA430000-0x0000029EEA432000-memory.dmp

            Filesize

            8KB

          • memory/2160-359-0x0000029EEA4B0000-0x0000029EEA4B2000-memory.dmp

            Filesize

            8KB

          • memory/2160-364-0x0000029EEADE0000-0x0000029EEADE2000-memory.dmp

            Filesize

            8KB

          • memory/2160-366-0x0000029EEADF0000-0x0000029EEADF2000-memory.dmp

            Filesize

            8KB

          • memory/2160-368-0x0000029EEBFE0000-0x0000029EEBFE2000-memory.dmp

            Filesize

            8KB

          • memory/2160-370-0x0000029EEC2E0000-0x0000029EEC2E2000-memory.dmp

            Filesize

            8KB

          • memory/2160-372-0x0000029EEC750000-0x0000029EEC752000-memory.dmp

            Filesize

            8KB

          • memory/2160-374-0x0000029EEC760000-0x0000029EEC762000-memory.dmp

            Filesize

            8KB

          • memory/2160-379-0x0000029ED8DA0000-0x0000029ED8DC0000-memory.dmp

            Filesize

            128KB

          • memory/2160-381-0x0000029EEB100000-0x0000029EEB200000-memory.dmp

            Filesize

            1024KB

          • memory/2160-343-0x0000029EEBAE0000-0x0000029EEBBE0000-memory.dmp

            Filesize

            1024KB

          • memory/2292-16-0x0000021A89B20000-0x0000021A89B30000-memory.dmp

            Filesize

            64KB

          • memory/2292-346-0x0000021A90350000-0x0000021A90351000-memory.dmp

            Filesize

            4KB

          • memory/2292-348-0x0000021A90360000-0x0000021A90361000-memory.dmp

            Filesize

            4KB

          • memory/2292-51-0x0000021A8E410000-0x0000021A8E412000-memory.dmp

            Filesize

            8KB

          • memory/2292-32-0x0000021A89D20000-0x0000021A89D30000-memory.dmp

            Filesize

            64KB

          • memory/2316-467-0x00000279228C0000-0x00000279228C2000-memory.dmp

            Filesize

            8KB

          • memory/2316-469-0x00000279228E0000-0x00000279228E2000-memory.dmp

            Filesize

            8KB

          • memory/2316-471-0x0000027922AA0000-0x0000027922AA2000-memory.dmp

            Filesize

            8KB

          • memory/2316-473-0x0000027922AC0000-0x0000027922AC2000-memory.dmp

            Filesize

            8KB

          • memory/2988-6-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

          • memory/2988-0-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

          • memory/2988-3-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

          • memory/3248-4-0x0000000000A70000-0x0000000000A86000-memory.dmp

            Filesize

            88KB