Analysis

  • max time kernel
    300s
  • max time network
    298s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25/09/2023, 01:40

General

  • Target

    a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe

  • Size

    239KB

  • MD5

    0348be358634721b3e45577d6af48f6e

  • SHA1

    bb5058816e30a198cfb2bee310ca9f2655bb67d5

  • SHA256

    a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165

  • SHA512

    8cfb271df4e42c9c71d853c9cadd04d594da5cad5b3ec01d8ba31ae2ea9e761a45a11629c42c023d8f1958cb0cac60db370bb49a7e5098b96ea27e8294f43820

  • SSDEEP

    6144:YP46fuYXChoQTjlFgLuCY1dRuAOmVGbKw8y0:YgYzXChdTbv1buEIKw8y

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32
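The C2 above is the one indicator a defender can operationalise straight out of this config. The Python below is an added example, not part of the Triage report, that matches it against proxy or Zeek-style HTTP records. The record layout, the field names and the sample log lines are constructed; the tolerance for an explicit :80, an upper-case host and extra path segments is an assumption about how different log sources may record the same request. It also separates a full host+path hit from other traffic to the C2 address, which a SOC would still want to see.

```python
"""Match this report's C2 against HTTP proxy / Zeek-style records.

Added example, not part of the Triage report. The indicator is the URL the
config block gives; the record layout, field names and log lines below are
constructed for the demonstration.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

C2_URL = "http://77.91.68.29/fks/"

# Zeek http.log-like columns (assumed layout, tab-separated).
FIELDS = ["ts", "id.orig_h", "id.resp_h", "id.resp_p", "method", "host", "uri"]

# Constructed sample records: two requests to the C2 path (one with an
# explicit :80 and a longer path), one to the C2 address only, two benign
# ones using RFC 5737 documentation addresses.
SAMPLE_LOG = "\n".join([
    "#fields\t" + "\t".join(FIELDS),
    "1695606012.1\t10.0.0.23\t77.91.68.29\t80\tPOST\t77.91.68.29\t/fks/",
    "1695606013.4\t10.0.0.23\t203.0.113.5\t443\tGET\twww.example.com\t/favicon.ico",
    "1695606020.9\t10.0.0.41\t77.91.68.29\t80\tPOST\t77.91.68.29:80\t/fks/index.php",
    "1695606031.0\t10.0.0.41\t77.91.68.29\t80\tGET\t77.91.68.29\t/",
    "1695606040.2\t10.0.0.57\t198.51.100.7\t80\tGET\tcdn.example.net\t/fks/",
])


def normalise(url: str) -> Tuple[str, str]:
    """Return (host, path): lower-case host, default port dropped, '' -> '/'."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if port is not None and port != default:
        host = f"{host}:{port}"
    return host, (parts.path or "/")


C2_HOST, C2_PATH = normalise(C2_URL)


def is_c2(url: str) -> bool:
    """True for the C2 path itself or anything beneath it on the C2 host."""
    host, path = normalise(url)
    return host == C2_HOST and path.startswith(C2_PATH)


def parse(log_text: str) -> List[Dict[str, str]]:
    """Tab-separated records into dicts; comment/header lines are skipped."""
    records = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) == len(FIELDS):
            records.append(dict(zip(FIELDS, values)))
    return records


def classify(rec: Dict[str, str]) -> Optional[str]:
    """'c2-url' for host+path hits, 'c2-host' for other traffic to the C2 address."""
    url = f"http://{rec['host']}{rec['uri']}"
    if is_c2(url):
        return "c2-url"
    if normalise(url)[0] == C2_HOST or rec["id.resp_h"] == C2_HOST:
        return "c2-host"
    return None


def find_c2_traffic(log_text: str) -> List[Tuple[str, str, str]]:
    """(ts, source address, verdict) for every record that touches the C2."""
    hits = []
    for rec in parse(log_text):
        verdict = classify(rec)
        if verdict:
            hits.append((rec["ts"], rec["id.orig_h"], verdict))
    return hits


if __name__ == "__main__":
    for ts, src, verdict in find_c2_traffic(SAMPLE_LOG):
        print(f"{ts} {src} {verdict}")
```

Matching on the destination address as well as the Host header matters because a beacon sent to a bare IP may be logged with an empty or placeholder Host field; a host-only hit is lower confidence than the full path match, so the two verdicts are kept distinct.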

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe
    "C:\Users\Admin\AppData\Local\Temp\a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2816
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 232
      2⤵
      • Program crash
      PID:4860
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E181.bat" "
    1⤵
    • Checks computer location settings
    PID:604
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3672
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:3944
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4768
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4528
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1500
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:60
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:304
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1272
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:228
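The tree above shows the submitted binary starting AppLaunch.exe with no arguments and then using SetThreadContext and WriteProcessMemory against it while the child maps sections (the 36KB image at 0x400000 in PID 2816 appears in the memory dumps listed later), and separately cmd.exe running a .bat out of the user's Temp directory. As an added example, not Triage's own detection logic, the Python below turns those two shapes into rules over Sysmon-style process-creation events. The event field names (ProcessId, Image, CommandLine, ParentImage), the generalisation to any drive letter, user name and Framework/Framework64 version, and the benign control event are assumptions and constructed data.

```python
"""Two process-creation rules drawn from the tree above.

Added example, not Triage's own detection logic. Events are constructed
Sysmon-style dicts; the field names (ProcessId, Image, CommandLine,
ParentImage) and the generalisation of the paths are assumptions.
"""
import re
from typing import Any, Dict, Iterable, List

# Path shapes from the report, generalised to any drive, user and
# Framework/Framework64 version (assumption).
USER_TEMP = r"[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\"
TEMP_PARENT_RE = re.compile(rf"^{USER_TEMP}[^\\]+\.exe$", re.IGNORECASE)
APPLAUNCH_RE = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(?:64)?\\v[0-9.]+\\applaunch\.exe$",
    re.IGNORECASE,
)
CMD_RE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\cmd\.exe$", re.IGNORECASE)
# The report's cmd line is  /c ""C:\...\Temp\E181.bat" "  (doubled quotes),
# so accept any run of quotes before the path.
TEMP_BAT_RE = re.compile(rf'/c\s+"*({USER_TEMP}[^"\s]+\.bat)', re.IGNORECASE)


def arguments_after_program(cmdline: str) -> str:
    """Everything after the program token of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def evaluate(event: Dict[str, Any]) -> List[str]:
    """Names of the rules that fire for one process-creation event."""
    image = event.get("Image") or ""
    cmdline = event.get("CommandLine") or ""
    parent = event.get("ParentImage") or ""
    hits: List[str] = []

    # R1: AppLaunch.exe is a .NET host that is normally handed an argument
    # list; a bare launch by a Temp-resident parent is the shape above
    # (SetThreadContext + WriteProcessMemory in the parent, MapViewOfSection
    # in the child). Both conditions are required to keep the rule quiet.
    if (APPLAUNCH_RE.match(image) and TEMP_PARENT_RE.match(parent)
            and arguments_after_program(cmdline) == ""):
        hits.append("R1-applaunch-hollow-host")

    # R2: cmd.exe /c running a .bat that lives in a user's Temp directory.
    if CMD_RE.match(image) and TEMP_BAT_RE.search(cmdline):
        hits.append("R2-cmd-temp-bat")
    return hits


def scan(events: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Alerts (rule, pid, image, parent) for a stream of events."""
    alerts = []
    for ev in events:
        for rule in evaluate(ev):
            alerts.append({"rule": rule, "pid": str(ev.get("ProcessId", "")),
                           "image": ev.get("Image") or "",
                           "parent": ev.get("ParentImage") or ""})
    return alerts


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "a5fd5752cd14b2246c0de419a27c070b4546b8eb61a06da3c1e685934f353165.exe")
APPLAUNCH = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

# Constructed events mirroring the tree above. The report does not show the
# parent of the sample or of cmd.exe, so those fields are left empty.
EVENTS = [
    {"ProcessId": 1388, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"', "ParentImage": None},
    {"ProcessId": 2816, "Image": APPLAUNCH, "CommandLine": f'"{APPLAUNCH}"', "ParentImage": SAMPLE},
    {"ProcessId": 4860, "Image": "C:\\Windows\\SysWOW64\\WerFault.exe",
     "CommandLine": "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 1388 -s 232", "ParentImage": SAMPLE},
    {"ProcessId": 604, "Image": "C:\\Windows\\system32\\cmd.exe",
     "CommandLine": 'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\E181.bat" "',
     "ParentImage": None},
    # Constructed benign control: AppLaunch.exe with arguments from a parent
    # outside Temp must not fire R1.
    {"ProcessId": 9001, "Image": APPLAUNCH,
     "CommandLine": f'"{APPLAUNCH}" C:\\ProgramData\\Contoso\\app.application',
     "ParentImage": "C:\\Program Files\\Contoso\\Launcher.exe"},
]

if __name__ == "__main__":
    for a in scan(EVENTS):
        print(a["rule"], a["pid"], a["image"])
```

R1 deliberately requires both the argument-less launch and the Temp-resident parent; dropping either condition widens it to legitimate ClickOnce activity, which is the trade-off to weigh before shipping it against real telemetry.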

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PZQ0K35H\edgecompatviewlist[1].xml

          Filesize

          74KB

          MD5

          d4fc49dc14f63895d997fa4940f24378

          SHA1

          3efb1437a7c5e46034147cbbc8db017c69d02c31

          SHA256

          853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

          SHA512

          cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\JXHZHEFU\B8BxsscfVBr[1].ico

          Filesize

          1KB

          MD5

          e508eca3eafcc1fc2d7f19bafb29e06b

          SHA1

          a62fc3c2a027870d99aedc241e7d5babba9a891f

          SHA256

          e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a

          SHA512

          49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\Z9HB2EZ0\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          4KB

          MD5

          24be8a92460b5b7a555b1da559296958

          SHA1

          94147054e8a04e82fea1c185af30c7c90b194064

          SHA256

          77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3

          SHA512

          ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          4KB

          MD5

          24be8a92460b5b7a555b1da559296958

          SHA1

          94147054e8a04e82fea1c185af30c7c90b194064

          SHA256

          77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3

          SHA512

          ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          342B

          MD5

          ad2098070658e513447ba3199d6128a7

          SHA1

          636a73a4583416d4e3347ee90d578dcd087dd76f

          SHA256

          6952370cdad7e6e2c26e51d3059f3d60518d629fb0d303a70c8a56ea91be837e

          SHA512

          4b8e8053f3f8658bdf2aa59c1637e305c524067595e35e9238e8fe62f5e41454f25e5bf20c525cf12e05d2928e66b58b30ad29e44dc92f8ee3e2f1895b8ac5eb

        • C:\Users\Admin\AppData\Local\Temp\E181.bat

          Filesize

          79B

          MD5

          403991c4d18ac84521ba17f264fa79f2

          SHA1

          850cc068de0963854b0fe8f485d951072474fd45

          SHA256

          ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

          SHA512

          a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

        • memory/1500-214-0x0000020AF2390000-0x0000020AF23B0000-memory.dmp

          Filesize

          128KB

        • memory/1500-370-0x0000020AF52F0000-0x0000020AF52F2000-memory.dmp

          Filesize

          8KB

        • memory/1500-457-0x0000020AF0AC0000-0x0000020AF0AD0000-memory.dmp

          Filesize

          64KB

        • memory/1500-168-0x0000020AF1F60000-0x0000020AF1F62000-memory.dmp

          Filesize

          8KB

        • memory/1500-174-0x0000020AF2100000-0x0000020AF2102000-memory.dmp

          Filesize

          8KB

        • memory/1500-181-0x0000020AF2120000-0x0000020AF2122000-memory.dmp

          Filesize

          8KB

        • memory/1500-185-0x0000020AF2140000-0x0000020AF2142000-memory.dmp

          Filesize

          8KB

        • memory/1500-188-0x0000020AF29E0000-0x0000020AF29E2000-memory.dmp

          Filesize

          8KB

        • memory/1500-191-0x0000020AF2DE0000-0x0000020AF2DE2000-memory.dmp

          Filesize

          8KB

        • memory/1500-194-0x0000020AF35B0000-0x0000020AF35B2000-memory.dmp

          Filesize

          8KB

        • memory/1500-205-0x0000020AF1000000-0x0000020AF1100000-memory.dmp

          Filesize

          1024KB

        • memory/1500-456-0x0000020AF0AC0000-0x0000020AF0AD0000-memory.dmp

          Filesize

          64KB

        • memory/1500-315-0x0000020AF3E20000-0x0000020AF3E22000-memory.dmp

          Filesize

          8KB

        • memory/1500-455-0x0000020AF0AC0000-0x0000020AF0AD0000-memory.dmp

          Filesize

          64KB

        • memory/1500-365-0x0000020AF37D0000-0x0000020AF37D2000-memory.dmp

          Filesize

          8KB

        • memory/1500-454-0x0000020AF0AC0000-0x0000020AF0AD0000-memory.dmp

          Filesize

          64KB

        • memory/1500-375-0x0000020AF5310000-0x0000020AF5312000-memory.dmp

          Filesize

          8KB

        • memory/1500-379-0x0000020AF5320000-0x0000020AF5322000-memory.dmp

          Filesize

          8KB

        • memory/1500-383-0x0000020AF5330000-0x0000020AF5332000-memory.dmp

          Filesize

          8KB

        • memory/1500-390-0x0000020AF5340000-0x0000020AF5342000-memory.dmp

          Filesize

          8KB

        • memory/1500-397-0x0000020AF1000000-0x0000020AF1100000-memory.dmp

          Filesize

          1024KB

        • memory/1500-445-0x0000020AF1790000-0x0000020AF1890000-memory.dmp

          Filesize

          1024KB

        • memory/1500-399-0x0000020AF4600000-0x0000020AF4700000-memory.dmp

          Filesize

          1024KB

        • memory/2816-5-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2816-0-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2816-3-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/3232-4-0x0000000000810000-0x0000000000826000-memory.dmp

          Filesize

          88KB

        • memory/3672-400-0x00000184686C0000-0x00000184686C1000-memory.dmp

          Filesize

          4KB

        • memory/3672-395-0x00000184686B0000-0x00000184686B1000-memory.dmp

          Filesize

          4KB

        • memory/3672-53-0x00000184620A0000-0x00000184620A2000-memory.dmp

          Filesize

          8KB

        • memory/3672-18-0x0000018461B00000-0x0000018461B10000-memory.dmp

          Filesize

          64KB

        • memory/3672-34-0x0000018462640000-0x0000018462650000-memory.dmp

          Filesize

          64KB