Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25/09/2023, 01:09

General

  • Target

    e964fd30675cf0e0666166c68f54a4e8708c52e2513efab945a8085d68ae3d5d.exe

  • Size

    270KB

  • MD5

    7838fd0e9cd9fe1de44722a2e1e31a85

  • SHA1

    53179a8d88bb0596b1dc54d5332cf9aa238b0dee

  • SHA256

    e964fd30675cf0e0666166c68f54a4e8708c52e2513efab945a8085d68ae3d5d

  • SHA512

    0b6aadf703e4dd449d45066e03f62cbc789aa69fa078e6f381b9af12c414136fb54146a13398b2c02668da8e86ac0a4fc36894f569b9c92dc3b09061361aa2a9

  • SSDEEP

    6144:kRdhrJ+j+5j68KsT6h/OCy5U9uAOPAt4qw6:kRzN+j+5+RsqGGuqTw6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detected google phishing page
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e964fd30675cf0e0666166c68f54a4e8708c52e2513efab945a8085d68ae3d5d.exe
    "C:\Users\Admin\AppData\Local\Temp\e964fd30675cf0e0666166c68f54a4e8708c52e2513efab945a8085d68ae3d5d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4764
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 212
      2⤵
      • Program crash
      PID:4468
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B3EA.bat" "
    1⤵
    • Checks computer location settings
    PID:4632
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3320
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4180
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4956
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2168
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4132
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:596
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:3724
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:2408
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:304
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:624
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    PID:4496

Network

MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DXFPCU0G\edgecompatviewlist[1].xml

            Filesize

            74KB

            MD5

            d4fc49dc14f63895d997fa4940f24378

            SHA1

            3efb1437a7c5e46034147cbbc8db017c69d02c31

            SHA256

            853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

            SHA512

            cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\M1X5SGUC\B8BxsscfVBr[1].ico

            Filesize

            1KB

            MD5

            e508eca3eafcc1fc2d7f19bafb29e06b

            SHA1

            a62fc3c2a027870d99aedc241e7d5babba9a891f

            SHA256

            e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a

            SHA512

            49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\Q5UV0HZQ\suggestions[1].en-US

            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\P2I9CKWX.cookie

            Filesize

            130B

            MD5

            045e2b9eb0c69dff01ce3aff5f6652f2

            SHA1

            b5244d7e1b662992e179415c0305a22291562273

            SHA256

            8fa94838c6d0a7b9cfd7da6a932581dc5f2c0915edec8a42bd5a8ceb2fd00804

            SHA512

            6328fcec278045f2fd05c424c88cb76a93718ed31c9190337d9c7309c4be1e10e4e41619f5add79340058aeef50b400368fa1086d71896844e9de339363f1fb5

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\SDD7J7C1.cookie

            Filesize

            130B

            MD5

            b7c5b65d9cfa1a4d19b597320b429387

            SHA1

            c17f95241c2634a86c5adc59b7f6a06026e398ea

            SHA256

            0ef5d8f8324b8399e538cb1653acdc429accb1933f5c35f4be91928070b93048

            SHA512

            834676a2b6fac0bee10738efe5b88f18c5d48254801f43d5774fcc5965400300f7099341d6cbf558905fbca43706dd853d88c4e888e893f9546b6ad7d18b16cf

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

            Filesize

            1KB

            MD5

            b5eda74305a01c41450e0d12777199e1

            SHA1

            36162e9e8c3a69b237d317f7c300f11927a37c12

            SHA256

            6e5c17b2b4e22fa800baa0eaf0b76ce73005e463b915503e8bca92223b9cf594

            SHA512

            f96b2ea451f4ceef082e1289a7f1e160580f5a8d515eaf2b4df0d8d818c34355c17538806f873fba07118b5c937d8c3172721ee03e3d16126e07c0db5faf16f3

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

            Filesize

            724B

            MD5

            ac89a852c2aaa3d389b2d2dd312ad367

            SHA1

            8f421dd6493c61dbda6b839e2debb7b50a20c930

            SHA256

            0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

            SHA512

            c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

            Filesize

            471B

            MD5

            3b7403306365b481a905b872a4a8fe8d

            SHA1

            848d8b54a1b0fa0f473fe13bbabcb7872c0a6067

            SHA256

            f7ffcd2b2deb0aafb5ab3eca136e1bfa6560686bf31f6982afeb0535dfd70bd7

            SHA512

            bb40f31f256d4635c9ef00ef2eb7f6d959a262e55e8028d2d009073b74979900672073db15b2e3130b551dfe3b770863251940fa13c49375b8e18c5be24fb2a9

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

            Filesize

            410B

            MD5

            e8f23dda192d2fe86c98f143f35f53ea

            SHA1

            72f3500574c1a40e62a53c6f669fa82d76ecc2a6

            SHA256

            becae8287e952e3c56a364410516222bdddce38056c1e5a3432ccb2e42806204

            SHA512

            d438dafc8bf457de71eb1836325d347022ef81d1aa699bcb65bdf36ec419e3f113624e5b58cadc084fc8d8675986e31578a915a25a5b56e265262aab56848433

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

            Filesize

            392B

            MD5

            90be2b3ce2eb3fb8231ab668897eb462

            SHA1

            69c17a7a09175a27eb494cbe03ee0e13510b78a3

            SHA256

            fccb9e08e0a57132baaf0122fc47a78170f5e989c40e2da75a261f29849f5d6a

            SHA512

            a4023852ba779d502c5bcd17b407a53584061c10ea88a270a94cc156eb2e5effeb37e725ac7c630e8d07cb607c91d12ec002c2fea7440876c4acefae534a051e

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

            Filesize

            406B

            MD5

            c85677c9543b0f4ce036b169240ae3a0

            SHA1

            8b1f629d1dc90110ee6e39829435e2f40fdc3ad0

            SHA256

            35263c0724a111527b924f3119797ecbc75ac24470347ab0b6ba87a4977ec9d7

            SHA512

            1a29e996628e12f7fc693f1f0137fc3391471079ae87df3dcdcd863f77c626f674428574de89f77996e7aa10f9e30332343d8a7133c4b2a5b3f545e0ea3414da

          • C:\Users\Admin\AppData\Local\Temp\B3EA.bat

            Filesize

            79B

            MD5

            403991c4d18ac84521ba17f264fa79f2

            SHA1

            850cc068de0963854b0fe8f485d951072474fd45

            SHA256

            ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

            SHA512

            a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

          • memory/596-97-0x000002A5E6A60000-0x000002A5E6A80000-memory.dmp

            Filesize

            128KB

          • memory/2408-481-0x000002BACFB10000-0x000002BACFB12000-memory.dmp

            Filesize

            8KB

          • memory/2408-484-0x000002BACFB30000-0x000002BACFB32000-memory.dmp

            Filesize

            8KB

          • memory/2408-486-0x000002BACFB50000-0x000002BACFB52000-memory.dmp

            Filesize

            8KB

          • memory/2408-492-0x000002BAE0630000-0x000002BAE0632000-memory.dmp

            Filesize

            8KB

          • memory/3268-4-0x0000000002DF0000-0x0000000002E06000-memory.dmp

            Filesize

            88KB

          • memory/3320-377-0x000001F730A90000-0x000001F730A91000-memory.dmp

            Filesize

            4KB

          • memory/3320-378-0x000001F730AA0000-0x000001F730AA1000-memory.dmp

            Filesize

            4KB

          • memory/3320-16-0x000001F729A20000-0x000001F729A30000-memory.dmp

            Filesize

            64KB

          • memory/3320-32-0x000001F72A000000-0x000001F72A010000-memory.dmp

            Filesize

            64KB

          • memory/3320-51-0x000001F729E40000-0x000001F729E42000-memory.dmp

            Filesize

            8KB

          • memory/4132-428-0x000001F377360000-0x000001F377460000-memory.dmp

            Filesize

            1024KB

          • memory/4132-344-0x000001F37A780000-0x000001F37A782000-memory.dmp

            Filesize

            8KB

          • memory/4132-363-0x000001F37B570000-0x000001F37B572000-memory.dmp

            Filesize

            8KB

          • memory/4132-359-0x000001F37B560000-0x000001F37B562000-memory.dmp

            Filesize

            8KB

          • memory/4132-356-0x000001F37B550000-0x000001F37B552000-memory.dmp

            Filesize

            8KB

          • memory/4132-349-0x000001F37A7D0000-0x000001F37A7D2000-memory.dmp

            Filesize

            8KB

          • memory/4132-352-0x000001F37A7F0000-0x000001F37A7F2000-memory.dmp

            Filesize

            8KB

          • memory/4132-393-0x000001F379500000-0x000001F379600000-memory.dmp

            Filesize

            1024KB

          • memory/4132-336-0x000001F37AE10000-0x000001F37AE12000-memory.dmp

            Filesize

            8KB

          • memory/4132-331-0x000001F37ADD0000-0x000001F37ADD2000-memory.dmp

            Filesize

            8KB

          • memory/4132-212-0x000001F379090000-0x000001F3790B0000-memory.dmp

            Filesize

            128KB

          • memory/4132-390-0x000001F37A100000-0x000001F37A200000-memory.dmp

            Filesize

            1024KB

          • memory/4132-386-0x000001F378E10000-0x000001F378E12000-memory.dmp

            Filesize

            8KB

          • memory/4764-0-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

          • memory/4764-5-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

          • memory/4764-3-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB