Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64 arch:x86 image:win10-20230915-en locale:en-us os:windows10-1703-x64 system
  • submitted
    25/09/2023, 01:14

General

  • Target

    854ae58bef87dc1853ca7f6554e098d0781f858474f911b857749d6006559219.exe

  • Size

    270KB

  • MD5

    d8829d56fb8bdadfea4a3f2ed90a54e3

  • SHA1

    4e9ceaf5b1bed8e3d41385eefb76f419e8d7a0fe

  • SHA256

    854ae58bef87dc1853ca7f6554e098d0781f858474f911b857749d6006559219

  • SHA512

    9782dd018c0b36bbffd1d030237e8e41e6143ee2f86ebd7b01cd27a9859ed77cf23b46ade0e8f2feed685a49ca5c46e4c196798fae8b9e158b9ca9ab7d0044bf

  • SSDEEP

    6144:aRrhrJ+j+5j68KsT6h/OCy5U9uAO5ASqw6:aRVN+j+5+RsqGGu0fw6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detected google phishing page
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\854ae58bef87dc1853ca7f6554e098d0781f858474f911b857749d6006559219.exe
    "C:\Users\Admin\AppData\Local\Temp\854ae58bef87dc1853ca7f6554e098d0781f858474f911b857749d6006559219.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2340
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 212
      2⤵
      • Program crash
      PID:4652
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8335.bat" "
    1⤵
    • Checks computer location settings
    PID:4784
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4464
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:220
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4808
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4128
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:652
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:5048
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:3020
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2692
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4432
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:2920
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4460
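The process list above shows a chain worth turning into detection logic: a loader running from the user's Temp directory starts an argument-less copy of the .NET stub AppLaunch.exe (the SetThreadContext and WriteProcessMemory signatures on PID 1896 point at PID 2340 as the hollowed host), the loader then crashes and WerFault.exe is invoked with `-p 1896`, and cmd.exe runs a .bat dropped in Temp. The following is an added example and not part of this report or of any sandbox vendor's code: three rules run over constructed process-creation events that mirror the report's PIDs and command lines. The Sysmon-like field names, the parent PID of 0 for entries whose parent the report does not show, and the benign control events are assumptions.

```python
"""Detect the loader -> AppLaunch.exe -> WerFault / cmd .bat chain seen above.

Added example, not code from the report. Events are constructed from the
report's process list; field names loosely follow Sysmon Event ID 1.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not shown in the report (assumption)
    image: str
    cmdline: str


# Constructed from the report; the last three events are benign controls.
SAMPLE_EVENTS = [
    ProcEvent(1896, 0,
              r"C:\Users\Admin\AppData\Local\Temp\854ae58bef87dc1853ca7f6554e098d0781f858474f911b857749d6006559219.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\854ae58bef87dc1853ca7f6554e098d0781f858474f911b857749d6006559219.exe"'),
    ProcEvent(2340, 1896,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'),
    ProcEvent(4652, 1896,
              r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 212"),
    ProcEvent(4784, 0,
              r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8335.bat" "'),
    ProcEvent(5100, 0, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Tools\backup.bat"'),
    ProcEvent(5200, 0, r"C:\Program Files\Foo\foo.exe", r'"C:\Program Files\Foo\foo.exe"'),
    ProcEvent(5201, 5200, r"C:\Windows\System32\WerFault.exe",
              r"C:\Windows\System32\WerFault.exe -u -p 5200 -s 100"),
]

TEMP_DIR_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\', re.I)
APPLAUNCH_RE = re.compile(r'\\microsoft\.net\\framework(64)?\\v[\d.]+\\applaunch\.exe$', re.I)
CMD_BAT_RE = re.compile(
    r'\bcmd\.exe\b.*\s/c\s+"*([a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^"\s]+\.bat)', re.I)
WERFAULT_RE = re.compile(r'\\werfault\.exe\s.*-p\s+(\d+)', re.I)


def find_applaunch_hollow_host(events):
    """AppLaunch.exe with an empty command line, spawned by a Temp-resident
    parent: an empty .NET host is exactly what a hollowing loader wants."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not APPLAUNCH_RE.search(e.image):
            continue
        if e.cmdline.strip().strip('"').lower() != e.image.lower():
            continue  # has arguments; not the pattern seen here
        parent = by_pid.get(e.ppid)
        if parent is not None and TEMP_DIR_RE.match(parent.image):
            hits.append(("applaunch_hollow_host", e.pid, parent.pid))
    return hits


def find_cmd_runs_temp_bat(events):
    """cmd.exe /c executing a .bat from the user's Temp directory."""
    return [("cmd_runs_temp_bat", e.pid, m.group(1))
            for e in events if (m := CMD_BAT_RE.search(e.cmdline))]


def find_werfault_for_temp_exe(events):
    """WerFault.exe -p <pid> where <pid> is a process that ran from Temp.
    Weak alone (loaders crash a lot); useful as a correlating signal."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = WERFAULT_RE.search(e.cmdline)
        if not m:
            continue
        crashed = by_pid.get(int(m.group(1)))
        if crashed is not None and TEMP_DIR_RE.match(crashed.image):
            hits.append(("werfault_for_temp_exe", e.pid, crashed.pid))
    return hits


def run_rules(events):
    findings = []
    for rule in (find_applaunch_hollow_host, find_cmd_runs_temp_bat, find_werfault_for_temp_exe):
        findings.extend(rule(events))
    return findings


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it reports exactly the three malicious events (PIDs 2340, 4784 and 4652) and stays silent on the two controls. The AppLaunch rule is the one to alert on; the .bat and WerFault rules are better used to raise the score of an existing alert than as stand-alone detections.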

        Downloads

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\21IBGF3O\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\2IOD32C8\B8BxsscfVBr[1].ico

          Filesize

          1KB

          MD5

          e508eca3eafcc1fc2d7f19bafb29e06b

          SHA1

          a62fc3c2a027870d99aedc241e7d5babba9a891f

          SHA256

          e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a

          SHA512

          49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\6N7RW31A.cookie

          Filesize

          132B

          MD5

          ed94d72eeffee16ff27f24a0f985115a

          SHA1

          f96b372c4cc3a12b556dae1d3c426dd4681580ed

          SHA256

          03cc4e1bee491761085496226ac49e542140f5c30642f5afd1a1a911997f314b

          SHA512

          0b43723bbc82a27d143dfe64d69bcf6a9aff73eaac906e55311c3c0761de0d6272e578b73a59b0fa3fc1353776c80743a443827b44c5b1a751f1d8f182e3707d

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\VZATTOWY.cookie

          Filesize

          132B

          MD5

          89d2e2bfb6c4a51a8d9a17e904ec4c35

          SHA1

          758c3a0ab5c36cdcbaf5d1b38eb2da6d5b134102

          SHA256

          6e1719117304ef7eb2c91ccc1e85e1dd9bc55ed05a29aac65cc7da10273e79be

          SHA512

          2a0971a8a51451f5b3f9de5cb4968e25eeeb172e8fc0325d13497bd17ea483d244bf88e0104c7319c0bf4a2940cef1e82646000f13f65385cc8f681c43385b3f

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          1KB

          MD5

          b5eda74305a01c41450e0d12777199e1

          SHA1

          36162e9e8c3a69b237d317f7c300f11927a37c12

          SHA256

          6e5c17b2b4e22fa800baa0eaf0b76ce73005e463b915503e8bca92223b9cf594

          SHA512

          f96b2ea451f4ceef082e1289a7f1e160580f5a8d515eaf2b4df0d8d818c34355c17538806f873fba07118b5c937d8c3172721ee03e3d16126e07c0db5faf16f3

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

          Filesize

          724B

          MD5

          ac89a852c2aaa3d389b2d2dd312ad367

          SHA1

          8f421dd6493c61dbda6b839e2debb7b50a20c930

          SHA256

          0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

          SHA512

          c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

          Filesize

          471B

          MD5

          3b7403306365b481a905b872a4a8fe8d

          SHA1

          848d8b54a1b0fa0f473fe13bbabcb7872c0a6067

          SHA256

          f7ffcd2b2deb0aafb5ab3eca136e1bfa6560686bf31f6982afeb0535dfd70bd7

          SHA512

          bb40f31f256d4635c9ef00ef2eb7f6d959a262e55e8028d2d009073b74979900672073db15b2e3130b551dfe3b770863251940fa13c49375b8e18c5be24fb2a9

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          410B

          MD5

          79bbbb050c59e6e007488044dcc653ed

          SHA1

          5397e8ca39f781652b4c7da85c97c903e3daae49

          SHA256

          2df713cc320b9bd20b1b619043739047f1d5300618b59257949493ab33c9dd50

          SHA512

          9b4e5199ae69698b5f29d0176f1b2de71a4104e8e851ec5473b1f7616323d23adf1b827a69d69d4cccba3767fb5f68673483832951e5267d764dd67b33b5b4f0

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

          Filesize

          392B

          MD5

          df10f10769c613bec2b13e2ab4057c78

          SHA1

          986800279e8569a0dde58b7a7baec58a9eb7f28c

          SHA256

          eba8da4352637da0b7feebfac7fffc74f1a368b3ea28c2f46d516999c3582c2d

          SHA512

          8ba2fbdca430274043ce0d5ea436eed7ff5262cdca7d162327fc488605d85b77b0c37a2164534b67c6320a8af32037df5e0c045a3cfb760bd87176075c26f81d

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

          Filesize

          406B

          MD5

          441ee49a1d2933e20fb8e82cae94c1f5

          SHA1

          36e3ec5582daddaa828a0f7332f79b03ae236f46

          SHA256

          ad8507ffa3a97d8a41e098bd3b2c70138265bd6af020db46bfb50bf8cef01f36

          SHA512

          6a1361afeba02c71259251e27a909cff7fa160da57ccae2f73562fabf3e17defa859f9a7289c73966ce02bf322592255e70e6f3fa50eeb2738b9ab9d7c92148d

        • C:\Users\Admin\AppData\Local\Temp\8335.bat

          Filesize

          79B

          MD5

          403991c4d18ac84521ba17f264fa79f2

          SHA1

          850cc068de0963854b0fe8f485d951072474fd45

          SHA256

          ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

          SHA512

          a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

        • memory/652-206-0x0000019926EA0000-0x0000019926EC0000-memory.dmp

          Filesize

          128KB

        • memory/652-383-0x0000019927600000-0x0000019927700000-memory.dmp

          Filesize

          1024KB

        • memory/652-353-0x0000019928620000-0x0000019928622000-memory.dmp

          Filesize

          8KB

        • memory/652-355-0x0000019928640000-0x0000019928642000-memory.dmp

          Filesize

          8KB

        • memory/652-357-0x0000019928DC0000-0x0000019928DC2000-memory.dmp

          Filesize

          8KB

        • memory/652-359-0x0000019928DD0000-0x0000019928DD2000-memory.dmp

          Filesize

          8KB

        • memory/652-361-0x0000019928DE0000-0x0000019928DE2000-memory.dmp

          Filesize

          8KB

        • memory/652-344-0x0000019928610000-0x0000019928612000-memory.dmp

          Filesize

          8KB

        • memory/652-330-0x00000199281F0000-0x00000199281F2000-memory.dmp

          Filesize

          8KB

        • memory/652-338-0x0000019928680000-0x0000019928682000-memory.dmp

          Filesize

          8KB

        • memory/652-381-0x0000019928400000-0x0000019928402000-memory.dmp

          Filesize

          8KB

        • memory/652-423-0x0000019927800000-0x0000019927900000-memory.dmp

          Filesize

          1024KB

        • memory/652-388-0x0000019928420000-0x0000019928520000-memory.dmp

          Filesize

          1024KB

        • memory/2340-3-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2340-0-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2340-6-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2920-482-0x0000029811340000-0x0000029811342000-memory.dmp

          Filesize

          8KB

        • memory/2920-480-0x0000029811320000-0x0000029811322000-memory.dmp

          Filesize

          8KB

        • memory/2920-478-0x0000029811260000-0x0000029811262000-memory.dmp

          Filesize

          8KB

        • memory/2920-476-0x0000029811240000-0x0000029811242000-memory.dmp

          Filesize

          8KB

        • memory/3268-4-0x00000000001C0000-0x00000000001D6000-memory.dmp

          Filesize

          88KB

        • memory/4464-371-0x00000241DFAF0000-0x00000241DFAF1000-memory.dmp

          Filesize

          4KB

        • memory/4464-16-0x00000241D8D20000-0x00000241D8D30000-memory.dmp

          Filesize

          64KB

        • memory/4464-32-0x00000241D9300000-0x00000241D9310000-memory.dmp

          Filesize

          64KB

        • memory/4464-51-0x00000241D8EE0000-0x00000241D8EE2000-memory.dmp

          Filesize

          8KB

        • memory/4464-372-0x00000241E0300000-0x00000241E0301000-memory.dmp

          Filesize

          4KB

        • memory/5048-112-0x000001F237620000-0x000001F237720000-memory.dmp

          Filesize

          1024KB
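The memory-dump names above encode the PID, a sequence number and the region bounds, and an analyst normally cross-checks them against the listed sizes and the process list before pulling a region for unpacking. The script below is an added example and not tooling from the report: it parses a constructed subset of the names above, verifies end minus start against the printed Filesize, groups regions by PID, lists PIDs that have dumps but no entry in the process list (PID 3268 here), and marks regions that start at 0x00400000, the default image base of a 32-bit PE linked without a custom base. Reading the three identical 36KB regions at that address in AppLaunch.exe (PID 2340) as the hollowed-in payload is an analyst heuristic consistent with the SetThreadContext and WriteProcessMemory signatures, not something the report itself states.

```python
"""Cross-check sandbox memory-dump names against sizes and the process list.

Added example for this page, not tooling from the report. DUMP_RE matches the
pattern printed above: memory/<pid>-<seq>-<start>-<end>-memory.dmp
"""
from __future__ import annotations

import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+)(B|KB|MB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

# Default image base of a 32-bit PE. Flagging regions here is a heuristic
# for a mapped-in payload, not a fact the report asserts.
DEFAULT_IMAGE_BASE_32 = 0x00400000

# Constructed subset of the dump list above: (name, Filesize as printed).
SAMPLE_DUMPS = [
    ("memory/2340-0-0x0000000000400000-0x0000000000409000-memory.dmp", "36KB"),
    ("memory/2340-3-0x0000000000400000-0x0000000000409000-memory.dmp", "36KB"),
    ("memory/2340-6-0x0000000000400000-0x0000000000409000-memory.dmp", "36KB"),
    ("memory/3268-4-0x00000000001C0000-0x00000000001D6000-memory.dmp", "88KB"),
    ("memory/652-206-0x0000019926EA0000-0x0000019926EC0000-memory.dmp", "128KB"),
    ("memory/652-383-0x0000019927600000-0x0000019927700000-memory.dmp", "1024KB"),
    ("memory/4464-371-0x00000241DFAF0000-0x00000241DFAF1000-memory.dmp", "4KB"),
]

# PIDs present in the report's process list.
REPORT_PIDS = {1896, 2340, 4652, 4784, 4464, 220, 4808, 4128,
               652, 5048, 3020, 2692, 4432, 2920, 4460}


def parse_dump_name(name: str) -> dict:
    """Split one dump name into pid, sequence number, bounds and byte size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"inverted region in {name}")
    return {"name": name, "pid": int(m.group(1)), "seq": int(m.group(2)),
            "start": start, "end": end, "size": end - start}


def parse_size(text: str) -> int:
    """Turn the report's '36KB' style size into bytes."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unexpected size: {text}")
    return int(m.group(1)) * UNITS[m.group(2)]


def check_sizes(dumps) -> list[tuple[str, int, int, bool]]:
    """(name, computed bytes, listed bytes, match?) for every dump."""
    rows = []
    for name, listed in dumps:
        region = parse_dump_name(name)
        listed_bytes = parse_size(listed)
        rows.append((name, region["size"], listed_bytes, region["size"] == listed_bytes))
    return rows


def regions_by_pid(dumps) -> dict[int, list[dict]]:
    grouped = defaultdict(list)
    for name, _ in dumps:
        region = parse_dump_name(name)
        grouped[region["pid"]].append(region)
    return dict(grouped)


def unlisted_pids(dumps, known_pids) -> list[int]:
    """PIDs that have memory dumps but no entry in the process list."""
    return sorted(set(regions_by_pid(dumps)) - set(known_pids))


def default_base_regions(dumps) -> list[dict]:
    """Regions starting at the 32-bit default image base (heuristic)."""
    return [r for r, _ in ((parse_dump_name(n), s) for n, s in dumps)
            if r["start"] == DEFAULT_IMAGE_BASE_32]


if __name__ == "__main__":
    for name, computed, listed, ok in check_sizes(SAMPLE_DUMPS):
        print(f"{'OK ' if ok else 'BAD'} {name} computed={computed} listed={listed}")
    print("PIDs with dumps but no process entry:", unlisted_pids(SAMPLE_DUMPS, REPORT_PIDS))
    for r in default_base_regions(SAMPLE_DUMPS):
        print(f"pid {r['pid']} seq {r['seq']}: {r['size']} bytes at 0x{r['start']:08X}")
```

On the subset embedded here every listed size matches the region bounds, PID 3268 is the only PID with a dump but no process entry, and the only regions at the default image base are the three 36KB dumps of PID 2340. In a pipeline, feed the full dump list rather than this constructed subset.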