Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25/09/2023, 01:19

General

  • Target

    d191d246491d447161ac8b6f2b3d810aa7e84ec6ab806c88419170911e4a3e5e.exe

  • Size

    270KB

  • MD5

    0836187b43b6c1ea91e145f4ba022157

  • SHA1

    7a23970a4288e7ae0ff544cd42f44eaf18587c82

  • SHA256

    d191d246491d447161ac8b6f2b3d810aa7e84ec6ab806c88419170911e4a3e5e

  • SHA512

    a02e1937d0e034ffab64d1de6cedd9e9b5df7ac40c181bf171de5e254f2c7b42bd5d37f284e2194fb084116292e8fb4f8eb02c7362f49f7689463dfe1d75a20b

  • SSDEEP

    6144:gRvhrJ+j+5j68KsT6h/OCy5U9uAOfALelHxqw6:gRpN+j+5+RsqGGuWLeew6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detected google phishing page
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d191d246491d447161ac8b6f2b3d810aa7e84ec6ab806c88419170911e4a3e5e.exe
    "C:\Users\Admin\AppData\Local\Temp\d191d246491d447161ac8b6f2b3d810aa7e84ec6ab806c88419170911e4a3e5e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:1980
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:5072
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 228
        2⤵
        • Program crash
        PID:892
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B5ED.bat" "
    1⤵
    • Checks computer location settings
    PID:3344
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4408
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4680
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1772
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:5084
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4412
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1324
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4136
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    PID:788
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4140
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:3100
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:3284

