Analysis Overview
SHA256
3fda0717577158ee8900f86e513ed75353c6318a406ac58c5d65b7879416c51c
Threat Level: Known bad
The file 14fc3f7aa86e6a1d3aa9f495f655bd3c.exe was found to be: Known bad.
Malicious Activity Summary
Danabot
SmokeLoader
Detects Smokeloader packer
Executes dropped EXE
Downloads MZ/PE file
Loads dropped DLL
Drops file in System32 directory
Program crash
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-18 07:46
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-18 07:46
Reported
2022-12-18 07:48
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Danabot
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65AF.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{15190547-C82C-4C57-A8D9-29F193681A82}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{09C66F6A-B48D-45F4-902E-BAFBBBB1022E}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\65AF.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3004 wrote to memory of 5048 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65AF.exe |
| PID 5048 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\65AF.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
"C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Users\Admin\AppData\Local\Temp\65AF.exe
C:\Users\Admin\AppData\Local\Temp\65AF.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5048 -ip 5048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 488
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | dowe.at | udp |
| N/A | 91.195.240.101:80 | dowe.at | tcp |
| N/A | 8.8.8.8:53 | xisac.com | udp |
| N/A | 123.140.161.243:80 | xisac.com | tcp |
| N/A | 149.3.170.140:80 | 149.3.170.140 | tcp |
Files
memory/1152-132-0x00000000004E2000-0x00000000004F3000-memory.dmp
memory/1152-133-0x00000000001F0000-0x00000000001F9000-memory.dmp
memory/1152-134-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1152-135-0x0000000000400000-0x0000000000460000-memory.dmp
memory/5048-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\65AF.exe
| MD5 | 0bb2b15ca73128dbc816ea4ed583119c |
| SHA1 | 17d05964d9208ca1a27fd007ad5f41752cfa893e |
| SHA256 | 295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8 |
| SHA512 | d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375 |
memory/5048-139-0x0000000000B4B000-0x0000000000D96000-memory.dmp
memory/5048-140-0x0000000002640000-0x00000000029C5000-memory.dmp
memory/5048-141-0x0000000000400000-0x0000000000791000-memory.dmp
memory/2068-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
| MD5 | 6b18b5240982a579febbbc5388999861 |
| SHA1 | 8d979e0591c95932c6d637723d8135756b545028 |
| SHA256 | d06be158ad31304b89a410ccb075eac7f2eb3877e96ffc9d5965ad8f251d7405 |
| SHA512 | 08f069a3f4b4b077e42234d70c5ee5134b8dacb5fb47e8f3d0d7607fde2eade51a2e71c0e4cd8c281cae31d6f88fe872063e004abd62d756e77a112ceefd11b7 |
memory/2068-145-0x0000000000400000-0x0000000000671000-memory.dmp
memory/5048-146-0x0000000000400000-0x0000000000791000-memory.dmp
memory/2068-147-0x0000000000400000-0x0000000000671000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-18 07:46
Reported
2022-12-18 07:48
Platform
win7-20221111-en
Max time kernel
150s
Max time network
33s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
"C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe"
Network
Files
memory/1336-54-0x00000000005F8000-0x0000000000609000-memory.dmp
memory/1336-55-0x0000000075E81000-0x0000000075E83000-memory.dmp
memory/1336-57-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1336-56-0x00000000005F8000-0x0000000000609000-memory.dmp
memory/1336-58-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1336-59-0x0000000000400000-0x0000000000460000-memory.dmp