Analysis Overview
SHA256
a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581
Threat Level: Known bad
The file a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581 was found to be: Known bad.
Malicious Activity Summary
Detects Smokeloader packer
SmokeLoader
SystemBC
Executes dropped EXE
Downloads MZ/PE file
Deletes itself
Drops file in Windows directory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-20 13:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-20 13:55
Reported
2022-12-20 13:58
Platform
win10-20220812-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
SystemBC
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F9.exe | N/A |
| N/A | N/A | C:\ProgramData\tlrlj\wpxpdt.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\wpxpdt.job | C:\Users\Admin\AppData\Local\Temp\2F9.exe | N/A |
| File opened for modification | C:\Windows\Tasks\wpxpdt.job | C:\Users\Admin\AppData\Local\Temp\2F9.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3104 wrote to memory of 4464 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F9.exe |
| PID 3104 wrote to memory of 4464 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F9.exe |
| PID 3104 wrote to memory of 4464 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F9.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe
"C:\Users\Admin\AppData\Local\Temp\a2a56847c92e2742c52820dd151144878df54d947725c737e94332857b88c581.exe"
C:\Users\Admin\AppData\Local\Temp\2F9.exe
C:\Users\Admin\AppData\Local\Temp\2F9.exe
C:\ProgramData\tlrlj\wpxpdt.exe
C:\ProgramData\tlrlj\wpxpdt.exe start
Network
| Country | Destination | Domain | Proto |
| N/A | 168.63.250.82:80 | | tcp |
| N/A | 8.8.8.8:53 | dowe.at | udp |
| N/A | 91.195.240.101:80 | dowe.at | tcp |
| N/A | 8.8.8.8:53 | xisac.com | udp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 222.236.49.124:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 45.141.58.129:80 | | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 222.236.49.124:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 8.8.8.8:53 | bitleague.live | udp |
| N/A | 198.38.91.55:443 | bitleague.live | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 187.232.152.147:80 | xisac.com | tcp |
| N/A | 109.205.214.18:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\2F9.exe
| MD5 | cdc67700f25eaed1417264c4bdec03d3 |
| SHA1 | 56639e9414e6ee8394d940d62778475ddf071290 |
| SHA256 | fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100 |
| SHA512 | a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038 |
C:\ProgramData\tlrlj\wpxpdt.exe
| MD5 | cdc67700f25eaed1417264c4bdec03d3 |
| SHA1 | 56639e9414e6ee8394d940d62778475ddf071290 |
| SHA256 | fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100 |
| SHA512 | a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038 |