Analysis Overview
SHA256
c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9
Threat Level: Known bad
The file c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Detects Smokeloader packer
WarzoneRat, AveMaria
Downloads MZ/PE file
Blocklisted process makes network request
Deletes itself
Executes dropped EXE
Adds Run key to start application
Accesses Microsoft Outlook profiles
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-25 22:47
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-25 22:47
Reported
2023-02-25 22:53
Platform
win10-20230220-en
Max time kernel
300s
Max time network
291s
Command Line
Signatures
Detects Smokeloader packer
SmokeLoader
WarzoneRat, AveMaria
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F15A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F1E7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\F15A.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F1E7.exe" | C:\Users\Admin\AppData\Local\Temp\F1E7.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F15A.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\F15A.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1836 wrote to memory of 3928 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\agent.exe |
| PID 1836 wrote to memory of 3928 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\agent.exe |
| PID 1836 wrote to memory of 3928 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\agent.exe |
| PID 3200 wrote to memory of 1896 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F15A.exe |
| PID 3200 wrote to memory of 1896 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F15A.exe |
| PID 3200 wrote to memory of 3076 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F1E7.exe |
| PID 3200 wrote to memory of 3076 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F1E7.exe |
| PID 3200 wrote to memory of 3076 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F1E7.exe |
| PID 3200 wrote to memory of 4436 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 4436 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 4436 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 4436 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 4124 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3200 wrote to memory of 4124 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3200 wrote to memory of 4124 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3200 wrote to memory of 760 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 760 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 760 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 760 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 4816 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 4816 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 4816 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 4816 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3200 wrote to memory of 3992 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3200 wrote to memory of 3992 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3200 wrote to memory of 3992 | N/A | N/A | C:\Windows\explorer.exe |
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
| Image | Command line |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1 |
| C:\Users\Admin\AppData\Local\Temp\agent.exe | "C:\Users\Admin\AppData\Local\Temp\agent.exe" |
| C:\Users\Admin\AppData\Local\Temp\F15A.exe | C:\Users\Admin\AppData\Local\Temp\F15A.exe |
| C:\Users\Admin\AppData\Local\Temp\F1E7.exe | C:\Users\Admin\AppData\Local\Temp\F1E7.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Users\Admin\AppData\Roaming\F15A.exe | C:\Users\Admin\AppData\Roaming\F15A.exe |
Network
| Country | Destination | Domain | Proto |
| NL | 79.110.62.167:80 | 79.110.62.167 | tcp |
| US | 8.8.8.8:53 | 167.62.110.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | simplyadvanced1.com | udp |
| NL | 79.110.62.167:80 | simplyadvanced1.com | tcp |
| NL | 79.110.62.167:80 | simplyadvanced1.com | tcp |
| NL | 212.87.204.251:5200 | N/A | tcp |
| US | 8.8.8.8:53 | 251.204.87.212.in-addr.arpa | udp |
| NL | 20.50.201.195:443 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| NL | 212.87.204.251:51234 | N/A | tcp |
| NL | 212.87.204.251:51234 | N/A | tcp |
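Detection logic for the behaviours tabulated in this run (PowerShell launched with `-ExecutionPolicy bypass` on a script in `%TEMP%`, a Run key pointing into a user-writable directory, memory writes into dropped binaries and into explorer.exe, explorer.exe opening Outlook profile keys, and traffic to the listed hosts), added here as a worked example; it is not part of the sandbox report. The event schema (`type`, `image`, `key`, `data`, `source_image`, ...) is an assumed normalization of EDR or Sysmon telemetry, the sample events are constructed from this report's own indicators, and the process that writes into explorer.exe is assumed to be agent.exe because the report identifies that writer only as PID 3200. Registry key opens are not in default Sysmon output; that rule assumes object-access auditing on the profile keys.

```python
import re

# Indicators copied from the behavioral2 run of this report.
IOC_IPS = {"79.110.62.167", "212.87.204.251"}
IOC_DOMAINS = {"simplyadvanced1.com"}
IOC_SHA256 = {
    "c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d",  # agent.exe, also written as Roaming\trawtev
    "1cc7239194b15a44c4f7bb2a5edab03b319d3ebba56a84ac59f860acc9e2f35c",  # F15A.exe
    "e6e5fa379b321d66c93d236eadc5c81478c821b545a7ff9ac6d07e14ed5a8983",  # F1E7.exe
}

# Behavioural patterns: these match the technique, not this sample's random file names.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
OUTLOOK_PROFILE = re.compile(
    r"\\(?:Office\\\d+\.\d+\\Outlook\\Profiles|Windows Messaging Subsystem\\Profiles)\\", re.I)
EXPLORER = re.compile(r"\\explorer\.exe$", re.I)
WINDOWS_DIR = re.compile(r"^[A-Z]:\\Windows\\", re.I)
PS_BYPASS = re.compile(r"-ExecutionPolicy\s+bypass", re.I)
PS_TEMP_SCRIPT = re.compile(r"-File\s+\S*\\AppData\\Local\\Temp\\[^\s]+\.ps1", re.I)


def parse_hashes(field):
    """Parse a Sysmon-style 'MD5=...,SHA256=...' string into {algo: hex}."""
    out = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_event(ev):
    """Return the rule names that one normalized telemetry event triggers."""
    kind = ev.get("type")
    hits = []
    if kind == "process_create":
        cmd = ev.get("command_line", "")
        if PS_BYPASS.search(cmd) and PS_TEMP_SCRIPT.search(cmd):
            hits.append("powershell_bypass_runs_temp_script")
        if parse_hashes(ev.get("hashes", "")).get("SHA256") in IOC_SHA256:
            hits.append("known_bad_hash_executed")
    elif kind == "registry_set":
        # Persistence: Run value whose data lives under %TEMP% or Roaming.
        if RUN_KEY.search(ev.get("key", "")) and USER_WRITABLE.search(ev.get("data", "")):
            hits.append("run_key_points_to_user_writable_path")
    elif kind == "registry_open":
        # Requires object-access auditing; Sysmon does not log key opens (assumption).
        if OUTLOOK_PROFILE.search(ev.get("key", "")) and EXPLORER.search(ev.get("image", "")):
            hits.append("explorer_opens_outlook_profile")
    elif kind == "process_access":
        src, dst = ev.get("source_image", ""), ev.get("target_image", "")
        if ev.get("write", False):
            if EXPLORER.search(dst) and not WINDOWS_DIR.search(src):
                hits.append("non_system_process_writes_into_explorer")
            if USER_WRITABLE.search(dst):
                hits.append("write_into_dropped_binary")
    elif kind == "network":
        if ev.get("dst_ip") in IOC_IPS:
            hits.append("connection_to_ioc_ip")
    elif kind == "dns":
        if ev.get("query", "").rstrip(".").lower() in IOC_DOMAINS:
            hits.append("dns_query_for_ioc_domain")
    return hits


def scan(events):
    """Run every rule over a list of events; returns [(event index, rule), ...]."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry mirroring the behavioral2 run; not sandbox output.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1",
     "hashes": ""},
    {"type": "process_create", "image": r"C:\Users\Admin\AppData\Local\Temp\agent.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\agent.exe"',
     "hashes": "MD5=1496b98fe0530da47982105a87a69bce,SHA256=c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d"},
    {"type": "process_access", "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Users\Admin\AppData\Local\Temp\agent.exe", "write": True},
    {"type": "registry_set", "image": r"C:\Users\Admin\AppData\Local\Temp\F1E7.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images",
     "data": r"C:\Users\Admin\AppData\Local\Temp\F1E7.exe"},
    # Assumed writer: the report names only PID 3200 for the writes into explorer.exe.
    {"type": "process_access", "source_image": r"C:\Users\Admin\AppData\Local\Temp\agent.exe",
     "target_image": r"C:\Windows\SysWOW64\explorer.exe", "write": True},
    {"type": "registry_open", "image": r"C:\Windows\SysWOW64\explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "dns", "query": "simplyadvanced1.com"},
    {"type": "network", "dst_ip": "212.87.204.251", "dst_port": 5200},
    {"type": "network", "dst_ip": "8.8.8.8", "dst_port": 53},  # benign control event
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The hash and network rules are the brittle part: they only catch this exact build and this infrastructure. The Run-key, explorer.exe write and Outlook-profile rules key on the technique and will keep firing on the next repack, at the cost of needing a review of legitimate installers that register Run values under AppData.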
Files
memory/1836-126-0x00000236B1150000-0x00000236B1172000-memory.dmp
memory/1836-129-0x00000236AF920000-0x00000236AF930000-memory.dmp
memory/1836-130-0x00000236AF920000-0x00000236AF930000-memory.dmp
memory/1836-131-0x00000236CA130000-0x00000236CA1A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33ocsag4.dv0.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\agent.exe
| MD5 | 1496b98fe0530da47982105a87a69bce |
| SHA1 | 00719a1b168c8baa3827a161326b157713f9a07a |
| SHA256 | c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d |
| SHA512 | 286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6 |
memory/3928-165-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3200-166-0x0000000000AD0000-0x0000000000AE6000-memory.dmp
memory/3928-168-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Roaming\trawtev
| MD5 | 1496b98fe0530da47982105a87a69bce |
| SHA1 | 00719a1b168c8baa3827a161326b157713f9a07a |
| SHA256 | c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d |
| SHA512 | 286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6 |
C:\Users\Admin\AppData\Local\Temp\F15A.exe
| MD5 | 978efdcbc93c6c9ac15e01fda1054d7c |
| SHA1 | 23e777d93caa97b0f167f728905df31e6efaac23 |
| SHA256 | 1cc7239194b15a44c4f7bb2a5edab03b319d3ebba56a84ac59f860acc9e2f35c |
| SHA512 | c25d414af7d5354666f5ce4d88719374af180a265fdfd604a8c3d054df506a0154c98cc8ca4da972a018870df576455afd3804d45ae39ac7fc3c8b1c4e2329e3 |
memory/1896-181-0x0000000000950000-0x00000000009C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F1E7.exe
| MD5 | 4da855885a48a88b2b99abdaf7dbaddb |
| SHA1 | 95be38902672a4f729325f4322449fafe52791c4 |
| SHA256 | e6e5fa379b321d66c93d236eadc5c81478c821b545a7ff9ac6d07e14ed5a8983 |
| SHA512 | 4f5855573c3d08d8a11325775230544ecf79f884009a94c30c8bd4547e2ad873224ef1d34fd15b9e91423a5cf4351f22d4aa50be7c14cc2bdc2260c009e61c93 |
memory/1896-186-0x000000001C3D0000-0x000000001C470000-memory.dmp
memory/1896-187-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-188-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-190-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-192-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-194-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-196-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/4436-197-0x0000000000830000-0x000000000089B000-memory.dmp
memory/1896-199-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-201-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-203-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-207-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/4436-206-0x00000000008A0000-0x0000000000920000-memory.dmp
memory/4436-208-0x0000000000830000-0x000000000089B000-memory.dmp
memory/1896-204-0x000000001C4E0000-0x000000001C4F0000-memory.dmp
memory/1896-210-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-212-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-214-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-216-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/4124-221-0x0000000000BD0000-0x0000000000BDC000-memory.dmp
memory/1896-222-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-224-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/4124-225-0x0000000000BD0000-0x0000000000BDC000-memory.dmp
memory/1896-233-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-238-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-240-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-242-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-244-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-246-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/4436-249-0x0000000000830000-0x000000000089B000-memory.dmp
memory/1896-248-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-251-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/760-253-0x00000000008D0000-0x00000000008D9000-memory.dmp
memory/1896-254-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-256-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-258-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-260-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-262-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/1896-264-0x000000001C3D0000-0x000000001C46C000-memory.dmp
memory/760-293-0x00000000008D0000-0x00000000008D9000-memory.dmp
memory/760-291-0x0000000000830000-0x000000000089B000-memory.dmp
memory/4816-420-0x00000000008D0000-0x00000000008D9000-memory.dmp
memory/4816-421-0x00000000005F0000-0x00000000005F9000-memory.dmp
memory/3992-565-0x00000000005F0000-0x00000000005F9000-memory.dmp
memory/3992-567-0x0000000000D80000-0x0000000000D89000-memory.dmp
memory/1896-1033-0x0000000003360000-0x00000000033B6000-memory.dmp
memory/1896-1034-0x000000001C4E0000-0x000000001C4F0000-memory.dmp
memory/760-1035-0x0000000000830000-0x000000000089B000-memory.dmp
memory/4816-1036-0x00000000008D0000-0x00000000008D9000-memory.dmp
memory/3992-1037-0x00000000005F0000-0x00000000005F9000-memory.dmp
memory/1896-1038-0x000000001C470000-0x000000001C4BC000-memory.dmp
memory/1896-1039-0x000000001D1F0000-0x000000001D244000-memory.dmp
C:\Users\Admin\AppData\Roaming\F15A.exe
| MD5 | 978efdcbc93c6c9ac15e01fda1054d7c |
| SHA1 | 23e777d93caa97b0f167f728905df31e6efaac23 |
| SHA256 | 1cc7239194b15a44c4f7bb2a5edab03b319d3ebba56a84ac59f860acc9e2f35c |
| SHA512 | c25d414af7d5354666f5ce4d88719374af180a265fdfd604a8c3d054df506a0154c98cc8ca4da972a018870df576455afd3804d45ae39ac7fc3c8b1c4e2329e3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\F15A.exe.log
| MD5 | 431293de3fad018871bc380403c6f53c |
| SHA1 | 935699de6ea2086cec2612f7716d147ced286768 |
| SHA256 | 1d7ced4ac3efd413157af7c0d8167ab87f1060c576dc86e5518283874df2b55f |
| SHA512 | b33b49ffb96a325da7b6d77b3c95014b2b6ff985fd6553ce80487789a8d8b56e4e24d0f819108c271146ccd188d1a7d68ba630441b065f9ddb47602297fa6c62 |
memory/4396-1045-0x000000001C6C0000-0x000000001C6D0000-memory.dmp
memory/4396-1864-0x000000001C6C0000-0x000000001C6D0000-memory.dmp
memory/4396-1866-0x000000001C6C0000-0x000000001C6D0000-memory.dmp
memory/4396-1865-0x000000001C6C0000-0x000000001C6D0000-memory.dmp
memory/4396-1867-0x000000001C6C0000-0x000000001C6D0000-memory.dmp
memory/4396-1868-0x000000001C6C0000-0x000000001C6D0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-25 22:47
Reported
2023-02-25 22:53
Platform
win7-20230220-en
Max time kernel
300s
Max time network
31s
Command Line
Signatures
Detects Smokeloader packer
SmokeLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agent.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1656 wrote to memory of 656 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\agent.exe |
| PID 1656 wrote to memory of 656 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\agent.exe |
| PID 1656 wrote to memory of 656 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\agent.exe |
| PID 1656 wrote to memory of 656 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\agent.exe |
Processes
| Image | Command line |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1 |
| C:\Users\Admin\AppData\Local\Temp\agent.exe | "C:\Users\Admin\AppData\Local\Temp\agent.exe" |
Network
| Country | Destination | Domain | Proto |
| NL | 79.110.62.167:80 | 79.110.62.167 | tcp |
Files
memory/1656-58-0x000000001B400000-0x000000001B6E2000-memory.dmp
memory/1656-59-0x0000000001F90000-0x0000000001F98000-memory.dmp
memory/1656-60-0x0000000002890000-0x0000000002910000-memory.dmp
memory/1656-61-0x0000000002890000-0x0000000002910000-memory.dmp
memory/1656-62-0x0000000002890000-0x0000000002910000-memory.dmp
memory/1656-63-0x0000000002890000-0x0000000002910000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\agent.exe
| MD5 | 1496b98fe0530da47982105a87a69bce |
| SHA1 | 00719a1b168c8baa3827a161326b157713f9a07a |
| SHA256 | c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d |
| SHA512 | 286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6 |
memory/656-71-0x0000000000400000-0x0000000000409000-memory.dmp
memory/656-73-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1248-72-0x0000000002C00000-0x0000000002C16000-memory.dmp