Malware Analysis Report

2025-04-14 07:11

Sample ID 230913-sfmrnsch51
Target b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe
SHA256 b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d
Tags
smokeloader backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d

Threat Level: Known bad

The file b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor trojan

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Unsigned PE

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Checks SCSI registry key(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-13 15:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 15:04

Reported

2023-09-13 15:06

Platform

win10v2004-20230831-en

Max time kernel

115s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\fvtwbde N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\fvtwbde N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\fvtwbde N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\fvtwbde N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f7840f05f6481501b109f0800aa002f954e0000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259} N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72} N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\FFlags = "18874369" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupView = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\FFlags = "18874385" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\Mode = "4" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\LogicalViewMode = "1" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupByDirection = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupByKey:PID = "0" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e8005398e082303024b98265d99428e115f0000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\Rev = "0" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\IconSize = "16" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000060000001800000030f125b7ef471a10a5f102608c9eebac0a000000f0000000334b179bff40d211a27e00c04fc3087102000000f0000000334b179bff40d211a27e00c04fc3087103000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fvtwbde N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe

"C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe"

C:\Users\Admin\AppData\Roaming\fvtwbde

C:\Users\Admin\AppData\Roaming\fvtwbde

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
RO 109.98.58.98:80 colisumy.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 98.58.98.109.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
N/A 239.255.255.250:3702 udp
N/A 239.255.255.250:3702 udp

Files

memory/3084-0-0x0000000002330000-0x0000000002345000-memory.dmp

memory/3084-1-0x0000000002350000-0x0000000002359000-memory.dmp

memory/3084-2-0x0000000000400000-0x0000000002083000-memory.dmp

memory/3212-3-0x00000000010B0000-0x00000000010C6000-memory.dmp

memory/3084-4-0x0000000000400000-0x0000000002083000-memory.dmp

memory/3084-8-0x0000000002330000-0x0000000002345000-memory.dmp

memory/3084-9-0x0000000002350000-0x0000000002359000-memory.dmp

C:\Users\Admin\AppData\Roaming\fvtwbde

MD5 9a96d0e2f9c295ab676be283a7e93565
SHA1 1e39acd938959c92da53e009969da54e2b43c308
SHA256 b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d
SHA512 b917419f203ef118f13e087a7eeba4ff1925a684fe34137fe9e583cfb6836adfa0e4dc7a59ae022c2d19e03a1955ba48d7ddb97b463eae88890f86af03f4cda2

C:\Users\Admin\AppData\Roaming\fvtwbde

MD5 9a96d0e2f9c295ab676be283a7e93565
SHA1 1e39acd938959c92da53e009969da54e2b43c308
SHA256 b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d
SHA512 b917419f203ef118f13e087a7eeba4ff1925a684fe34137fe9e583cfb6836adfa0e4dc7a59ae022c2d19e03a1955ba48d7ddb97b463eae88890f86af03f4cda2

memory/3212-15-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-16-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-17-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-18-0x000000000E400000-0x000000000E410000-memory.dmp

memory/3212-20-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-21-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-22-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-24-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-26-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-28-0x000000000E490000-0x000000000E4A0000-memory.dmp

memory/3212-25-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-27-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-32-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-30-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-34-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-29-0x000000000E490000-0x000000000E4A0000-memory.dmp

memory/3212-37-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-36-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-38-0x000000000E400000-0x000000000E410000-memory.dmp

memory/3212-40-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-39-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-42-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-43-0x000000000E490000-0x000000000E4A0000-memory.dmp

memory/3212-45-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-44-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-47-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/3212-48-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

memory/1792-49-0x0000000000400000-0x0000000002083000-memory.dmp

memory/3212-50-0x000000000E3D0000-0x000000000E3E6000-memory.dmp

memory/1792-53-0x0000000000400000-0x0000000002083000-memory.dmp