Analysis Overview
SHA256
8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b
Threat Level: Known bad
The file 8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2023-09-16 04:48
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-16 04:48
Reported
2023-09-16 04:53
Platform
win7-20230831-en
Max time kernel
300s
Max time network
122s
Signatures
SmokeLoader
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ghgrftc | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ghgrftc | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2180 set thread context of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe |
| PID 2804 set thread context of 1964 | N/A | C:\Users\Admin\AppData\Roaming\ghgrftc | C:\Users\Admin\AppData\Roaming\ghgrftc |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ghgrftc | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ghgrftc | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ghgrftc | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ghgrftc | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe
"C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe"
C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe
"C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {B5DA244D-0FE3-4923-A8B1-03DF74BAC905} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\ghgrftc
C:\Users\Admin\AppData\Roaming\ghgrftc
C:\Users\Admin\AppData\Roaming\ghgrftc
C:\Users\Admin\AppData\Roaming\ghgrftc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\ghgrftc
| MD5 | 94bc47f91a540c7d4f293bd3208ca79d |
| SHA1 | 641aa079c31390ee951a0eb40ead4634d4180736 |
| SHA256 | 8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b |
| SHA512 | a589d56bf07e7de9a9a472766e764165789064e6c9dfb0b4bd10bdfe731d07ef994811b5b0327a4dbc3adb95d819dfa91a532b40c3646fcd748c3e5efc3f6713 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-16 04:48
Reported
2023-09-16 04:53
Platform
win10-20230915-en
Max time kernel
300s
Max time network
260s
Signatures
SmokeLoader
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gcuabfw | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 608 set thread context of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe |
| PID 4428 set thread context of 2096 | N/A | C:\Users\Admin\AppData\Roaming\gcuabfw | C:\Users\Admin\AppData\Roaming\gcuabfw |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gcuabfw | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gcuabfw | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gcuabfw | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gcuabfw | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe
"C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe"
C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe
"C:\Users\Admin\AppData\Local\Temp\8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b.exe"
C:\Users\Admin\AppData\Roaming\gcuabfw
C:\Users\Admin\AppData\Roaming\gcuabfw
C:\Users\Admin\AppData\Roaming\gcuabfw
C:\Users\Admin\AppData\Roaming\gcuabfw
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\gcuabfw
| MD5 | 94bc47f91a540c7d4f293bd3208ca79d |
| SHA1 | 641aa079c31390ee951a0eb40ead4634d4180736 |
| SHA256 | 8611d1e03d8fff50fd6e5c7379f1f1beccd104271b7fa09b63781055d587059b |
| SHA512 | a589d56bf07e7de9a9a472766e764165789064e6c9dfb0b4bd10bdfe731d07ef994811b5b0327a4dbc3adb95d819dfa91a532b40c3646fcd748c3e5efc3f6713 |