Malware Analysis Report

2025-08-06 03:42

Sample ID 230922-ev43lsch2y
Target 40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65
SHA256 40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65
Tags
smokeloader pub1 backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65

Threat Level: Known bad

The file 40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65 was found to be: Known bad.

Malicious Activity Summary

smokeloader pub1 backdoor trojan

SmokeLoader

Executes dropped EXE

Deletes itself

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-22 04:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-22 04:16

Reported

2023-09-22 04:21

Platform

win10-20230831-en

Max time kernel

300s

Max time network

263s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A
N/A N/A N/A N/A (62 identical rows with no recorded detail, collapsed here)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe

"C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gudintas.at udp
KR 211.40.39.251:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
US 8.8.8.8:53 251.39.40.211.in-addr.arpa udp
KR 211.40.39.251:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
AR 186.182.55.44:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
US 8.8.8.8:53 44.55.182.186.in-addr.arpa udp
KR 211.40.39.251:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
AR 186.182.55.44:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
AR 186.182.55.44:80 gudintas.at tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
KR 211.40.39.251:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
AR 186.182.55.44:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
AR 186.182.55.44:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
AR 186.182.55.44:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
KR 211.40.39.251:80 gudintas.at tcp
US 8.8.8.8:53 gudintas.at udp
KR 14.33.209.147:80 gudintas.at tcp
US 8.8.8.8:53 147.209.33.14.in-addr.arpa udp

Files

memory/5080-1-0x0000000000920000-0x0000000000A20000-memory.dmp

memory/5080-2-0x0000000000400000-0x0000000000718000-memory.dmp

memory/5080-3-0x0000000000860000-0x0000000000869000-memory.dmp

memory/3184-4-0x0000000002730000-0x0000000002746000-memory.dmp

memory/5080-5-0x0000000000400000-0x0000000000718000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-22 04:16

Reported

2023-09-22 04:21

Platform

win7-20230831-en

Max time kernel

300s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wjwceub N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wjwceub N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wjwceub N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wjwceub N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A
N/A N/A N/A N/A (62 identical rows with no recorded detail, collapsed here)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wjwceub N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wjwceub
PID 2204 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wjwceub
PID 2204 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wjwceub
PID 2204 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wjwceub

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe

"C:\Users\Admin\AppData\Local\Temp\40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {87102147-F08A-41D2-BA4F-08EBAA4C7441} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\wjwceub

C:\Users\Admin\AppData\Roaming\wjwceub

Network

Country Destination Domain Proto
US 8.8.8.8:53 gudintas.at udp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
KR 211.168.53.110:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
KR 211.168.53.110:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
KR 211.168.53.110:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
BA 185.12.79.25:80 gudintas.at tcp
KR 211.168.53.110:80 gudintas.at tcp
US 8.8.8.8:53 gudintas.at udp
AR 186.182.55.44:80 gudintas.at tcp
AR 186.182.55.44:80 gudintas.at tcp

Files

memory/1976-1-0x00000000008A0000-0x00000000009A0000-memory.dmp

memory/1976-2-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1976-3-0x0000000000400000-0x0000000000718000-memory.dmp

memory/1976-5-0x0000000000400000-0x0000000000718000-memory.dmp

memory/1232-4-0x0000000002910000-0x0000000002926000-memory.dmp

memory/1976-8-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1232-13-0x000007FF511F0000-0x000007FF511FA000-memory.dmp

memory/1232-12-0x000007FEF5AA0000-0x000007FEF5BE3000-memory.dmp

C:\Users\Admin\AppData\Roaming\wjwceub

MD5 a2d237a8dcda5047bb9e612825ebc499
SHA1 d4f6d2707f5fc415ec85dcea2b318e1c3d97209c
SHA256 40c624a1492477b0ed0e5c704447d95f728dfe41b7e857cd1c5018e8d3b3df65
SHA512 8e789640a564baa078db349483844acc6f8004d1338bf61c643a9f48a358e75b382b98f991b95901a9a29cf0075962ee312bab8f26492dddd8c183d37d160f14

memory/2520-17-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2520-18-0x0000000000400000-0x0000000000718000-memory.dmp

memory/1232-19-0x0000000002A10000-0x0000000002A26000-memory.dmp

memory/2520-20-0x0000000000400000-0x0000000000718000-memory.dmp