Analysis Overview
SHA256
c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a
Threat Level: Known bad
The file c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-22 20:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-22 20:47
Reported
2023-09-22 20:50
Platform
win10v2004-20230915-en
Max time kernel
152s
Max time network
155s
Command Line
Signatures
SmokeLoader
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\iewucdv | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\iewucdv | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 232 set thread context of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe | C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe |
| PID 1764 set thread context of 1412 | N/A | C:\Users\Admin\AppData\Roaming\iewucdv | C:\Users\Admin\AppData\Roaming\iewucdv |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\iewucdv | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\iewucdv | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\iewucdv | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe | N/A |
| 62 further entries recorded with no description, indicator, process or target | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\iewucdv | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe
"C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe"
C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe
"C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe"
C:\Users\Admin\AppData\Roaming\iewucdv
C:\Users\Admin\AppData\Roaming\iewucdv
C:\Users\Admin\AppData\Roaming\iewucdv
C:\Users\Admin\AppData\Roaming\iewucdv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/232-0-0x0000000002180000-0x0000000002195000-memory.dmp
memory/232-1-0x00000000021A0000-0x00000000021A9000-memory.dmp
memory/2956-2-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2956-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/232-4-0x0000000002180000-0x0000000002195000-memory.dmp
memory/2956-6-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3188-5-0x0000000002200000-0x0000000002216000-memory.dmp
C:\Users\Admin\AppData\Roaming\iewucdv
| MD5 | ea676996230ba69c73e6dda4a710d36c |
| SHA1 | f2bdd794d402fe4a0f23161c3d661a6f122311f3 |
| SHA256 | c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a |
| SHA512 | 8a459903117ee60b128429d3b73818981a0c6f676e6870e6672d1b81f66949128f11419c9564d3f0796fde8e138a04cfaa99221d4b670db3f610e8aef11b0852 |
memory/1412-17-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3188-18-0x0000000002B80000-0x0000000002B96000-memory.dmp
memory/1412-19-0x0000000000400000-0x0000000000409000-memory.dmp
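The report above is a list of raw sandbox events; the points an analyst actually wants from it are buried in the tables: the two SetThreadContext rows identify which PIDs were hollowed (and therefore which memory dumps hold the unpacked payload), the Files section shows the dropped %APPDATA%\iewucdv has the same SHA-256 as the submitted sample (a self-copy for persistence rather than a second stage), and the Network table mixes the two forward names the sample resolved with reverse lookups that are sandbox noise. The script below is an added example, not part of the sandbox report or its tooling: it parses an excerpt constructed by copying rows from the Signatures, Network and Files sections as they appear on this page, and derives those points. The regular expressions assume the row layouts shown above (the `PID X set thread context of Y` description, the `| country | ip:port | domain | proto |` network row, and the `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` dump name); any other report layout would need them adjusted.

```python
import re
from collections import defaultdict

# Constructed excerpt: rows copied from the Signatures, Network and Files
# sections of the report, embedded so the script runs offline.
REPORT_EXCERPT = r"""
| PID 232 set thread context of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe | C:\Users\Admin\AppData\Local\Temp\c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a.exe |
| PID 1764 set thread context of 1412 | N/A | C:\Users\Admin\AppData\Roaming\iewucdv | C:\Users\Admin\AppData\Roaming\iewucdv |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
memory/232-0-0x0000000002180000-0x0000000002195000-memory.dmp
memory/2956-2-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3188-5-0x0000000002200000-0x0000000002216000-memory.dmp
C:\Users\Admin\AppData\Roaming\iewucdv
| MD5 | ea676996230ba69c73e6dda4a710d36c |
| SHA1 | f2bdd794d402fe4a0f23161c3d661a6f122311f3 |
| SHA256 | c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a |
memory/1412-17-0x0000000000400000-0x0000000000409000-memory.dmp
"""

# SHA-256 of the submitted sample, taken from the Analysis Overview.
SAMPLE_SHA256 = "c76fe7e5cfe5a94cc437f360f815b6f7c7eef063c528503e27e1d27a101f282a"

INJECT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_ALGOS = {"MD5", "SHA1", "SHA256", "SHA512"}


def _cells(line):
    """Split a '| a | b |' table row into its stripped cells."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_report(text):
    """Walk the report line by line and collect the facts we pivot on."""
    injections = []              # (parent_pid, child_pid) from SetThreadContext rows
    dns = set()                  # names the sample resolved over udp/53
    tcp = []                     # (ip, port, domain) for every non-DNS connection
    dumps = defaultdict(list)    # pid -> [(start, end)] regions the sandbox dumped
    files = {}                   # dropped path -> {algo: digest}
    current_path = None          # path whose hash rows follow it
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            dumps[int(m.group(1))].append((int(m.group(2), 16), int(m.group(3), 16)))
            current_path = None
            continue
        if PATH_RE.match(line):
            current_path = line
            files.setdefault(current_path, {})
            continue
        if not line.startswith("|"):
            continue
        cells = _cells(line)
        if m := INJECT_RE.search(cells[0]):
            injections.append((int(m.group(1)), int(m.group(2))))
        elif len(cells) == 4 and cells[3] in ("udp", "tcp") and ":" in cells[1]:
            ip, port = cells[1].rsplit(":", 1)
            if cells[3] == "udp" and port == "53":
                dns.add(cells[2])
            else:
                tcp.append((ip, int(port), cells[2]))
        elif len(cells) == 2 and cells[0] in HASH_ALGOS and current_path:
            files[current_path][cells[0]] = cells[1].lower()
    return {"injections": injections, "dns": dns, "tcp": tcp,
            "dumps": dict(dumps), "files": files}


def triage(parsed, sample_sha256):
    """Derive the analyst-facing conclusions from the parsed report."""
    # Reverse lookups (in-addr.arpa) are the sandbox host resolving the IPs it
    # talks to; only forward names are candidate C2 hostnames.
    forward = sorted(d for d in parsed["dns"] if not d.endswith(".in-addr.arpa"))
    contacted = sorted(set(parsed["tcp"]))
    resolved_only = sorted(set(forward) - {dom for _, _, dom in contacted})
    # A dropped file whose SHA-256 equals the submitted sample is a self-copy
    # written for persistence, not a downloaded second stage.
    self_copies = sorted(p for p, h in parsed["files"].items()
                         if h.get("SHA256") == sample_sha256.lower())
    # The SetThreadContext target is the hollowed process; its dumps are the
    # place to look for the unpacked payload rather than the packed parent.
    children = {child for _, child in parsed["injections"]}
    payload_dumps = {pid: regs for pid, regs in parsed["dumps"].items() if pid in children}
    return {"c2_contacted": contacted, "c2_resolved_only": resolved_only,
            "self_copies": self_copies, "injection_pairs": parsed["injections"],
            "payload_dumps": payload_dumps}


if __name__ == "__main__":
    for key, value in triage(parse_report(REPORT_EXCERPT), SAMPLE_SHA256).items():
        print(f"{key}: {value}")
```

On this excerpt the script reports host-host-file8.com as resolved and then contacted at 194.169.175.127:80, host-file-host6.com as resolved but never contacted, the %APPDATA%\iewucdv drop as a self-copy, and the two 0x400000-0x409000 dumps of PIDs 2956 and 1412 as the regions to unpack. PID 3188 also has dumps in the report but is not a SetThreadContext target, so it is left out of the payload set; the report gives no image name for it, and the script does not guess one.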