Analysis Overview
SHA256
a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078
Threat Level: Known bad
The file a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Unsigned PE
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-23 00:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-23 00:37
Reported
2023-09-23 00:43
Platform
win7-20230831-en
Max time kernel
318s
Max time network
321s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wcahhgd | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wcahhgd | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wcahhgd | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wcahhgd | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wcahhgd | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 2712 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\wcahhgd |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe
"C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {0BCF8B0D-90A8-4F13-943D-19D31C8F9F15} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\wcahhgd
C:\Users\Admin\AppData\Roaming\wcahhgd
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gudintas.at | udp |
| AR | 190.224.203.37:80 | gudintas.at | tcp |
Files
memory/2248-0-0x0000000000230000-0x0000000000245000-memory.dmp
memory/2248-1-0x0000000000250000-0x0000000000259000-memory.dmp
memory/2248-2-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2248-5-0x0000000000250000-0x0000000000259000-memory.dmp
memory/2248-4-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1264-3-0x0000000002A40000-0x0000000002A56000-memory.dmp
memory/2248-8-0x0000000000230000-0x0000000000245000-memory.dmp
C:\Users\Admin\AppData\Roaming\wcahhgd
| MD5 | 5e24e3e53137efe701b18e01b83cde73 |
| SHA1 | c2561797a85b99d192a09c479f6dabd88baaaae4 |
| SHA256 | a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078 |
| SHA512 | e96e8d998b97e6520041f0502da2d2e14e398a0e7dfa41515d30f3d5f12a92c84e7d5f608d9d82f830cf7347cb9e44244ead88fb0338428e60e24f8199b9f701 |
memory/2712-14-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1264-15-0x0000000002C40000-0x0000000002C56000-memory.dmp
memory/2712-18-0x0000000000400000-0x000000000043C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-23 00:37
Reported
2023-09-23 00:42
Platform
win10-20230915-en
Max time kernel
300s
Max time network
282s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rurbccw | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rurbccw | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rurbccw | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rurbccw | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rurbccw | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe
"C:\Users\Admin\AppData\Local\Temp\a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078.exe"
C:\Users\Admin\AppData\Roaming\rurbccw
C:\Users\Admin\AppData\Roaming\rurbccw
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gudintas.at | udp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| US | 8.8.8.8:53 | 79.216.224.84.in-addr.arpa | udp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| US | 8.8.8.8:53 | 220.17.13.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
Files
memory/1512-0-0x0000000001F00000-0x0000000001F15000-memory.dmp
memory/1512-1-0x00000000001F0000-0x00000000001F9000-memory.dmp
memory/1512-2-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3300-3-0x0000000000E70000-0x0000000000E86000-memory.dmp
memory/1512-4-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1512-7-0x00000000001F0000-0x00000000001F9000-memory.dmp
memory/1512-8-0x0000000001F00000-0x0000000001F15000-memory.dmp
C:\Users\Admin\AppData\Roaming\rurbccw
| MD5 | 5e24e3e53137efe701b18e01b83cde73 |
| SHA1 | c2561797a85b99d192a09c479f6dabd88baaaae4 |
| SHA256 | a5a107e890080f3642ebe97a41abdecab2113fe981569361e9ebb4f96ab5d078 |
| SHA512 | e96e8d998b97e6520041f0502da2d2e14e398a0e7dfa41515d30f3d5f12a92c84e7d5f608d9d82f830cf7347cb9e44244ead88fb0338428e60e24f8199b9f701 |
memory/2824-14-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3300-15-0x0000000002CA0000-0x0000000002CB6000-memory.dmp
memory/2824-18-0x0000000000400000-0x000000000043C000-memory.dmp