Analysis Overview
SHA256
c676cfb423faf30a70613a8baebf45bf84fbc6dadcb2ecf3658ef52fda0e8b58
Threat Level: Known bad
The file 07902107b4c530865a3051ec06571c24.bin was found to be: Known bad.
Malicious Activity Summary
RedLine
SmokeLoader
Smokeloader family
Detect ZGRat V1
ZGRat
RedLine payload
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-12 01:02
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-12 01:02
Reported
2023-12-12 01:05
Platform
win7-20231020-en
Max time kernel
39s
Max time network
70s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B903.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FC79.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
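The three rows above (open, query, enumerate on `HKLM\SYSTEM\ControlSet001\Enum\SCSI`) are a common virtual-machine detection technique: the subkeys under that path embed the vendor and product strings of every SCSI-class disk and optical drive, and a hypervisor's virtual disk announces itself there. The Python below is an added example, not part of this report or of any sandbox vendor's tooling; it shows the matching logic a lab operator can run against their own image to see whether this check would succeed. The subkey names are constructed for the example to follow the `<class>&Ven_<vendor>&Prod_<product>` naming Windows uses under that key, and `VM_MARKERS` is an assumed list, not one the report supplies.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed marker list: substrings that hypervisor-supplied virtual disks and
# optical drives commonly carry in their vendor/product identifiers.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

# Subkeys under HKLM\SYSTEM\ControlSet001\Enum\SCSI are named
# <class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]; parse that shape.
KEY_RE = re.compile(r"^(?P<cls>[A-Za-z]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)")


def parse_scsi_key(name: str) -> Optional[Dict[str, str]]:
    """Split one Enum\\SCSI subkey name into class/vendor/product, or None."""
    m = KEY_RE.match(name)
    if m is None:
        return None
    return {"class": m["cls"],
            "vendor": m["ven"].strip("_"),
            "product": m["prod"].strip("_")}


def looks_virtual(entry: Dict[str, str]) -> bool:
    """True when the vendor or product string carries a hypervisor marker."""
    blob = f"{entry['vendor']} {entry['product']}".replace("_", " ").upper()
    return any(marker in blob for marker in VM_MARKERS)


def audit_scsi_keys(names) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split enumerated subkey names into (virtual-looking, clean) entries."""
    hits, clean = [], []
    for name in names:
        entry = parse_scsi_key(name)
        if entry is None:
            continue  # not a device subkey, skip it
        (hits if looks_virtual(entry) else clean).append(entry)
    return hits, clean


# Constructed sample: what a walk of Enum\SCSI might return on a lab VM that
# still exposes stock hypervisor identifiers, plus two physical-looking disks.
SAMPLE_KEYS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01",
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "Disk&Ven_SAMSUNG&Prod_SSD_870_EVO",
    "Disk&Ven_&Prod_ST1000DM010-2EP102",
    "Properties",  # non-device subkey, ignored by the parser
]

if __name__ == "__main__":
    hits, clean = audit_scsi_keys(SAMPLE_KEYS)
    for h in hits:
        print("hypervisor marker:", h["vendor"], "/", h["product"])
    print(f"{len(hits)} flagged, {len(clean)} clean")
```

To run this against a real image, open `HKLM\SYSTEM\ControlSet001\Enum\SCSI` with `winreg.OpenKey`, collect the names returned by `winreg.EnumKey`, and pass them to `audit_scsi_keys`; any hit means a sample performing this check would identify the machine as a VM, and the disk identifiers should be changed in the hypervisor before the image is used for detonation.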
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
62 further process-enumeration events were recorded with no description, indicator, process or target.
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1264 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B903.exe |
| PID 1264 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B903.exe |
| PID 1264 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B903.exe |
| PID 1264 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B903.exe |
| PID 1264 wrote to memory of 2488 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FC79.exe |
| PID 1264 wrote to memory of 2488 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FC79.exe |
| PID 1264 wrote to memory of 2488 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FC79.exe |
| PID 1264 wrote to memory of 2488 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FC79.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe
"C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe"
C:\Users\Admin\AppData\Local\Temp\B903.exe
C:\Users\Admin\AppData\Local\Temp\B903.exe
C:\Users\Admin\AppData\Local\Temp\FC79.exe
C:\Users\Admin\AppData\Local\Temp\FC79.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\CEE.exe
C:\Users\Admin\AppData\Local\Temp\CEE.exe
C:\Users\Admin\AppData\Local\Temp\is-9VGPE.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9VGPE.tmp\tuc3.tmp" /SL5="$9011E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\1799.exe
C:\Users\Admin\AppData\Local\Temp\1799.exe
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:17066 | | tcp |
| FR | 185.221.198.96:80 | 185.221.198.96 | tcp |
| MD | 176.123.7.190:32927 | | tcp |
Files
A path that appears more than once below carries a different hash each time: each entry records the file's content as it stood when the sandbox captured it, so a single dropped file can have several observed hashes over the run.
memory/2968-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1264-1-0x00000000029F0000-0x0000000002A06000-memory.dmp
memory/2968-2-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B903.exe
| MD5 | 9f1265c20060a18b398fa1cc9eecd74f |
| SHA1 | ed932cffcbeb7820e541f3751c4e835b3d72695d |
| SHA256 | 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e |
| SHA512 | 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9 |
memory/2904-12-0x0000000000160000-0x000000000019C000-memory.dmp
memory/2904-17-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/2904-18-0x0000000007550000-0x0000000007590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FC79.exe
| MD5 | 0d8e2fa98cf4a9b526a5e1051dfb830a |
| SHA1 | a562ebb7cf29fc8a0bba30f3079c2c51662ee834 |
| SHA256 | dc02654786525e52038cde2d6f8a3c5fc2ffde7fb7d90b4c85eff6705120991a |
| SHA512 | 412018b479a79e63233e39c76ca9c668d4014be032b6614cb347a8101c9492ef71bb023f01978d3332e38ed2ff1a3455737ac9487f8ebb3b8faea6c8981aef80 |
C:\Users\Admin\AppData\Local\Temp\FC79.exe
| MD5 | 696499f331e4ca49bfdcc867d5b64d35 |
| SHA1 | 298e7dedbe4631d1da331bc653a3c25eaeed37ce |
| SHA256 | 62eb32a3bdcd900b30915de88c6e1fa9d492a373b00b002c343c251aafa58a3e |
| SHA512 | e609c7d824ec75e0fbf90a4fbae929ff1519703754b4e7781b56bb7016630471263151cf0d78ff52e2b82b752b3879f3385971fa6d714416f13acd9b8b64a309 |
memory/2488-26-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/2488-27-0x0000000000FB0000-0x0000000002466000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 953f45892981196ba988d4666c7a7e15 |
| SHA1 | 8dff535d73051afeb6b529de1a11d9a6aaab1f9c |
| SHA256 | 3f0858a5c142eb7a709bd0af5ec3fe01082290c09acfc4684b1d9570493cdcb0 |
| SHA512 | 9dbd586ef8813ec509c33b5b34046dc3ccc384a59a385b7521da1663e4ddece3669eb59f6bf6254f9937d3d0a41e4b66571e3951ae45fcce1543285a2ff6890a |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 418a5b1e1c4453ea8302f08d002feefb |
| SHA1 | e08a2617af40a5e8fb5a2f778871aedd4e5a0d28 |
| SHA256 | e8072208f3e7cc2ceebf8184374c32a990bb7cb398fd1eeb66e84541782355e7 |
| SHA512 | 0b0b8fa38a070e92c8f2092e6626b896979da1ce2b6cc37deba3be17cfb5f9c3d042d0203c92a64f6c4181a7b9a0d59feaa90d50fdb8e69465e2f25a35f9c83a |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 97667ef0cba48669183044d8b050e506 |
| SHA1 | 677a82d436fa0eff5e593d787e929bdd042f42e2 |
| SHA256 | eb078c989d202b0526374ccaa51bac900bb10687ef1969875a199c3c4af5dfb7 |
| SHA512 | 9a25c5773ab0e5f83354bfade0ddedfa84f505fad5cffb736313a36f388f5fb6f6c93e55dcec80572e5c8412affffab398042f8b54872b5647633bbc034fb524 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 0b53809016d2b7b406271bc117197d0a |
| SHA1 | 73be214a02d10ca5243b7de799071f81081eb6a3 |
| SHA256 | 2a6bd9c2e1549686bec6a013251c966518dbc35f6a66d7849d4a9cb71becf99e |
| SHA512 | da6c63c9719d07ada1ddf05ffae4dece4fcd535d548b0116c67ce68aa6844213ebf174d52d2965530a941bc43e44c947ed7037f6743fc90be48afbfac7a5d4cc |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 248d50f34541f73ca7f4ff407f6e2751 |
| SHA1 | 16bd3e2dd8e4e401b505970d2c1e0f083c381c19 |
| SHA256 | 6d25d9172831801942c90bee62507e74ae8f348d953cc3ff53d026987365392f |
| SHA512 | bfd255c96ecb3611a82e6c6e0f106653b8f59507dae93e16541359e9195962168ba887e46c0c192b173fe534acf676dff5e4ad572aecf0f7b41cc62d9037bf63 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 105970e6e7615516ca684307a04ab03b |
| SHA1 | 38b223eba68ebb4b7cc718e83b7449feff05c5a4 |
| SHA256 | 3197eb2f26060490aa88c196cd641afe1edb77923eb2ff1ab702b49f22fa9c8b |
| SHA512 | e7d8433e881b8290f42a325121215501a1dc92f7aa6e52dbf9f9fa7be2c4626b59557b95f1ced73fea1f8b9bc27b436d7d025668ad3c62954ab1665abe1f890f |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 19da9689a1e6da7ea3a2222672d8a3de |
| SHA1 | 3de455f20afa2698a4784d1bc217daa8c19e1a72 |
| SHA256 | 20af66005e123bd0202eed058849d7b7d37e81d0cb243accbfe4aae531ccf6eb |
| SHA512 | f72c367d5a6720d51ec61cd5675adde667616fae14fba5a2432ee4690b6084be6a12f48ca5d38dbef8fe414e42386a379fc53b077212e78429418c7bf4c5f750 |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 7f2986ef5d51d8138a2d6c3fc7dc652b |
| SHA1 | 96f94095ab30b884af8f5e92ade59f251ab79d0a |
| SHA256 | 38f094a8ba201cc6fddc7d0506d6a781f3dda14428ea31caf0eaecb98a4fcac1 |
| SHA512 | 60ed6990c1431bcc830b132ec6866d605a7bfcf20bc23e7c526be920be85f023ead5c35cda7ca9d24139c7ae7144cb09a25d970498de03933d5196c1196fa62d |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 056fd9f857cbbce2cebf439c74b9dadc |
| SHA1 | c7636c0d1af84b2abee794b495f272c649317c21 |
| SHA256 | 179f1c5c3b89a69fcd5ad855e577d5d197ce5678cc9aaa7f4516f97385bb620e |
| SHA512 | a234c111f6a369b976487edf9a88344bc1c6a986214e1bb8018852398c8ac2ee7e9573648faa7a9c3a176d7a9a64442738d1bb9685974b08d86c7f930582ffb8 |
memory/696-60-0x0000000002530000-0x0000000002928000-memory.dmp
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | af5508739fdcc8f0b27bd95c219813ef |
| SHA1 | cc1115f087cd8072c8e603da68627811e86b873e |
| SHA256 | 8455d9a0b255a5df7a10e88adb092621dcb80671369b953fe4dd48b7fa44a6ea |
| SHA512 | d7b6a96edb0addac94bb3d620bbbc0231ae4628e6e0e947422542acfc06c14c07ccf5eba22ba05ee9444e5ea419689925f0034516dfd6f2c4925d3d8d28bca30 |
memory/2832-63-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 7ffcaf98d3c3af0405fda04e4d9cf949 |
| SHA1 | 07fc4a66b9c23e3761df6f1f6fad9a852fffe450 |
| SHA256 | 133e0ea0146a04d272047d085401821e0cfdfe7bea7463a0b2cd3a0ab33ec8da |
| SHA512 | 76c55495e9f19ba89fd8bbac520f8a72d5d9f9f95fefd5a5c3afa108b1e76d2aba8aed2a0323e72ba0b12f00e04408a1af406f05adeb444e8f8fc9edfed6a2ec |
memory/2208-66-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
These four values are the digests of zero bytes: this entry was captured while tuc3.exe was still an empty file and is not usable as an indicator. The populated versions of tuc3.exe are listed separately.
\Users\Admin\AppData\Local\Temp\is-9VGPE.tmp\tuc3.tmp
| MD5 | 1e8e16ce27e0631387da22c5d7092ed3 |
| SHA1 | 78a83823723ce6177aa19709ecfc1ed4dad78b4e |
| SHA256 | 9b8abd659d4c64695f535ebad2012bcc8f7496f4c00f653a1120d7467e529f21 |
| SHA512 | 4d24156c34d943fff8682049061b3766ce482e8a495a37951cb34526377a6af99f96ec774ada7afe6fd74890c7da22ab16f63f8168e6e8b40abed9ec87fb38ea |
memory/1896-96-0x00000000000C0000-0x00000000005B4000-memory.dmp
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 37566c9b167843d7f6b5f57065fb3e7a |
| SHA1 | 60fc6f267924cd8a847f9018dbf0df627200bb01 |
| SHA256 | bd2b6ffcb25aae0337baa22933f1f4450ba1b207e7e60f9d9b88e510ba122b0f |
| SHA512 | 032bd4481a73e5a63a73afac070dc0dfe0c69dfb64f444ef958dfb0ed14d3e5dbf8c39c80dc68b8d7f978caf9b030091cb0bb27845b94ff966874450232992ff |
memory/1368-107-0x0000000000240000-0x0000000000241000-memory.dmp
memory/696-95-0x0000000002530000-0x0000000002928000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-NFHSV.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-NFHSV.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-NFHSV.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-9VGPE.tmp\tuc3.tmp
| MD5 | 9db59f68fbf15aebf139e66dd9a390fc |
| SHA1 | bfcae1cb795e5a948e6de914a10b706e81a1458f |
| SHA256 | dcc164c4287aee0be64cf51e81b5a357e6536d4c402ebe2b7480ad02ecb86c87 |
| SHA512 | 9accb77582c4b26e097bd982ebccb117c18ef90fd426eb8c841adb6556a1772d5866d8bb74069e9b25dd7e2cad4e68033105c09b7016a0a5424ad3aab144decd |
C:\Users\Admin\AppData\Local\Temp\CEE.exe
| MD5 | 93398c8013bb66ddf126c97d3832b32c |
| SHA1 | 7968af27a58cc14700a29daa895fa7c0c5ece888 |
| SHA256 | b780463e4343e9de943116f0a8b668708f1c9668101980ce302dc20f59769d08 |
| SHA512 | 5b4bd612ff32975fcc1be72c81279f4868faf181f6fe4a8cf27631ac5d9bdd2f07f318e428380cf3f876583f6185ac1a522c4b76de4a01ffa56cf56053da081a |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 865b4bba824fd91790173d606a3a1cff |
| SHA1 | e2e71d1ae9fa291d01f7f479113dfb9dc289b0c0 |
| SHA256 | eb10080e63685c85c99c7f6f7ab3a0a84bbce5b0c327a6b448d9ee12301f41dc |
| SHA512 | 47c32b5bbc831874369d6a57752d07c782c0137462b0bb1e97beb0a3ee0dfbfbac616d126d95265caf825fae2035ffc4762d120a2a54f61227dd8ea42f017de2 |
C:\Users\Admin\AppData\Local\Temp\CEE.exe
| MD5 | 9d214697b968db889fdf34f298a2b3dc |
| SHA1 | c89181dabf5fceb954c757e6fd7ab5606e6f42a1 |
| SHA256 | 8becb5f3c4be6300a6a470a95d338f44dd42b12ef4ee9ee2de35527ba422cadf |
| SHA512 | 58d1d7790788c93d2c41b88893618d2873a639cef591c2068bf74ede24ec7340d1bab2d657c407f37ace920ef1bc8d9e11a8e91bda81a3ea6901ed7c58313f1d |
memory/2488-111-0x00000000744B0000-0x0000000074B9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-9VGPE.tmp\tuc3.tmp
| MD5 | e45ae2728aa20c5ac6fc6945db271c29 |
| SHA1 | 3ccf052d214e6a8f314f3cce515fcda702cc8510 |
| SHA256 | 8e070075fa15ee5d98d20164b412ed657f5972f0b322582e25ac0849fe366cbc |
| SHA512 | dbb0e687a954bf7d587c41a51886b2d007061da039998dc6dc03d6985894c039a7d509b21800040dce0064f4c1ee76d7f07084fafff989575c633cea055bf7d0 |
memory/696-112-0x0000000002930000-0x000000000321B000-memory.dmp
memory/1896-113-0x0000000004F10000-0x0000000004F50000-memory.dmp
memory/1896-114-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/696-115-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1799.exe
| MD5 | ce973ee38359d7301212c684884de31b |
| SHA1 | 5daab95ad546a1916e40eb3bc7a52b98c5ec1de9 |
| SHA256 | 80b7ebd7c02ebe0a225ea55739521bba99af2458caa2c05a7220ba995c345a05 |
| SHA512 | cda720bfebc5d728bace8a895e13787867804ea3caf8d246aab011114c64413a56087a10cf3634d1497402156ad410b05daa9f302fb83befab1a346c7ec24a84 |
C:\Users\Admin\AppData\Local\Temp\1799.exe
| MD5 | f092ef2fcec98f77e00895546c6d96f1 |
| SHA1 | 766996196a393ab46bf8beca04573bfb3fe4aadd |
| SHA256 | 8fe87f9e498a1b0ed9f0040e317144fd3680f4b05402c218265b8b885412ba11 |
| SHA512 | 5e22f1f02ad325731c0f85cb1517ba0d16b7c369c92634fa936c662dd79cb5b4bf024484407974755576be8556da98abba1c6aef96d95536d8028afeddb0e7f6 |
memory/2368-122-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/2368-123-0x0000000000810000-0x000000000084C000-memory.dmp
memory/2368-124-0x0000000007230000-0x0000000007270000-memory.dmp
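The tables in this detonation are what an analyst turns into indicators: the WriteProcessMemory rows naming PID 1264 as the writer into the dropped B903.exe and FC79.exe processes, the Network table, and the per-path hash entries, several of which record more than one version of the same path and one of which is the empty-file hash. The Python below is an added example, not part of this report or of the sandbox's own tooling. `parse_report` is a helper written for this page's layout only, and `SAMPLE_REPORT` is an excerpt of the rows above re-typed inline so the script runs offline; the hash tables are shortened to MD5 and SHA-256 for brevity.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# SHA-256 of zero bytes: an entry carrying this hash was captured before
# anything was written to the file, so it is not a usable indicator.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

WPM_RE = re.compile(r"^\|\s*PID (\d+) wrote to memory of (\d+)\s*\|[^|]*\|[^|]*\|\s*([^|]+?)\s*\|")
NET_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*\|")
PATH_RE = re.compile(r"^(?:\\|[A-Za-z]:\\)Users\\.*\.(?:exe|dll|tmp)$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|")


def parse_report(text: str) -> dict:
    """Walk the report line by line and collect three indicator sets."""
    injections: Set[Tuple[int, int, str]] = set()   # (writer PID, target PID, target image)
    network: Set[Tuple[str, str, int]] = set()      # (country, ip, port)
    files: Dict[str, List[Dict[str, str]]] = defaultdict(list)  # path -> versions seen
    current, pending = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := WPM_RE.match(line)):
            injections.add((int(m[1]), int(m[2]), m[3]))
        elif (m := NET_RE.match(line)):
            network.add((m[1], m[2], int(m[3])))
        elif PATH_RE.match(line):
            # "\Users\..." and "C:\Users\..." name the same file; drop the drive letter.
            current, pending = re.sub(r"^[A-Za-z]:", "", line), True
        elif current and (m := HASH_RE.match(line)):
            if pending:  # first hash row after a path line opens a new version
                files[current].append({})
                pending = False
            files[current][-1][m[1].upper()] = m[2].lower()
        elif not line.startswith("|"):
            current, pending = None, False  # any other line ends the hash table
    return {"injections": injections, "network": network, "files": dict(files)}


def unique_hashes(files: Dict[str, List[Dict[str, str]]], algo: str = "SHA256") -> Set[str]:
    """Distinct hashes across every recorded version of every path, minus the empty-file hash."""
    return {v[algo] for versions in files.values() for v in versions
            if algo in v and v[algo] != EMPTY_SHA256}


def zero_byte_paths(files: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Paths for which at least one recorded version was still empty."""
    return sorted(p for p, versions in files.items()
                  if any(v.get("SHA256") == EMPTY_SHA256 for v in versions))


# Excerpt of the report rows above, re-typed inline (constructed sample input).
SAMPLE_REPORT = r"""
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1264 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B903.exe |
| PID 1264 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B903.exe |
| PID 1264 wrote to memory of 2488 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FC79.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 77.105.132.87:17066 | | tcp |
| MD | 176.123.7.190:32927 | tcp |
Files
memory/2968-0-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FC79.exe
| MD5 | 0d8e2fa98cf4a9b526a5e1051dfb830a |
| SHA256 | dc02654786525e52038cde2d6f8a3c5fc2ffde7fb7d90b4c85eff6705120991a |
C:\Users\Admin\AppData\Local\Temp\FC79.exe
| MD5 | 696499f331e4ca49bfdcc867d5b64d35 |
| SHA256 | 62eb32a3bdcd900b30915de88c6e1fa9d492a373b00b002c343c251aafa58a3e |
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| SHA256 | 3f0858a5c142eb7a709bd0af5ec3fe01082290c09acfc4684b1d9570493cdcb0 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| SHA256 | e8072208f3e7cc2ceebf8184374c32a990bb7cb398fd1eeb66e84541782355e7 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
"""

if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    for src, dst, image in sorted(r["injections"]):
        print(f"PID {src} -> PID {dst} ({image})")
    for country, ip, port in sorted(r["network"]):
        print(f"{ip}:{port} [{country}]")
    print("unique SHA-256:", len(unique_hashes(r["files"])))
    print("still-empty paths:", zero_byte_paths(r["files"]))
```

Two details matter for anyone feeding the output into a blocklist: the network parser keys on the first two columns only, so the misaligned rows in the table above still parse, and the empty-file digest is filtered out of `unique_hashes` rather than shipped as an indicator.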
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-12 01:02
Reported
2023-12-12 01:04
Platform
win10v2004-20231130-en
Max time kernel
150s
Max time network
57s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
62 further process-enumeration events were recorded with no description, indicator, process or target.
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe
"C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | | tcp |
| RU | 81.19.131.34:80 | | tcp |
Files
memory/1792-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3348-1-0x0000000002DB0000-0x0000000002DC6000-memory.dmp
memory/1792-3-0x0000000000400000-0x000000000040B000-memory.dmp