Malware Analysis Report

2025-03-15 05:04

Sample ID 231212-bdzj1sded6
Target 07902107b4c530865a3051ec06571c24.bin
SHA256 c676cfb423faf30a70613a8baebf45bf84fbc6dadcb2ecf3658ef52fda0e8b58
Tags
smokeloader redline zgrat @oleh_ps livetraffic backdoor infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c676cfb423faf30a70613a8baebf45bf84fbc6dadcb2ecf3658ef52fda0e8b58

Threat Level: Known bad

The file 07902107b4c530865a3051ec06571c24.bin was found to be: Known bad.

Malicious Activity Summary

smokeloader redline zgrat @oleh_ps livetraffic backdoor infostealer rat trojan

RedLine

SmokeLoader

Smokeloader family

Detect ZGRat V1

ZGRat

RedLine payload

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Analysis: static1

Detonation Overview

Reported

2023-12-12 01:02

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
(1 match, no details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 01:02

Reported

2023-12-12 01:05

Platform

win7-20231020-en

Max time kernel

39s

Max time network

70s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
(3 matches, no details recorded)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(5 matches, no details recorded)

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
(1 match, no details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B903.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FC79.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A (2 events)
(62 further matches, no details recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (3 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\B903.exe (4 events)
PID 1264 wrote to memory of 2488 N/A N/A C:\Users\Admin\AppData\Local\Temp\FC79.exe (4 events)
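The two tables above are the part of this run worth reading closely. The SCSI rows show the sample opening, querying and then enumerating HKLM\SYSTEM\ControlSet001\Enum\SCSI, the subtree where Windows records attached disks by hardware ID; on a hypervisor that ID carries the virtual disk's vendor and model string, so this is a sandbox/VM check made before the payload chain starts. The WriteProcessMemory rows show PID 1264 writing four times each into the two dropped executables, the shape of code being staged piece by piece into a freshly created process. PID 1264 is not the sample's own process: the first memory dump in the Files section places the sample image at 0x400000 in PID 2968, while 1264 contributes only a small non-image region (0x29F0000-0x2A06000), so the writer is most plausibly an already-running process the loader injected into. The report does not name it, and that reading is mine. The script below is an added example, not part of the report or of the sandbox vendor's tooling; it parses the rows exactly as printed above (copied verbatim into a constant) into an injection map, the root injector PID and the registry operations per process. The column meanings it assumes are stated in its docstring.

```python
"""
Added example, not part of the sandbox report: turns the WriteProcessMemory
and SCSI-registry signature rows into an injection map and a per-process list
of registry operations.

Assumptions (mine, hypothetical): SIGNATURE_ROWS is copied from the
behavioral1 tables; in a WriteProcessMemory row the last column names the
image of the process written to, and "N/A" is a column the sandbox left empty.
"""
import re
from collections import defaultdict

# Constructed excerpt: rows copied from the report's behavioral1 signature tables.
SIGNATURE_ROWS = r"""
Suspicious use of WriteProcessMemory
PID 1264 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\B903.exe
PID 1264 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\B903.exe
PID 1264 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\B903.exe
PID 1264 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\B903.exe
PID 1264 wrote to memory of 2488 N/A N/A C:\Users\Admin\AppData\Local\Temp\FC79.exe
PID 1264 wrote to memory of 2488 N/A N/A C:\Users\Admin\AppData\Local\Temp\FC79.exe
PID 1264 wrote to memory of 2488 N/A N/A C:\Users\Admin\AppData\Local\Temp\FC79.exe
PID 1264 wrote to memory of 2488 N/A N/A C:\Users\Admin\AppData\Local\Temp\FC79.exe
Checks SCSI registry key(s)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ \S+ (\S+)$")
KEY_RE = re.compile(r"^Key (opened|queried|enumerated) (\\\S+) (\S+) \S+$")


def parse_write_rows(text):
    """One (source_pid, target_pid, target_image) per row, duplicates kept."""
    rows = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def injection_map(text):
    """Collapse repeated rows into {(src, dst): {"image": ..., "writes": n}}.
    The write count is kept on purpose: several writes into one target is what
    code being staged section by section looks like, and it separates a single
    probe from an actual injection."""
    out = {}
    for src, dst, image in parse_write_rows(text):
        entry = out.setdefault((src, dst), {"image": image, "writes": 0})
        entry["writes"] += 1
    return out


def root_injectors(text):
    """Source PIDs that never appear as a write target themselves."""
    imap = injection_map(text)
    return {src for src, _ in imap} - {dst for _, dst in imap}


def registry_operations(text, key_suffix=r"\ENUM\SCSI"):
    """{process_image: [operation, ...]} for rows under the given key suffix,
    in the order the sandbox recorded them."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m and m.group(2).upper().endswith(key_suffix.upper()):
            out[m.group(3)].append(m.group(1))
    return dict(out)


def summarize(text):
    """Analyst-facing summary of both signatures as plain data."""
    return {
        "injections": [{"source": s, "target": d, **v}
                       for (s, d), v in injection_map(text).items()],
        "root_injectors": sorted(root_injectors(text)),
        "scsi_checks": registry_operations(text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SIGNATURE_ROWS), indent=2))
```

On the rows above this yields two injection edges of four writes each from PID 1264, 1264 as the only root injector, and one process with the operation sequence opened, queried, enumerated against the SCSI key. The same parser works on the behavioral2 SCSI rows, which record the identical check on Windows 10.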

Processes

C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe

"C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe"

C:\Users\Admin\AppData\Local\Temp\B903.exe

C:\Users\Admin\AppData\Local\Temp\B903.exe

C:\Users\Admin\AppData\Local\Temp\FC79.exe

C:\Users\Admin\AppData\Local\Temp\FC79.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\CEE.exe

C:\Users\Admin\AppData\Local\Temp\CEE.exe

C:\Users\Admin\AppData\Local\Temp\is-9VGPE.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9VGPE.tmp\tuc3.tmp" /SL5="$9011E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\1799.exe

C:\Users\Admin\AppData\Local\Temp\1799.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 - tcp
FR 185.221.198.96:80 185.221.198.96 tcp
MD 176.123.7.190:32927 - tcp
(- = no domain recorded)

Files

memory/2968-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1264-1-0x00000000029F0000-0x0000000002A06000-memory.dmp

memory/2968-2-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B903.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

memory/2904-12-0x0000000000160000-0x000000000019C000-memory.dmp

memory/2904-17-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2904-18-0x0000000007550000-0x0000000007590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FC79.exe

MD5 0d8e2fa98cf4a9b526a5e1051dfb830a
SHA1 a562ebb7cf29fc8a0bba30f3079c2c51662ee834
SHA256 dc02654786525e52038cde2d6f8a3c5fc2ffde7fb7d90b4c85eff6705120991a
SHA512 412018b479a79e63233e39c76ca9c668d4014be032b6614cb347a8101c9492ef71bb023f01978d3332e38ed2ff1a3455737ac9487f8ebb3b8faea6c8981aef80

C:\Users\Admin\AppData\Local\Temp\FC79.exe

MD5 696499f331e4ca49bfdcc867d5b64d35
SHA1 298e7dedbe4631d1da331bc653a3c25eaeed37ce
SHA256 62eb32a3bdcd900b30915de88c6e1fa9d492a373b00b002c343c251aafa58a3e
SHA512 e609c7d824ec75e0fbf90a4fbae929ff1519703754b4e7781b56bb7016630471263151cf0d78ff52e2b82b752b3879f3385971fa6d714416f13acd9b8b64a309

memory/2488-26-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2488-27-0x0000000000FB0000-0x0000000002466000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 953f45892981196ba988d4666c7a7e15
SHA1 8dff535d73051afeb6b529de1a11d9a6aaab1f9c
SHA256 3f0858a5c142eb7a709bd0af5ec3fe01082290c09acfc4684b1d9570493cdcb0
SHA512 9dbd586ef8813ec509c33b5b34046dc3ccc384a59a385b7521da1663e4ddece3669eb59f6bf6254f9937d3d0a41e4b66571e3951ae45fcce1543285a2ff6890a

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 418a5b1e1c4453ea8302f08d002feefb
SHA1 e08a2617af40a5e8fb5a2f778871aedd4e5a0d28
SHA256 e8072208f3e7cc2ceebf8184374c32a990bb7cb398fd1eeb66e84541782355e7
SHA512 0b0b8fa38a070e92c8f2092e6626b896979da1ce2b6cc37deba3be17cfb5f9c3d042d0203c92a64f6c4181a7b9a0d59feaa90d50fdb8e69465e2f25a35f9c83a

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 97667ef0cba48669183044d8b050e506
SHA1 677a82d436fa0eff5e593d787e929bdd042f42e2
SHA256 eb078c989d202b0526374ccaa51bac900bb10687ef1969875a199c3c4af5dfb7
SHA512 9a25c5773ab0e5f83354bfade0ddedfa84f505fad5cffb736313a36f388f5fb6f6c93e55dcec80572e5c8412affffab398042f8b54872b5647633bbc034fb524

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 0b53809016d2b7b406271bc117197d0a
SHA1 73be214a02d10ca5243b7de799071f81081eb6a3
SHA256 2a6bd9c2e1549686bec6a013251c966518dbc35f6a66d7849d4a9cb71becf99e
SHA512 da6c63c9719d07ada1ddf05ffae4dece4fcd535d548b0116c67ce68aa6844213ebf174d52d2965530a941bc43e44c947ed7037f6743fc90be48afbfac7a5d4cc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 248d50f34541f73ca7f4ff407f6e2751
SHA1 16bd3e2dd8e4e401b505970d2c1e0f083c381c19
SHA256 6d25d9172831801942c90bee62507e74ae8f348d953cc3ff53d026987365392f
SHA512 bfd255c96ecb3611a82e6c6e0f106653b8f59507dae93e16541359e9195962168ba887e46c0c192b173fe534acf676dff5e4ad572aecf0f7b41cc62d9037bf63

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 105970e6e7615516ca684307a04ab03b
SHA1 38b223eba68ebb4b7cc718e83b7449feff05c5a4
SHA256 3197eb2f26060490aa88c196cd641afe1edb77923eb2ff1ab702b49f22fa9c8b
SHA512 e7d8433e881b8290f42a325121215501a1dc92f7aa6e52dbf9f9fa7be2c4626b59557b95f1ced73fea1f8b9bc27b436d7d025668ad3c62954ab1665abe1f890f

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 19da9689a1e6da7ea3a2222672d8a3de
SHA1 3de455f20afa2698a4784d1bc217daa8c19e1a72
SHA256 20af66005e123bd0202eed058849d7b7d37e81d0cb243accbfe4aae531ccf6eb
SHA512 f72c367d5a6720d51ec61cd5675adde667616fae14fba5a2432ee4690b6084be6a12f48ca5d38dbef8fe414e42386a379fc53b077212e78429418c7bf4c5f750

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 7f2986ef5d51d8138a2d6c3fc7dc652b
SHA1 96f94095ab30b884af8f5e92ade59f251ab79d0a
SHA256 38f094a8ba201cc6fddc7d0506d6a781f3dda14428ea31caf0eaecb98a4fcac1
SHA512 60ed6990c1431bcc830b132ec6866d605a7bfcf20bc23e7c526be920be85f023ead5c35cda7ca9d24139c7ae7144cb09a25d970498de03933d5196c1196fa62d

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 056fd9f857cbbce2cebf439c74b9dadc
SHA1 c7636c0d1af84b2abee794b495f272c649317c21
SHA256 179f1c5c3b89a69fcd5ad855e577d5d197ce5678cc9aaa7f4516f97385bb620e
SHA512 a234c111f6a369b976487edf9a88344bc1c6a986214e1bb8018852398c8ac2ee7e9573648faa7a9c3a176d7a9a64442738d1bb9685974b08d86c7f930582ffb8

memory/696-60-0x0000000002530000-0x0000000002928000-memory.dmp

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 af5508739fdcc8f0b27bd95c219813ef
SHA1 cc1115f087cd8072c8e603da68627811e86b873e
SHA256 8455d9a0b255a5df7a10e88adb092621dcb80671369b953fe4dd48b7fa44a6ea
SHA512 d7b6a96edb0addac94bb3d620bbbc0231ae4628e6e0e947422542acfc06c14c07ccf5eba22ba05ee9444e5ea419689925f0034516dfd6f2c4925d3d8d28bca30

memory/2832-63-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 7ffcaf98d3c3af0405fda04e4d9cf949
SHA1 07fc4a66b9c23e3761df6f1f6fad9a852fffe450
SHA256 133e0ea0146a04d272047d085401821e0cfdfe7bea7463a0b2cd3a0ab33ec8da
SHA512 76c55495e9f19ba89fd8bbac520f8a72d5d9f9f95fefd5a5c3afa108b1e76d2aba8aed2a0323e72ba0b12f00e04408a1af406f05adeb444e8f8fc9edfed6a2ec

memory/2208-66-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\is-9VGPE.tmp\tuc3.tmp

MD5 1e8e16ce27e0631387da22c5d7092ed3
SHA1 78a83823723ce6177aa19709ecfc1ed4dad78b4e
SHA256 9b8abd659d4c64695f535ebad2012bcc8f7496f4c00f653a1120d7467e529f21
SHA512 4d24156c34d943fff8682049061b3766ce482e8a495a37951cb34526377a6af99f96ec774ada7afe6fd74890c7da22ab16f63f8168e6e8b40abed9ec87fb38ea

memory/1896-96-0x00000000000C0000-0x00000000005B4000-memory.dmp

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 37566c9b167843d7f6b5f57065fb3e7a
SHA1 60fc6f267924cd8a847f9018dbf0df627200bb01
SHA256 bd2b6ffcb25aae0337baa22933f1f4450ba1b207e7e60f9d9b88e510ba122b0f
SHA512 032bd4481a73e5a63a73afac070dc0dfe0c69dfb64f444ef958dfb0ed14d3e5dbf8c39c80dc68b8d7f978caf9b030091cb0bb27845b94ff966874450232992ff

memory/1368-107-0x0000000000240000-0x0000000000241000-memory.dmp

memory/696-95-0x0000000002530000-0x0000000002928000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-NFHSV.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-NFHSV.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-NFHSV.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-9VGPE.tmp\tuc3.tmp

MD5 9db59f68fbf15aebf139e66dd9a390fc
SHA1 bfcae1cb795e5a948e6de914a10b706e81a1458f
SHA256 dcc164c4287aee0be64cf51e81b5a357e6536d4c402ebe2b7480ad02ecb86c87
SHA512 9accb77582c4b26e097bd982ebccb117c18ef90fd426eb8c841adb6556a1772d5866d8bb74069e9b25dd7e2cad4e68033105c09b7016a0a5424ad3aab144decd

C:\Users\Admin\AppData\Local\Temp\CEE.exe

MD5 93398c8013bb66ddf126c97d3832b32c
SHA1 7968af27a58cc14700a29daa895fa7c0c5ece888
SHA256 b780463e4343e9de943116f0a8b668708f1c9668101980ce302dc20f59769d08
SHA512 5b4bd612ff32975fcc1be72c81279f4868faf181f6fe4a8cf27631ac5d9bdd2f07f318e428380cf3f876583f6185ac1a522c4b76de4a01ffa56cf56053da081a

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 865b4bba824fd91790173d606a3a1cff
SHA1 e2e71d1ae9fa291d01f7f479113dfb9dc289b0c0
SHA256 eb10080e63685c85c99c7f6f7ab3a0a84bbce5b0c327a6b448d9ee12301f41dc
SHA512 47c32b5bbc831874369d6a57752d07c782c0137462b0bb1e97beb0a3ee0dfbfbac616d126d95265caf825fae2035ffc4762d120a2a54f61227dd8ea42f017de2

C:\Users\Admin\AppData\Local\Temp\CEE.exe

MD5 9d214697b968db889fdf34f298a2b3dc
SHA1 c89181dabf5fceb954c757e6fd7ab5606e6f42a1
SHA256 8becb5f3c4be6300a6a470a95d338f44dd42b12ef4ee9ee2de35527ba422cadf
SHA512 58d1d7790788c93d2c41b88893618d2873a639cef591c2068bf74ede24ec7340d1bab2d657c407f37ace920ef1bc8d9e11a8e91bda81a3ea6901ed7c58313f1d

memory/2488-111-0x00000000744B0000-0x0000000074B9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-9VGPE.tmp\tuc3.tmp

MD5 e45ae2728aa20c5ac6fc6945db271c29
SHA1 3ccf052d214e6a8f314f3cce515fcda702cc8510
SHA256 8e070075fa15ee5d98d20164b412ed657f5972f0b322582e25ac0849fe366cbc
SHA512 dbb0e687a954bf7d587c41a51886b2d007061da039998dc6dc03d6985894c039a7d509b21800040dce0064f4c1ee76d7f07084fafff989575c633cea055bf7d0

memory/696-112-0x0000000002930000-0x000000000321B000-memory.dmp

memory/1896-113-0x0000000004F10000-0x0000000004F50000-memory.dmp

memory/1896-114-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/696-115-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1799.exe

MD5 ce973ee38359d7301212c684884de31b
SHA1 5daab95ad546a1916e40eb3bc7a52b98c5ec1de9
SHA256 80b7ebd7c02ebe0a225ea55739521bba99af2458caa2c05a7220ba995c345a05
SHA512 cda720bfebc5d728bace8a895e13787867804ea3caf8d246aab011114c64413a56087a10cf3634d1497402156ad410b05daa9f302fb83befab1a346c7ec24a84

C:\Users\Admin\AppData\Local\Temp\1799.exe

MD5 f092ef2fcec98f77e00895546c6d96f1
SHA1 766996196a393ab46bf8beca04573bfb3fe4aadd
SHA256 8fe87f9e498a1b0ed9f0040e317144fd3680f4b05402c218265b8b885412ba11
SHA512 5e22f1f02ad325731c0f85cb1517ba0d16b7c369c92634fa936c662dd79cb5b4bf024484407974755576be8556da98abba1c6aef96d95536d8028afeddb0e7f6

memory/2368-122-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2368-123-0x0000000000810000-0x000000000084C000-memory.dmp

memory/2368-124-0x0000000007230000-0x0000000007270000-memory.dmp
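Before lifting the hashes in this section into a blocklist, three things need checking. The tuc3.exe entry with MD5 d41d8cd98f00b204e9800998ecf8427e and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the hash of zero bytes: the sandbox hashed the file before the installer had written it, and that value would match every empty file on every host. Several paths (InstallSetup9.exe, FC79.exe and tuc3.exe among them) appear with two or three different hashes, so the file was rewritten during the run and a single hash per path under-collects. And the region 0x744B0000-0x74B9E000 is dumped at the identical address in PIDs 2904, 2488, 1896 and 2368, which is what a shared module mapped at its preferred base looks like rather than unique payload, whereas the 0x3C000-byte regions in 2904 and 2368 sit at different bases but match in size, a weak hint that one payload was mapped into more than one process. Note also that the Windows 10 run (behavioral2) recorded no dropped executables and only the 81.19.131.34:80 contact, so every second-stage indicator on this page comes from the Windows 7 run. The script below is an added example, not the report's or the sandbox vendor's code; it parses a trimmed excerpt of this section (copied verbatim, SHA512 lines left out) and applies those three checks. The drive-letter normalisation and the shared-range and same-size rules are my assumptions and heuristics, not part of the report.

```python
"""
Added example, not part of the sandbox report: parses report-style Files
lines into dropped-file hash records and memory-dump regions and applies the
empty-file, rewritten-path and shared-region checks described above.
Assumptions (mine): FILES_EXCERPT is copied verbatim from the behavioral1
Files section minus SHA512 lines; paths group with the drive letter stripped.
"""
import re
from collections import defaultdict

# Constructed excerpt of the report's behavioral1 Files section.
FILES_EXCERPT = r"""
memory/2904-12-0x0000000000160000-0x000000000019C000-memory.dmp
memory/2904-17-0x00000000744B0000-0x0000000074B9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FC79.exe
MD5 0d8e2fa98cf4a9b526a5e1051dfb830a
SHA1 a562ebb7cf29fc8a0bba30f3079c2c51662ee834
SHA256 dc02654786525e52038cde2d6f8a3c5fc2ffde7fb7d90b4c85eff6705120991a
C:\Users\Admin\AppData\Local\Temp\FC79.exe
MD5 696499f331e4ca49bfdcc867d5b64d35
SHA1 298e7dedbe4631d1da331bc653a3c25eaeed37ce
SHA256 62eb32a3bdcd900b30915de88c6e1fa9d492a373b00b002c343c251aafa58a3e
memory/2488-26-0x00000000744B0000-0x0000000074B9E000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
MD5 953f45892981196ba988d4666c7a7e15
SHA1 8dff535d73051afeb6b529de1a11d9a6aaab1f9c
SHA256 3f0858a5c142eb7a709bd0af5ec3fe01082290c09acfc4684b1d9570493cdcb0
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
MD5 418a5b1e1c4453ea8302f08d002feefb
SHA1 e08a2617af40a5e8fb5a2f778871aedd4e5a0d28
SHA256 e8072208f3e7cc2ceebf8184374c32a990bb7cb398fd1eeb66e84541782355e7
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
memory/1896-114-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/2368-122-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/2368-123-0x0000000000810000-0x000000000084C000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+$")
# SHA-256 of zero bytes: the sandbox snapshotted the file before it was written.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def norm(path):
    """Strip the drive letter so both spellings of one file group together."""
    return re.sub(r"^[A-Za-z]:", "", path)


def parse_files(text):
    """Return (file_records, dump_regions) from report-style Files lines."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if m := DUMP_RE.match(line):
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
        elif (m := HASH_RE.match(line)) and current is not None:
            current[m.group(1).lower()] = m.group(2)
        elif PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
    return files, dumps


def empty_files(files):
    """Paths recorded with zero-byte content; their hashes are not indicators."""
    return [f["path"] for f in files if f.get("sha256") == EMPTY_SHA256]


def contents_per_path(files):
    """{path: {sha256, ...}}; more than one hash means the file was rewritten."""
    out = defaultdict(set)
    for f in files:
        if f.get("sha256") and f["sha256"] != EMPTY_SHA256:
            out[norm(f["path"])].add(f["sha256"])
    return dict(out)


def shared_regions(dumps):
    """Ranges dumped at the identical address in two or more processes: the
    signature of a module mapped at its preferred base, not unique payload."""
    by_range = defaultdict(set)
    for d in dumps:
        by_range[(d["start"], d["end"])].add(d["pid"])
    return {r: pids for r, pids in by_range.items() if len(pids) > 1}


def same_size_private_regions(dumps):
    """{size: {pid: range}} for equal-sized, non-shared ranges in different
    processes, a weak hint that one payload was mapped several times."""
    shared = shared_regions(dumps)
    by_size = defaultdict(dict)
    for d in dumps:
        rng = (d["start"], d["end"])
        if rng not in shared:
            by_size[d["end"] - d["start"]][d["pid"]] = rng
    return {size: m for size, m in by_size.items() if len(m) > 1}


if __name__ == "__main__":
    recs, regions = parse_files(FILES_EXCERPT)
    print("empty:", empty_files(recs))
    print("rewritten:", {p: len(h) for p, h in contents_per_path(recs).items() if len(h) > 1})
    print("shared:", {f"{s:#x}-{e:#x}": sorted(p) for (s, e), p in shared_regions(regions).items()})
```

Run against the full section, the rewritten-path check also flags 31839b57a4f11171d6abc8bbc4451ee4.exe, Broom.exe, CEE.exe, latestX.exe, 1799.exe and tuc3.tmp, and the same-size check pairs the 0x40000-byte regions in PIDs 2904, 1896 and 2368; both are leads for manual comparison of the dumps, not verdicts.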

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 01:02

Reported

2023-12-12 01:04

Platform

win10v2004-20231130-en

Max time kernel

150s

Max time network

57s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
(1 match, no details recorded)

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A (2 events)
(62 further matches, no details recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
(3 matches, no details recorded)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
(3 matches, no details recorded)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe

"C:\Users\Admin\AppData\Local\Temp\07902107b4c530865a3051ec06571c24.exe"

Network

Country Destination Domain Proto
RU 81.19.131.34:80 - tcp (2 connections; no domain recorded)

Files

memory/1792-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3348-1-0x0000000002DB0000-0x0000000002DC6000-memory.dmp

memory/1792-3-0x0000000000400000-0x000000000040B000-memory.dmp