Malware Analysis Report

2025-03-15 05:14

Sample ID 231212-m1enxabfgq
Target 0x00080000000153cf-137.dat
SHA256 f09b9d6206fc123d33ecb35df6953a76895e19b0ece09be5978a14a2f948c4d2
Tags
smokeloader redline @oleh_ps livetraffic backdoor infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f09b9d6206fc123d33ecb35df6953a76895e19b0ece09be5978a14a2f948c4d2

Threat Level: Known bad

The file 0x00080000000153cf-137.dat was found to be: Known bad.

Malicious Activity Summary

smokeloader redline @oleh_ps livetraffic backdoor infostealer trojan

Smokeloader family

RedLine payload

SmokeLoader

RedLine

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-12 10:55

Signatures

Smokeloader family

smokeloader

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 10:55

Reported

2023-12-12 10:58

Platform

win7-20231023-en

Max time kernel

38s

Max time network

84s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe"

Signatures

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\99CF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D99E.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1268 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\99CF.exe
PID 1268 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\99CF.exe
PID 1268 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\99CF.exe
PID 1268 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\99CF.exe
PID 1268 wrote to memory of 1404 N/A N/A C:\Users\Admin\AppData\Local\Temp\D99E.exe
PID 1268 wrote to memory of 1404 N/A N/A C:\Users\Admin\AppData\Local\Temp\D99E.exe
PID 1268 wrote to memory of 1404 N/A N/A C:\Users\Admin\AppData\Local\Temp\D99E.exe
PID 1268 wrote to memory of 1404 N/A N/A C:\Users\Admin\AppData\Local\Temp\D99E.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe

"C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe"

C:\Users\Admin\AppData\Local\Temp\99CF.exe

C:\Users\Admin\AppData\Local\Temp\99CF.exe

C:\Users\Admin\AppData\Local\Temp\D99E.exe

C:\Users\Admin\AppData\Local\Temp\D99E.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-2MQGA.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2MQGA.tmp\tuc3.tmp" /SL5="$501A0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\EE18.exe

C:\Users\Admin\AppData\Local\Temp\EE18.exe

C:\Users\Admin\AppData\Local\Temp\F2CB.exe

C:\Users\Admin\AppData\Local\Temp\F2CB.exe

C:\Users\Admin\AppData\Local\Temp\F635.exe

C:\Users\Admin\AppData\Local\Temp\F635.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 tcp
FR 185.221.198.96:80 185.221.198.96 tcp
MD 176.123.7.190:32927 tcp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 10:55

Reported

2023-12-12 10:58

Platform

win10v2004-20231130-en

Max time kernel

150s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe

"C:\Users\Admin\AppData\Local\Temp\0x00080000000153cf-137.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
RU 81.19.131.34:80 tcp
RU 81.19.131.34:80 tcp