Malware Analysis Report

2025-03-15 05:01

Sample ID 231212-m42ylsdch2
Target 0x0006000000015e1b-569.dat
SHA256 d9c0cc0bfc71605c5cb7c609c3de7a5544c50d2d66d049495f17d70b9ea98757
Tags
smokeloader glupteba redline @oleh_ps livetraffic up3 backdoor dropper evasion infostealer loader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9c0cc0bfc71605c5cb7c609c3de7a5544c50d2d66d049495f17d70b9ea98757

Threat Level: Known bad

The file 0x0006000000015e1b-569.dat was found to be: Known bad.

Malicious Activity Summary

RedLine

Glupteba payload

Smokeloader family

Glupteba

SmokeLoader

RedLine payload

Downloads MZ/PE file

Modifies Windows Firewall

Executes dropped EXE

Deletes itself

Unsigned PE

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-12 11:01

Signatures

Smokeloader family

smokeloader

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 11:01

Reported

2023-12-12 11:04

Platform

win7-20231020-en

Max time kernel

69s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8D80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C4D6.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D80.exe
PID 1192 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D80.exe
PID 1192 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D80.exe
PID 1192 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D80.exe
PID 1192 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\Temp\C4D6.exe
PID 1192 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\Temp\C4D6.exe
PID 1192 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\Temp\C4D6.exe
PID 1192 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\Temp\C4D6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe"

C:\Users\Admin\AppData\Local\Temp\8D80.exe

C:\Users\Admin\AppData\Local\Temp\8D80.exe

C:\Users\Admin\AppData\Local\Temp\C4D6.exe

C:\Users\Admin\AppData\Local\Temp\C4D6.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-233KN.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-233KN.tmp\tuc3.tmp" /SL5="$2018E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231212110243.log C:\Windows\Logs\CBS\CbsPersist_20231212110243.cab

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3A83.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3CE4.bat" "

C:\Users\Admin\AppData\Local\Temp\403F.exe

C:\Users\Admin\AppData\Local\Temp\403F.exe

C:\Users\Admin\AppData\Local\Temp\42C0.exe

C:\Users\Admin\AppData\Local\Temp\42C0.exe

C:\Users\Admin\AppData\Local\Temp\4521.exe

C:\Users\Admin\AppData\Local\Temp\4521.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 tcp
US 8.8.8.8:53 5162cc51-6575-40b4-89fa-56223bb49692.uuid.myfastupdate.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 tcp
FR 185.221.198.96:80 tcp
RU 212.193.52.24:80 tcp
RU 212.193.52.24:80 host-host-file8.com tcp
MD 176.123.7.190:32927 tcp
US 172.67.167.33:443 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 11:01

Reported

2023-12-12 11:04

Platform

win10v2004-20231130-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A
Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000015e1b-569.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 81.19.131.34:80 tcp
RU 81.19.131.34:80 tcp

Files

memory/2108-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3320-1-0x0000000003230000-0x0000000003246000-memory.dmp

memory/2108-2-0x0000000000400000-0x000000000040B000-memory.dmp