Analysis Overview
SHA256
85fd0d293f29d7846d05f287a36ccf3306dde237d6da30afd89d9f04609bced0
Threat Level: Known bad
The file c75b4dca6b8b6a0dc76cd086ebce080c was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Loads dropped DLL
Deletes itself
Program crash
Unsigned PE
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-28 05:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-28 05:25
Reported
2024-01-08 06:40
Platform
win10v2004-20231222-en
Max time kernel
81s
Max time network
149s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\wbcctbf |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
62 further EnumeratesProcesses events were recorded with no process or target details.
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe
"C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1584 -ip 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 392
C:\Users\Admin\AppData\Roaming\wbcctbf
C:\Users\Admin\AppData\Roaming\wbcctbf
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4804 -ip 4804
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| N/A | 40.68.123.157:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.68.123.157:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 51.124.78.146:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.68.123.157:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.165.164.15:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| SG | 172.104.187.4:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 51.124.78.146:443 | | tcp |
| N/A | 89.19.30.75:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.50:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 51.124.78.146:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 92.123.241.104:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.68.123.157:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 192.64.119.13:80 | | tcp |
| N/A | 52.165.164.15:443 | | tcp |
| N/A | 92.123.241.104:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.68.123.157:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.50:80 | | tcp |
| N/A | 40.68.123.157:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 91.195.240.19:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 87.248.205.0:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.54.110.119:443 | | tcp |
| N/A | 52.165.164.15:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.50:80 | | tcp |
| N/A | 138.91.171.81:80 | | tcp |
| GB | 87.248.205.0:80 | | tcp |
| GB | 87.248.205.0:80 | | tcp |
| GB | 87.248.205.0:80 | | tcp |
| GB | 87.248.205.0:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 87.248.205.0:80 | | tcp |
| GB | 87.248.205.0:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 87.248.205.0:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 87.248.205.0:80 | | tcp |
| GB | 87.248.205.0:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| GB | 87.248.205.0:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.173:80 | | tcp |
| GB | 96.17.178.173:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.173:80 | | tcp |
| NL | 20.31.169.57:443 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 20.31.169.57:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 20.31.169.57:443 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.74.47.205:443 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
Files
memory/1584-3-0x0000000002E20000-0x0000000002E29000-memory.dmp
memory/1584-1-0x0000000002EB0000-0x0000000002FB0000-memory.dmp
memory/1584-7-0x0000000000400000-0x0000000002B7B000-memory.dmp
memory/3472-8-0x00000000025F0000-0x0000000002605000-memory.dmp
memory/1584-11-0x0000000000400000-0x0000000002B7B000-memory.dmp
memory/4804-23-0x0000000002E70000-0x0000000002F70000-memory.dmp
memory/4804-24-0x0000000000400000-0x0000000002B7B000-memory.dmp
memory/3472-25-0x0000000002000000-0x0000000002015000-memory.dmp
memory/4804-28-0x0000000000400000-0x0000000002B7B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-28 05:25
Reported
2024-01-08 06:40
Platform
win7-20231129-en
Max time kernel
97s
Max time network
123s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\tcjvcrg |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
62 further EnumeratesProcesses events were recorded with no process or target details.
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe
"C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {26CAE043-CB86-4B8F-963D-2C6FB5698692} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\tcjvcrg
C:\Users\Admin\AppData\Roaming\tcjvcrg
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 124
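The Processes lists of both detonations (win10 above, win7 here) show the same shape: the sample runs from the user's Temp directory, a copy is written as an extensionless file with a random-looking seven-letter name directly under AppData\Roaming (wbcctbf on win10, tcjvcrg on win7), on win7 that copy is started by taskeng.exe, the scheduled-task host, which matches the "Uses Task Scheduler COM API" signature, and WerFault.exe is invoked with "-p <pid>" against both the original and the copy, which is where the "Program crash" rows come from. The Python below is an added triage example, not sandbox output or code from the sample: it runs three rules over process-creation events and correlates the WerFault command lines back to the crashing image. The events are constructed to mirror the two lists, and the parent PIDs are assumed because the report does not record them.

```python
import re

# Constructed process-creation events shaped as (pid, parent_pid, image, command_line).
# They mirror the Processes lists in this report (win10 and win7 runs merged into one list);
# the parent PIDs are assumed because the report does not record them.
SAMPLE_EVENTS = [
    (1584, 3000, r"C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\c75b4dca6b8b6a0dc76cd086ebce080c.exe"'),
    (2200, 1584, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 392"),
    (4804, 3472, r"C:\Users\Admin\AppData\Roaming\wbcctbf",
     r"C:\Users\Admin\AppData\Roaming\wbcctbf"),
    (4900, 4804, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4804 -ip 4804"),
    (1100, 500, r"C:\Windows\system32\taskeng.exe",
     r"taskeng.exe {26CAE043-CB86-4B8F-963D-2C6FB5698692} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]"),
    (960, 1100, r"C:\Users\Admin\AppData\Roaming\tcjvcrg",
     r"C:\Users\Admin\AppData\Roaming\tcjvcrg"),
    # Benign control (assumed): a real application living in a Roaming subfolder, with an extension.
    (5100, 3472, r"C:\Users\Admin\AppData\Roaming\Zoom\bin\Zoom.exe",
     r'"C:\Users\Admin\AppData\Roaming\Zoom\bin\Zoom.exe"'),
]

# A file sitting directly in the Roaming root (no subfolder); the name must also lack an extension.
ROAMING_ROOT = re.compile(r"\\AppData\\Roaming\\([^\\]+)$", re.IGNORECASE)
# WerFault's "-p <pid>" names the crashing process; "-pss" and "-ip" must not match.
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)", re.IGNORECASE)


def is_extensionless_roaming_file(image: str) -> bool:
    m = ROAMING_ROOT.search(image)
    return bool(m) and "." not in m.group(1)


def werfault_crashed_pid(image: str, cmdline: str):
    """PID that WerFault was invoked for, or None if this is not a WerFault event."""
    if not image.lower().endswith(r"\werfault.exe"):
        return None
    m = WERFAULT_PID.search(cmdline)
    return int(m.group(1)) if m else None


def triage(events):
    """Return (rule, pid, image) findings in event order."""
    image_of = {pid: image for pid, _, image, _ in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        if is_extensionless_roaming_file(image):
            findings.append(("roaming_dropper", pid, image))
            # Launched by the scheduled-task host: persistence already in place.
            if image_of.get(ppid, "").lower().endswith(r"\taskeng.exe"):
                findings.append(("scheduled_task_launch", pid, image))
        crashed = werfault_crashed_pid(image, cmdline)
        if crashed is not None:
            # Map the crash back to the image so the "Program crash" target is explicit.
            findings.append(("werfault_crash", crashed, image_of.get(crashed, "<unknown>")))
    return findings


if __name__ == "__main__":
    for rule, pid, image in triage(SAMPLE_EVENTS):
        print(f"{rule:22} pid={pid:<5} {image}")
```

The Roaming-root rule is the one worth carrying into a production detection: legitimate software installs into a subfolder of Roaming and keeps its extension, so an extensionless file executed from the Roaming root is rare enough to alert on by itself. On Windows 10 the task host is svchost.exe (Schedule service) rather than taskeng.exe, so the parent check would need that parent added there.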
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | conceitosseg.com | udp |
| US | 8.8.8.8:53 | integrasidata.com | udp |
| SG | 172.104.187.4:80 | integrasidata.com | tcp |
| US | 8.8.8.8:53 | ozentekstil.com | udp |
| TR | 89.19.30.75:80 | ozentekstil.com | tcp |
| TR | 89.19.30.75:80 | ozentekstil.com | tcp |
| US | 8.8.8.8:53 | finbelportal.com | udp |
| US | 8.8.8.8:53 | telanganadigital.com | udp |
| US | 192.64.119.13:80 | telanganadigital.com | tcp |
| US | 8.8.8.8:53 | www.telanganadigital.com | udp |
| DE | 91.195.240.19:80 | www.telanganadigital.com | tcp |
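The win7 Network table is the one that carries indicator value: it keeps the name next to the address, so it shows that conceitosseg.com and finbelportal.com were only looked up while integrasidata.com, ozentekstil.com, telanganadigital.com and www.telanganadigital.com each answered and received a TCP session on port 80, consistent with a loader walking a list of hosts until one responds. The win10 table above reaches the same four addresses (172.104.187.4, 89.19.30.75, 192.64.119.13, 91.195.240.19) but the exporter dropped the Domain column for those rows, and the rest of that table is reverse (in-addr.arpa) lookups and unnamed port 80/443 traffic that carry no indicator value on their own. The Python below is an added example, not sandbox tooling: it parses rows in the table's own layout, including rows where the protocol has slid into the Domain column, and separates hosts that were actually contacted from names that were merely resolved. The table text is a constructed excerpt of both Network sections, and the baseline suffix list is an assumption standing in for an analyst's own sandbox baseline.

```python
import re

# Constructed excerpt of the Network tables in this report (win7 rows plus a few win10 rows),
# kept in the exporter's own layout so the parser sees both row shapes.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| N/A | 40.68.123.157:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | conceitosseg.com | udp |
| US | 8.8.8.8:53 | integrasidata.com | udp |
| SG | 172.104.187.4:80 | integrasidata.com | tcp |
| US | 8.8.8.8:53 | ozentekstil.com | udp |
| TR | 89.19.30.75:80 | ozentekstil.com | tcp |
| TR | 89.19.30.75:80 | ozentekstil.com | tcp |
| US | 8.8.8.8:53 | finbelportal.com | udp |
| US | 8.8.8.8:53 | telanganadigital.com | udp |
| US | 192.64.119.13:80 | telanganadigital.com | tcp |
| US | 8.8.8.8:53 | www.telanganadigital.com | udp |
| DE | 91.195.240.19:80 | www.telanganadigital.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

# One table row: four cells, trailing pipe optional (the last row of the report lacks it).
ROW = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|?\s*$")

# Names the detonation VM talks to on its own; an assumed stand-in for a real sandbox baseline.
BASELINE_SUFFIXES = (".bing.net",)


def parse_rows(text):
    """Return (country, destination, domain, proto) tuples, skipping the header row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(1) == "Country":
            continue
        country, dest, domain, proto = m.groups()
        # Rows without a domain leave the exporter with the protocol in the Domain column.
        if domain in ("tcp", "udp") and not proto:
            domain, proto = "", domain
        if domain == "N/A":
            domain = ""
        rows.append((country, dest, domain, proto))
    return rows


def extract_iocs(rows, baseline=BASELINE_SUFFIXES):
    """Split the table into contacted hosts, resolved-only names, baseline noise and leftovers."""
    queried, contacted, baseline_hits, unattributed = set(), {}, {}, set()
    reverse_lookups = 0
    for country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if port == "53" and proto == "udp":
            # A DNS query proves the name was looked up, not that anything answered.
            if domain.endswith(".in-addr.arpa"):
                reverse_lookups += 1
            elif domain:
                queried.add(domain)
            continue
        if not domain:
            unattributed.add(dest)
        elif domain.endswith(baseline):
            baseline_hits.setdefault(domain, set()).add(host)
        else:
            contacted.setdefault(domain, set()).add(host)
    return {
        "contacted": contacted,                                          # name -> IPs with a TCP session
        "queried_only": queried - set(contacted) - set(baseline_hits),   # resolved, never connected
        "baseline": baseline_hits,
        "unattributed": unattributed,                                    # IP:port with no name in the table
        "reverse_lookups": reverse_lookups,
    }


if __name__ == "__main__":
    result = extract_iocs(parse_rows(SAMPLE_TABLE))
    for name, ips in sorted(result["contacted"].items()):
        print(f"contacted     {name:28} {', '.join(sorted(ips))}")
    for name in sorted(result["queried_only"]):
        print(f"queried only  {name}")
```

Treat the two groups differently when blocking: names in "contacted" are confirmed infrastructure for this sample, while "queried_only" names are still worth a DNS block because the loader tried them first and they may come back online.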
Files
\Users\Admin\AppData\Local\Temp\CC4F.tmp
| MD5 | 36ca5b2daa4e58c5615ac1a9a7a6b699 |
| SHA1 | 8f67423a5862010a80442cd5680bfe685cec6248 |
| SHA256 | 7c88ded1744ecd06994f0bf0301b62197bdd44be4367b9f7202c11c2f8e1c7c1 |
| SHA512 | 4a8d1f18ab11636817e3601674490fa5659b5fc0f01ef97251d53b21b780fdc0a49d1d540eca81859bd0d51a4d93b3c2f77e900313235f22f15cf23e00be4d39 |
memory/2988-3-0x0000000000220000-0x0000000000229000-memory.dmp
memory/2988-6-0x0000000000400000-0x0000000002B7B000-memory.dmp
memory/2988-2-0x0000000002CC0000-0x0000000002DC0000-memory.dmp
memory/1216-7-0x0000000002D70000-0x0000000002D85000-memory.dmp
memory/2988-8-0x0000000000400000-0x0000000002B7B000-memory.dmp
memory/960-18-0x0000000002D40000-0x0000000002E40000-memory.dmp
memory/960-19-0x0000000000400000-0x0000000002B7B000-memory.dmp