Malware Analysis Report

2024-12-08 00:44

Sample ID 240201-fn57rsbha5
Target ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe
SHA256 ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe
Tags
smokeloader pub3 backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe

Threat Level: Known bad

The file ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe was found to be: Known bad.

Malicious Activity Summary

smokeloader pub3 backdoor trojan

SmokeLoader

Downloads MZ/PE file

Drops startup file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-01 05:02

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-01 05:02
Reported: 2024-02-01 05:07
Platform: win7-20231215-en
Max time kernel: 300s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself


Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk C:\Users\Admin\AppData\Local\Temp\DD35.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1996 set thread context of 2264 N/A C:\Users\Admin\AppData\Local\Temp\DD35.exe C:\Users\Admin\AppData\Local\Temp\DD35.exe
PID 1348 set thread context of 2472 N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of SendNotifyMessage


Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1256 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD35.exe 4
PID 1996 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\DD35.exe C:\Users\Admin\AppData\Local\Temp\DD35.exe 11
PID 2264 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\DD35.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe 4
PID 1348 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe 11

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe

"C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe"

C:\Users\Admin\AppData\Local\Temp\DD35.exe

C:\Users\Admin\AppData\Local\Temp\DD35.exe

C:\Users\Admin\AppData\Local\Temp\DD35.exe

C:\Users\Admin\AppData\Local\Temp\DD35.exe

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 sjyey.com udp 1
PE 190.12.87.61:80 sjyey.com tcp 11
US 8.8.8.8:53 emgvod.com udp 1
KR 211.181.24.133:80 emgvod.com tcp 1
PE 190.12.87.61:80 sjyey.com tcp 7

Files

memory/2060-1-0x0000000000500000-0x0000000000600000-memory.dmp

memory/2060-3-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2060-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2060-5-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1256-4-0x00000000029F0000-0x0000000002A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD35.exe

MD5 cf1a67650c020537c07838743ebe6a7a
SHA1 42d191e8def32428357388f2b200f6fa04496811
SHA256 70fa2c68e183898a0795d708cb87dd5a7104c45a535fbe445448c64fe2717450
SHA512 f0c11fc7c303144ceacbf3decbf3940d6d08841c76d6e8cc974605d7342a67d09240e1e33e57561793b48377dfe7a1048d4bab4808a4aefef116020a8a39efb7

memory/1996-17-0x0000000000220000-0x00000000002A0000-memory.dmp

memory/1996-18-0x0000000000220000-0x00000000002A0000-memory.dmp

memory/1996-19-0x00000000004D0000-0x0000000000562000-memory.dmp

memory/2264-27-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2264-29-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2264-24-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2264-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2264-41-0x0000000000400000-0x0000000000493000-memory.dmp

memory/1348-43-0x0000000000220000-0x00000000002A0000-memory.dmp

memory/2472-53-0x0000000000400000-0x0000000000493000-memory.dmp

memory/1348-45-0x0000000000220000-0x00000000002A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

MD5 84536a34c3630e7f783c39bc7a1d2b81
SHA1 9056b7f2b22630689aafcb930db5c0eb1e6f017a
SHA256 3ae62634b4106f267f43274e32a4eeff8d2430dcc357bf1f8fa0df7f3d409e0c
SHA512 a5b174df0c39a7d7f19a20ead8d6392deeef5b078a2a199df1ac2fbaee8e60316f99a23bcccb885ff1cdb16d15d8d63064a9ba1ba52e4c803daf951202be928a

memory/1996-55-0x00000000004D0000-0x0000000000562000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-01 05:02
Reported: 2024-02-01 05:07
Platform: win10-20231215-en
Max time kernel: 177s
Max time network: 293s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself


Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk C:\Users\Admin\AppData\Local\Temp\1FF7.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3320 set thread context of 876 N/A C:\Users\Admin\AppData\Local\Temp\1FF7.exe C:\Users\Admin\AppData\Local\Temp\1FF7.exe
PID 2976 set thread context of 1904 N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3216 wrote to memory of 3320 N/A N/A C:\Users\Admin\AppData\Local\Temp\1FF7.exe 3
PID 3320 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\1FF7.exe C:\Users\Admin\AppData\Local\Temp\1FF7.exe 10
PID 876 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\1FF7.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe 3
PID 2976 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe 10

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe

"C:\Users\Admin\AppData\Local\Temp\ed1d83d1de27fb4255166c51989afa961508d8205cf89657f9066658b9e93abe.exe"

C:\Users\Admin\AppData\Local\Temp\1FF7.exe

C:\Users\Admin\AppData\Local\Temp\1FF7.exe

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Users\Admin\AppData\Local\Temp\1FF7.exe

C:\Users\Admin\AppData\Local\Temp\1FF7.exe

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 sjyey.com udp 1
KR 58.151.148.90:80 sjyey.com tcp 2
US 8.8.8.8:53 90.148.151.58.in-addr.arpa udp 1
KR 58.151.148.90:80 sjyey.com tcp 9
US 8.8.8.8:53 emgvod.com udp 1
KR 211.168.53.110:80 emgvod.com tcp 1
US 8.8.8.8:53 110.53.168.211.in-addr.arpa udp 1
KR 58.151.148.90:80 sjyey.com tcp 5
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp 1
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp 1
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp 1
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp 1
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp 1
KR 58.151.148.90:80 N/A tcp 2

Files

memory/292-3-0x0000000000400000-0x0000000000455000-memory.dmp

memory/292-2-0x00000000005A0000-0x00000000005AB000-memory.dmp

memory/292-1-0x0000000000630000-0x0000000000730000-memory.dmp

memory/292-5-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3216-4-0x00000000008F0000-0x0000000000906000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1FF7.exe

MD5 0a21007666f58495fdad3addab848ec0
SHA1 3be245a9a4e14a167fd3f38b87054f454a330356
SHA256 86714673a5e96b2208419b16f0ff345cc054e3d107903b0da78efabbca6de5ef
SHA512 de192af4c4a5d6f89c3eb3f0215bf0318a931b824938988e4fc53881ed7af72da8eee6e9c3417ae5c29764bdcc12d8a66f3da37a7718ae06386b49a65f76cb4a

memory/876-19-0x0000000000400000-0x0000000000493000-memory.dmp

memory/876-23-0x0000000000400000-0x0000000000493000-memory.dmp

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 7f28d665f03f54b1e37c39c2d28ad802
SHA1 fc9000abc3e536b67e2a3d6e23d3ad65bfc9d16a
SHA256 d2bd07ee8fee4c987460a9755a2648e6087397d3cc3c73bcbd600fa736c9b577
SHA512 e14ebd868e45a3b6b3159550315b7563adede166706fdc5b804ca935eb2898181462af05440c04a14a9aed1a3cb7bf1ed3cc176976a84afaf12bcf375e96bd5b

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe (zero-byte copy: the hashes below are those of an empty file)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1904-38-0x0000000000400000-0x0000000000493000-memory.dmp

memory/1904-37-0x0000000000400000-0x0000000000493000-memory.dmp

memory/1904-36-0x0000000000400000-0x0000000000493000-memory.dmp

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 d2f9ce4b049d79df63448ffe92998062
SHA1 460b782de4fdf71570a4462204c7ffcc79e26f0a
SHA256 74f8f16e72bb3893fd94d818c1d06d8e0143af9aa3ecef874fb79e250fa133a0
SHA512 aa0d009ade7800593d333a4d8397360f86b699934e53b0311d1f56df8da23b86ae5975ffe87ea979a53fa272b0c154d326a369b77e1eecfde14bb32fb4a4d2d0

memory/2976-33-0x0000000002010000-0x0000000002092000-memory.dmp

memory/876-29-0x0000000000400000-0x0000000000493000-memory.dmp

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 36d22f47b7d6d0a9304962504d116b1f
SHA1 a5c9914767f5b6d252ea2e2af5c22255cc2657db
SHA256 5c2a45ecf26472ab2a48b4d124a265215c54786c49b8d9899364e1561a3e84e7
SHA512 ca556050661d0bd24b37b4aca04c826cb05d66b45b4468e25e876971087379c5b5ec3fb6b22df609d2c29def41a1c59e299591e982113d598450006373ee536e

memory/3320-22-0x00000000021A0000-0x0000000002232000-memory.dmp

memory/3320-20-0x0000000002110000-0x0000000002193000-memory.dmp

memory/876-18-0x0000000000400000-0x0000000000493000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1FF7.exe

MD5 1b009c0f428c44ee9c30f0d74c403b8a
SHA1 24dcace750733899bf43df2a9911fb9f27eac967
SHA256 c6efec6ae131b0e6e7350274206a1f19f4df44c34b29d3fc8ab17357e7694fdc
SHA512 4b5416768cd03c5e7731bd958478585d8dfabaa13f58730dc7656590f9800860ccdb5ec807427e0575a493c77789f92f167aacaa2749ae513d577034d9549bea

memory/876-16-0x0000000000400000-0x0000000000493000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1FF7.exe

MD5 e31ed3f4e878f7c5b93c699b053cbbf4
SHA1 62f935f9da3d2bb4bf1fe83d2209e5e4d2ff0c06
SHA256 4a7b225b123153c6b9ebf6f0324a7a40f9e847eaeea69cd511cb0c4b9e5c4586
SHA512 23483d70e8c42534c2fc729397064124ec6d809ac419cfe704f4cbeb83ffa8e6aadf01d48b9847b74301a3b62d4d1c53ae27668f658c6d8453152383f2350546

memory/3320-40-0x00000000021A0000-0x0000000002232000-memory.dmp