Analysis Overview
SHA256
e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd
Threat Level: Known bad
The file e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-19 00:05
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-19 00:05
Reported
2024-02-19 00:10
Platform
win7-20231215-en
Max time kernel
300s
Max time network
119s
Command Line
Signatures
SmokeLoader
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ciifgtu | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ciifgtu | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ciifgtu | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ciifgtu | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ciifgtu | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2952 wrote to memory of 1716 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\ciifgtu |
| PID 2952 wrote to memory of 1716 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\ciifgtu |
| PID 2952 wrote to memory of 1716 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\ciifgtu |
| PID 2952 wrote to memory of 1716 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\ciifgtu |
Processes
C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
"C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {189493B3-9750-4FF3-BE8C-0572A1BBBE27} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\ciifgtu
C:\Users\Admin\AppData\Roaming\ciifgtu
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 175.119.10.231:80 | sjyey.com | tcp |
| KR | 175.119.10.231:80 | sjyey.com | tcp |
| KR | 175.119.10.231:80 | sjyey.com | tcp |
| KR | 175.119.10.231:80 | sjyey.com | tcp |
| KR | 175.119.10.231:80 | sjyey.com | tcp |
| KR | 175.119.10.231:80 | sjyey.com | tcp |
| KR | 175.119.10.231:80 | sjyey.com | tcp |
Files
memory/2052-1-0x00000000005F0000-0x00000000006F0000-memory.dmp
memory/2052-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2052-3-0x0000000000400000-0x000000000044A000-memory.dmp
memory/2052-5-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1188-4-0x0000000002D40000-0x0000000002D56000-memory.dmp
C:\Users\Admin\AppData\Roaming\ciifgtu
| MD5 | 7c376aee2b6cbf0e428d06ddcfca9b07 |
| SHA1 | da5068dc6f5b6e72b4c440c0b6213fc4aaca9c70 |
| SHA256 | e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd |
| SHA512 | f49cbe26ff3ab729914071aa736f7673e2423e4f78d76f0e2617e8c276e8b4fca955213b9280859bc4f91ac4683845fc03ac9b4421d8fdbf233ccfad14a1bc33 |
memory/1716-14-0x0000000000270000-0x0000000000370000-memory.dmp
memory/1716-15-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1188-16-0x0000000002490000-0x00000000024A6000-memory.dmp
memory/1716-19-0x0000000000400000-0x000000000044A000-memory.dmp
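Read together, the behavioral1 signatures above describe one chain rather than a set of unrelated events: the sample queries Enum\SCSI (the key that lists disk identifiers, which is a common way to fingerprint a virtual machine), maps a section into a process outside its own tree (the memory dumps tagged PID 1188 belong to a process that appears nowhere in the process list), and persists a byte-identical copy, the dropped file's hashes match the submitted sample's, as an extensionless file in %APPDATA%\Roaming that taskeng.exe later starts as a scheduled task. The four WriteProcessMemory rows are taskeng.exe writing into the child it has just created, which every parent does, so on their own they carry little signal. The following added example is not part of the sandbox report: it scores a constructed Sysmon-style event stream for that chain and only flags a process that collects two distinct indicators. The event schema, the parent images, the explorer.exe parent PID 1456 and the benign browser process are assumptions made for the example; the other PIDs, paths and registry key are the ones recorded above.

```python
"""Added example (not part of the sandbox report): score Sysmon-style events for the
behaviour chain recorded in behavioral1 above. Event schema, parent images, the
explorer.exe parent PID and the benign browser are constructed for this example."""
import re

# Both runs dropped a copy as %APPDATA%\Roaming\<short lowercase name>, no extension.
DROP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\[a-z]{5,9}$")
# Enum\SCSI lists disk identifiers; reading it is a common virtual-machine check.
SCSI_KEY_RE = re.compile(r"\\Enum\\SCSI(\\|$)", re.IGNORECASE)
# Scheduled-task hosts: taskeng.exe on Windows 7, svchost.exe (Schedule) on Windows 10.
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}
MIN_HITS = 2  # each indicator alone is noisy; require two distinct ones per process


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_events(events):
    """Return {pid: {"image": str, "hits": [str, ...]}} for every process that
    collects at least MIN_HITS distinct indicators. Events must be in time order
    so that a process_create precedes writes into that process."""
    procs = {}

    def proc(pid, image="", ppid=None):
        p = procs.setdefault(pid, {"image": image, "ppid": ppid, "hits": set()})
        if image and not p["image"]:
            p["image"] = image
        if ppid is not None and p["ppid"] is None:
            p["ppid"] = ppid
        return p

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            p = proc(ev["pid"], ev["image"], ev["ppid"])
            if DROP_RE.match(ev["image"]):
                p["hits"].add("extensionless executable under %APPDATA%\\Roaming")
            if _basename(ev["parent_image"]) in TASK_HOSTS:
                p["hits"].add("started by scheduled-task host " + _basename(ev["parent_image"]))
        elif kind == "registry_query":
            if SCSI_KEY_RE.search(ev["key"]):
                proc(ev["pid"])["hits"].add("queries HKLM\\SYSTEM\\...\\Enum\\SCSI (VM fingerprinting)")
        elif kind in ("process_write", "section_map"):
            src, dst = ev["pid"], ev["target_pid"]
            # A parent writing into the child it just created is normal (the
            # taskeng.exe -> ciifgtu rows above); only other writers are interesting.
            if src != dst and proc(dst)["ppid"] != src:
                proc(src)["hits"].add("%s into pid %d" % (kind, dst))
        elif kind == "network_connect":
            p = proc(ev["pid"])
            if ev["dst_port"] == 80 and DROP_RE.match(p["image"]):
                p["hits"].add("plain HTTP from dropped executable to " + ev["dst"])

    return {pid: {"image": p["image"], "hits": sorted(p["hits"])}
            for pid, p in procs.items() if len(p["hits"]) >= MIN_HITS}


SAMPLE_EXE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
              "e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Roaming\\ciifgtu"
SCSI_KEY = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI"

# Constructed stream modelled on behavioral1. PIDs 2052, 2952, 1716 and 1188 come
# from the report; PID 1456 (explorer.exe) and the browser process are assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2052, "ppid": 1456, "image": SAMPLE_EXE,
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "registry_query", "pid": 2052, "key": SCSI_KEY},
    {"type": "section_map", "pid": 2052, "target_pid": 1188},    # 1188 is not in the tree
    {"type": "process_create", "pid": 1716, "ppid": 2952, "image": DROPPED,
     "parent_image": "C:\\Windows\\system32\\taskeng.exe"},
    {"type": "process_write", "pid": 2952, "target_pid": 1716},  # parent -> child: benign
    {"type": "registry_query", "pid": 1716, "key": SCSI_KEY},
    {"type": "network_connect", "pid": 1716, "dst": "175.119.10.231", "dst_port": 80},
    {"type": "process_create", "pid": 4100, "ppid": 1456,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "network_connect", "pid": 4100, "dst": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for pid, info in sorted(score_events(SAMPLE_EVENTS).items()):
        print(pid, info["image"] or "<pre-existing>", *info["hits"], sep="\n  ")
```

On the constructed stream the sample process (2052) is flagged for the SCSI query plus the section map into PID 1188, and the persisted copy (1716) for its drop path, its taskeng.exe parent, the SCSI query and the port-80 connection; taskeng.exe and the browser collect no indicators.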
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-19 00:05
Reported
2024-02-19 00:10
Platform
win10-20240214-en
Max time kernel
300s
Max time network
294s
Command Line
Signatures
SmokeLoader
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cftgviw | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\cftgviw | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\cftgviw | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\cftgviw | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cftgviw | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
"C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe"
C:\Users\Admin\AppData\Roaming\cftgviw
C:\Users\Admin\AppData\Roaming\cftgviw
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 110.53.168.211.in-addr.arpa | udp |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp |
Files
memory/2536-1-0x00000000006D0000-0x00000000007D0000-memory.dmp
memory/2536-2-0x00000000004B0000-0x00000000004BB000-memory.dmp
memory/2536-3-0x0000000000400000-0x000000000044A000-memory.dmp
memory/3404-4-0x0000000000B30000-0x0000000000B46000-memory.dmp
memory/2536-5-0x0000000000400000-0x000000000044A000-memory.dmp
C:\Users\Admin\AppData\Roaming\cftgviw
| MD5 | 7c376aee2b6cbf0e428d06ddcfca9b07 |
| SHA1 | da5068dc6f5b6e72b4c440c0b6213fc4aaca9c70 |
| SHA256 | e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd |
| SHA512 | f49cbe26ff3ab729914071aa736f7673e2423e4f78d76f0e2617e8c276e8b4fca955213b9280859bc4f91ac4683845fc03ac9b4421d8fdbf233ccfad14a1bc33 |
memory/3264-14-0x00000000006D0000-0x00000000007D0000-memory.dmp
memory/3264-15-0x0000000000400000-0x000000000044A000-memory.dmp
memory/3404-16-0x0000000002910000-0x0000000002926000-memory.dmp
memory/3264-17-0x0000000000400000-0x000000000044A000-memory.dmp
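The two runs resolved sjyey.com to different Korean addresses (175.119.10.231 in behavioral1, 211.168.53.110 in behavioral2), so the domain is the durable network indicator and the addresses are secondary. The 8.8.8.8:53 rows are the sandbox's resolver, and the in-addr.arpa rows are reverse lookups, four of them for addresses that appear nowhere else in the trace, which is background noise rather than contact with a host. The dropped file's hashes are identical to the submitted sample's, so a hash block on the sample also covers the persisted copy. The following added example is not part of the sandbox report: it parses rows copied from the tables above into a deduplicated IOC set with that noise removed. REPORT_EXCERPT is an inline copy of report rows; the parsing and filtering rules are the example's own.

```python
"""Added example (not part of the sandbox report): turn the Network and Files tables
above into a deduplicated IOC set, discarding sandbox resolver traffic and
reverse-DNS lookups. REPORT_EXCERPT rows are copied from the report tables."""
import ipaddress
import json
import re

RESOLVER = ipaddress.ip_address("8.8.8.8")   # the sandbox's DNS forwarder, not an IOC
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Extensionless file dropped straight into %APPDATA%\Roaming (ciifgtu / cftgviw above).
DROP_PATH_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\[a-z]{5,9}$")

# Rows copied from both behavioral runs above, in report order.
REPORT_EXCERPT = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 175.119.10.231:80 | sjyey.com | tcp |
| KR | 175.119.10.231:80 | sjyey.com | tcp |
C:\\Users\\Admin\\AppData\\Roaming\\ciifgtu
| MD5 | 7c376aee2b6cbf0e428d06ddcfca9b07 |
| SHA1 | da5068dc6f5b6e72b4c440c0b6213fc4aaca9c70 |
| SHA256 | e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 110.53.168.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
C:\\Users\\Admin\\AppData\\Roaming\\cftgviw
| Key opened | \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI | C:\\Users\\Admin\\AppData\\Roaming\\cftgviw | N/A |
""".strip().splitlines()


def _cells(line):
    """Split one markdown table row into stripped cells; None for non-table lines."""
    line = line.strip()
    if len(line) < 2 or not (line.startswith("|") and line.endswith("|")):
        return None
    return [c.strip() for c in line[1:-1].split("|")]


def extract_iocs(lines):
    """Return {'domains', 'ips', 'dropped', 'noise'} as sets and 'hashes' as {algo: hex}."""
    iocs = {"domains": set(), "ips": set(), "dropped": set(), "noise": set(), "hashes": {}}
    for raw in lines:
        cells = _cells(raw)
        if cells is None:
            if DROP_PATH_RE.match(raw.strip()):
                iocs["dropped"].add(raw.strip())
            continue
        if len(cells) == 2 and cells[0] in HASH_LEN:
            algo, digest = cells[0], cells[1].lower()
            if re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[algo], digest):
                iocs["hashes"][algo] = digest
        elif len(cells) == 4 and cells[0] != "Country":
            _country, dest, domain, _proto = cells
            host, sep, port = dest.rpartition(":")
            if not sep:
                continue  # signature tables share the 4-column shape but carry no host:port
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                continue
            if domain.endswith((".in-addr.arpa", ".ip6.arpa")):
                iocs["noise"].add(domain)    # reverse lookup: no host was contacted
            elif ip == RESOLVER and port == "53":
                iocs["domains"].add(domain)  # the name was resolved; the resolver is not an IOC
            else:
                iocs["ips"].add(str(ip))
                iocs["domains"].add(domain)
    return iocs


if __name__ == "__main__":
    found = extract_iocs(REPORT_EXCERPT)
    print(json.dumps({k: sorted(v) if isinstance(v, set) else v for k, v in found.items()},
                     indent=2))
```

Feeding the full report through the same function instead of the excerpt gives the same domain, IP and hash sets, since the remaining rows are repeats, signature-table rows without a host:port cell, or memory-dump names that match none of the patterns.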