Analysis Overview
SHA256
1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2
Threat Level: Known bad
The file 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Unsigned PE
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-21 04:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-21 04:49
Reported
2024-02-21 04:54
Platform
win7-20231215-en
Max time kernel
300s
Max time network
123s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\eieauga | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eieauga | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eieauga | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eieauga | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\eieauga | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2772 wrote to memory of 2612 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\eieauga |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe
"C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {7A56E133-1CE5-4CD2-B9B3-616A7DE1379D} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\eieauga
C:\Users\Admin\AppData\Roaming\eieauga
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 123.140.161.243:80 | sjyey.com | tcp |
Files
memory/1856-1-0x0000000000920000-0x0000000000A20000-memory.dmp
memory/1856-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1856-3-0x0000000000400000-0x0000000000817000-memory.dmp
memory/1856-5-0x0000000000400000-0x0000000000817000-memory.dmp
memory/1244-4-0x00000000038B0000-0x00000000038C6000-memory.dmp
C:\Users\Admin\AppData\Roaming\eieauga
| MD5 | f44d0f75c3746989168af456468d553c |
| SHA1 | 1bda6154c5dc86f5132fab036a30ae3b55041593 |
| SHA256 | 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2 |
| SHA512 | 524a44375acf65cc1daf98c4ed281ca8b6e8d128b0a76a05dd2a543c78d8357ea6e81baa1ad487a8f36280a4bd2c5c757e68467359e26876ba56328927ab406f |
memory/2612-14-0x0000000000900000-0x0000000000A00000-memory.dmp
memory/2612-15-0x0000000000400000-0x0000000000817000-memory.dmp
memory/1244-16-0x00000000039D0000-0x00000000039E6000-memory.dmp
memory/2612-17-0x0000000000400000-0x0000000000817000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-21 04:49
Reported
2024-02-21 04:54
Platform
win10-20240214-en
Max time kernel
300s
Max time network
300s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ducucie | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ducucie | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ducucie | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ducucie | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ducucie | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe
"C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe"
C:\Users\Admin\AppData\Roaming\ducucie
C:\Users\Admin\AppData\Roaming\ducucie
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 211.40.39.251:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 251.39.40.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/3592-1-0x0000000000940000-0x0000000000A40000-memory.dmp
memory/3592-2-0x0000000000880000-0x000000000088B000-memory.dmp
memory/3592-3-0x0000000000400000-0x0000000000817000-memory.dmp
memory/3300-4-0x00000000014F0000-0x0000000001506000-memory.dmp
memory/3592-5-0x0000000000400000-0x0000000000817000-memory.dmp
C:\Users\Admin\AppData\Roaming\ducucie
| MD5 | f44d0f75c3746989168af456468d553c |
| SHA1 | 1bda6154c5dc86f5132fab036a30ae3b55041593 |
| SHA256 | 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2 |
| SHA512 | 524a44375acf65cc1daf98c4ed281ca8b6e8d128b0a76a05dd2a543c78d8357ea6e81baa1ad487a8f36280a4bd2c5c757e68467359e26876ba56328927ab406f |
memory/4604-14-0x0000000000B60000-0x0000000000C60000-memory.dmp
memory/4604-15-0x0000000000400000-0x0000000000817000-memory.dmp
memory/3300-16-0x0000000002D70000-0x0000000002D86000-memory.dmp
memory/4604-19-0x0000000000400000-0x0000000000817000-memory.dmp