Analysis Overview
SHA256
92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d
Threat Level: Known bad
The file 92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-21 04:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-21 04:58
Reported
2024-02-21 05:03
Platform
win7-20231215-en
Max time kernel
300s
Max time network
123s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\dftecgt | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\dftecgt | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\dftecgt | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\dftecgt | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\dftecgt | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1580 wrote to memory of 2904 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\dftecgt |
Processes
C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe
"C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {3FD893B9-8A7F-4C57-8355-E3B7805E5C98} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\dftecgt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjyey.com | udp |
| BA | 109.175.29.39:80 | sjyey.com | tcp |
Files
memory/624-1-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/624-2-0x00000000001C0000-0x00000000001CB000-memory.dmp
memory/624-3-0x0000000000400000-0x0000000000818000-memory.dmp
memory/624-5-0x0000000000400000-0x0000000000818000-memory.dmp
memory/1380-4-0x0000000002560000-0x0000000002576000-memory.dmp
C:\Users\Admin\AppData\Roaming\dftecgt
| MD5 | fcb0fb8bba03aa7272d74cf4fa222889 |
| SHA1 | 15ebe4683e9dca78d430a0b3e0ea2e824d947d70 |
| SHA256 | 92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d |
| SHA512 | 0bebaa1ffad0fa62b99e3aea8e853d3fbe8c02af15661524db2bb2df0639343ae7d124e2464f098f0472cd1a65ee3bb0b54703b34703b17453c59550300fcfca |
memory/2904-14-0x0000000000950000-0x0000000000A50000-memory.dmp
memory/2904-15-0x0000000000400000-0x0000000000818000-memory.dmp
memory/1380-16-0x0000000003B30000-0x0000000003B46000-memory.dmp
memory/2904-19-0x0000000000400000-0x0000000000818000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-21 04:58
Reported
2024-02-21 05:03
Platform
win10-20240214-en
Max time kernel
300s
Max time network
298s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rggiwcf | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rggiwcf | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rggiwcf | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rggiwcf | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rggiwcf | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe
"C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe"
C:\Users\Admin\AppData\Roaming\rggiwcf
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 211.53.230.67:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 67.230.53.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/2360-1-0x0000000000990000-0x0000000000A90000-memory.dmp
memory/2360-3-0x0000000000400000-0x0000000000818000-memory.dmp
memory/2360-2-0x0000000000880000-0x000000000088B000-memory.dmp
memory/3496-4-0x0000000001070000-0x0000000001086000-memory.dmp
memory/2360-5-0x0000000000400000-0x0000000000818000-memory.dmp
C:\Users\Admin\AppData\Roaming\rggiwcf
| MD5 | fcb0fb8bba03aa7272d74cf4fa222889 |
| SHA1 | 15ebe4683e9dca78d430a0b3e0ea2e824d947d70 |
| SHA256 | 92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d |
| SHA512 | 0bebaa1ffad0fa62b99e3aea8e853d3fbe8c02af15661524db2bb2df0639343ae7d124e2464f098f0472cd1a65ee3bb0b54703b34703b17453c59550300fcfca |
memory/4884-14-0x0000000000A10000-0x0000000000B10000-memory.dmp
memory/4884-15-0x0000000000400000-0x0000000000818000-memory.dmp
memory/3496-16-0x0000000002E60000-0x0000000002E76000-memory.dmp
memory/4884-17-0x0000000000400000-0x0000000000818000-memory.dmp