Analysis Overview
SHA256
d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c
Threat Level: Known bad
The file d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 08:35
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 08:35
Reported
2024-04-09 11:03
Platform
win7-20240221-en
Max time kernel
1800s
Max time network
1565s
Signatures
SmokeLoader
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wtdgdub | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe
"C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {409EE9A6-CA0B-4093-947E-BA5052B554C3} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\wtdgdub
C:\Users\Admin\AppData\Roaming\wtdgdub
C:\Windows\system32\taskeng.exe
taskeng.exe {77DB79CC-833C-4D60-B86B-75DAEEAB0959} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\wtdgdub
C:\Users\Admin\AppData\Roaming\wtdgdub
C:\Windows\system32\taskeng.exe
taskeng.exe {8485F79C-9C34-44F5-A276-DA843C1D2B9F} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\wtdgdub
C:\Users\Admin\AppData\Roaming\wtdgdub
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
Files
C:\Users\Admin\AppData\Roaming\wtdgdub
| MD5 | 3151d44dd03886e5f64f34481b116c81 |
| SHA1 | ebef87d5fd54925493385fbff5ba4d175c046fbc |
| SHA256 | d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c |
| SHA512 | 6ebcb293583a6858a023bf71a347783b788064f9415421503155e2f87426ff52d7881f2a680331d4332e4062153901295f4b92771a1afd527624bb15230bbcc6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 08:35
Reported
2024-04-09 11:03
Platform
win10-20240404-en
Max time kernel
1790s
Max time network
1596s
Signatures
SmokeLoader
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe
"C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 500
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-09 08:35
Reported
2024-04-09 11:04
Platform
win10v2004-20240226-en
Max time kernel
1800s
Max time network
1804s
Signatures
SmokeLoader
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hciegbu | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe
"C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1292 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Roaming\hciegbu
C:\Users\Admin\AppData\Roaming\hciegbu
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Roaming\hciegbu
C:\Users\Admin\AppData\Roaming\hciegbu
C:\Users\Admin\AppData\Roaming\hciegbu
C:\Users\Admin\AppData\Roaming\hciegbu
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
Files
C:\Users\Admin\AppData\Roaming\hciegbu
| MD5 | 3151d44dd03886e5f64f34481b116c81 |
| SHA1 | ebef87d5fd54925493385fbff5ba4d175c046fbc |
| SHA256 | d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c |
| SHA512 | 6ebcb293583a6858a023bf71a347783b788064f9415421503155e2f87426ff52d7881f2a680331d4332e4062153901295f4b92771a1afd527624bb15230bbcc6 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-09 08:35
Reported
2024-04-09 11:04
Platform
win11-20240221-en
Max time kernel
1800s
Max time network
1309s
Signatures
SmokeLoader
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tatjuws | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe
"C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe"
C:\Users\Admin\AppData\Roaming\tatjuws
C:\Users\Admin\AppData\Roaming\tatjuws
C:\Users\Admin\AppData\Roaming\tatjuws
C:\Users\Admin\AppData\Roaming\tatjuws
C:\Users\Admin\AppData\Roaming\tatjuws
C:\Users\Admin\AppData\Roaming\tatjuws
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
Files
C:\Users\Admin\AppData\Roaming\tatjuws
| MD5 | 3151d44dd03886e5f64f34481b116c81 |
| SHA1 | ebef87d5fd54925493385fbff5ba4d175c046fbc |
| SHA256 | d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c |
| SHA512 | 6ebcb293583a6858a023bf71a347783b788064f9415421503155e2f87426ff52d7881f2a680331d4332e4062153901295f4b92771a1afd527624bb15230bbcc6 |