Analysis Overview
SHA256
6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
Threat Level: Known bad
The file 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Executes dropped EXE
Deletes itself
Program crash
Unsigned PE
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of UnmapMainImage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 12:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-09 12:36
Reported
2024-04-09 13:14
Platform
win10v2004-20240226-en
Max time kernel
1800s
Max time network
1322s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hfesddc | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
"C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe"
C:\Users\Admin\AppData\Roaming\hfesddc
C:\Users\Admin\AppData\Roaming\hfesddc
C:\Users\Admin\AppData\Roaming\hfesddc
C:\Users\Admin\AppData\Roaming\hfesddc
C:\Users\Admin\AppData\Roaming\hfesddc
C:\Users\Admin\AppData\Roaming\hfesddc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.250.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
Files
memory/4416-1-0x0000000002470000-0x0000000002570000-memory.dmp
memory/4416-2-0x0000000004020000-0x000000000402B000-memory.dmp
memory/4416-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3352-4-0x00000000026E0000-0x00000000026F6000-memory.dmp
memory/4416-5-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\hfesddc
| MD5 | 5cddaacf9782c030db128e3ebfd8f301 |
| SHA1 | 71bae291b66ecfad6ee79ab150c9b4bdc676f06c |
| SHA256 | 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23 |
| SHA512 | bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797 |
memory/3712-14-0x0000000002300000-0x0000000002400000-memory.dmp
memory/3712-15-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3352-16-0x00000000023A0000-0x00000000023B6000-memory.dmp
memory/3712-19-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1780-23-0x0000000002520000-0x0000000002620000-memory.dmp
memory/1780-24-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3352-25-0x00000000023D0000-0x00000000023E6000-memory.dmp
memory/1780-26-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/4688-32-0x0000000002540000-0x0000000002640000-memory.dmp
memory/4688-33-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3352-34-0x00000000024B0000-0x00000000024C6000-memory.dmp
memory/4688-35-0x0000000000400000-0x00000000022D1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-09 12:36
Reported
2024-04-09 13:14
Platform
win11-20240221-en
Max time kernel
1800s
Max time network
1500s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\siidswd | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
"C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe"
C:\Users\Admin\AppData\Roaming\siidswd
C:\Users\Admin\AppData\Roaming\siidswd
C:\Users\Admin\AppData\Roaming\siidswd
C:\Users\Admin\AppData\Roaming\siidswd
C:\Users\Admin\AppData\Roaming\siidswd
C:\Users\Admin\AppData\Roaming\siidswd
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1000-1-0x0000000002630000-0x0000000002730000-memory.dmp
memory/1000-2-0x0000000003FF0000-0x0000000003FFB000-memory.dmp
memory/1000-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3412-4-0x0000000000680000-0x0000000000696000-memory.dmp
memory/1000-5-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\siidswd
| MD5 | 5cddaacf9782c030db128e3ebfd8f301 |
| SHA1 | 71bae291b66ecfad6ee79ab150c9b4bdc676f06c |
| SHA256 | 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23 |
| SHA512 | bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797 |
memory/2328-14-0x00000000024B0000-0x00000000025B0000-memory.dmp
memory/2328-15-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3412-16-0x0000000000650000-0x0000000000666000-memory.dmp
memory/2328-19-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1212-23-0x0000000002540000-0x0000000002640000-memory.dmp
memory/1212-24-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3412-25-0x0000000002550000-0x0000000002566000-memory.dmp
memory/1212-28-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/2024-32-0x0000000002560000-0x0000000002660000-memory.dmp
memory/2024-33-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3412-34-0x0000000002580000-0x0000000002596000-memory.dmp
memory/2024-37-0x0000000000400000-0x00000000022D1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 12:36
Reported
2024-04-09 13:11
Platform
win7-20240221-en
Max time kernel
1801s
Max time network
1570s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vaeujfv | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
"C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {430EA39B-1B8C-472E-A778-246BB16156F0} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\vaeujfv
C:\Users\Admin\AppData\Roaming\vaeujfv
C:\Windows\system32\taskeng.exe
taskeng.exe {769D8620-F4CB-4BDC-9C5C-9AE7DCB3772F} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\vaeujfv
C:\Users\Admin\AppData\Roaming\vaeujfv
C:\Windows\system32\taskeng.exe
taskeng.exe {D6B21841-797F-4EC7-B8F2-5B96A300C494} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\vaeujfv
C:\Users\Admin\AppData\Roaming\vaeujfv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
Files
memory/896-1-0x0000000000270000-0x0000000000370000-memory.dmp
memory/896-2-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/896-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1292-4-0x0000000002120000-0x0000000002136000-memory.dmp
memory/896-5-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\vaeujfv
| MD5 | 5cddaacf9782c030db128e3ebfd8f301 |
| SHA1 | 71bae291b66ecfad6ee79ab150c9b4bdc676f06c |
| SHA256 | 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23 |
| SHA512 | bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797 |
memory/1744-14-0x00000000024B0000-0x00000000025B0000-memory.dmp
memory/1744-15-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1292-16-0x0000000002B10000-0x0000000002B26000-memory.dmp
memory/1744-19-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3060-23-0x00000000023D0000-0x00000000024D0000-memory.dmp
memory/3060-24-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1292-25-0x0000000002B40000-0x0000000002B56000-memory.dmp
memory/3060-28-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/928-32-0x0000000000290000-0x0000000000390000-memory.dmp
memory/928-33-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1292-34-0x0000000002B60000-0x0000000002B76000-memory.dmp
memory/928-37-0x0000000000400000-0x00000000022D1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 12:36
Reported
2024-04-09 13:11
Platform
win10-20240404-en
Max time kernel
1792s
Max time network
1592s
Command Line
Signatures
SmokeLoader
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
"C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 492
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 225.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
Files
memory/4532-1-0x00000000025D0000-0x00000000026D0000-memory.dmp
memory/4532-2-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/4532-3-0x00000000023D0000-0x00000000023DB000-memory.dmp
memory/4532-6-0x00000000025D0000-0x00000000026D0000-memory.dmp