Analysis Overview
SHA256
abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d
Threat Level: Known bad
The file abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Adds Run key to start application
Maps connected drives based on registry
Unsigned PE
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-22 16:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-22 16:00
Reported
2024-04-22 16:03
Platform
win7-20240220-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\iwerthja\\ibrgjitg.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
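The Run value above is the persistence artefact worth building a check around. The Python below is an added example, not part of the report or of any SmokeLoader tooling, that scores a Run-key write the way a hunt query would: it collapses the report's escaped backslashes, then flags a value whose binary sits in a user-writable directory, whose path components look machine-generated, or whose value name borrows a vendor name while the binary lives outside a vendor install path. The consonant-run heuristic, the allowlists and the benign OneDrive control row are assumptions chosen for illustration. The writer process is deliberately not used as a signal: the row shows the value being set by explorer.exe, so a rule that trusts the writer's image name would miss this exact case.

```python
import re

# Constructed from the report's "Adds Run key" row. The doubled backslashes are
# the report's rendering of the REG_SZ data and are collapsed by extract_image().
SMOKELOADER_RUN = {
    "key": r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run",
    "name": "Microsoft",
    "data": r"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\iwerthja\\ibrgjitg.exe",
    "process": r"C:\Windows\SysWOW64\explorer.exe",
}

# Constructed benign control (hypothetical OneDrive autostart, not from the report).
BENIGN_RUN = {
    "key": r"\REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run",
    "name": "OneDrive",
    "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "process": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
}

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
VENDOR_INSTALL = ("c:\\program files", "c:\\windows\\")
VENDOR_NAMES = {"microsoft", "windows", "java", "adobe", "google", "intel"}
WORDLIKE = re.compile(r"^[a-z]{6,12}$")


def extract_image(data: str) -> str:
    """Return the executable path from Run-value data, dropping quotes and arguments."""
    data = data.replace("\\\\", "\\").strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def max_consonant_run(word: str) -> int:
    run = best = 0
    for ch in word:
        run = 0 if ch in "aeiou" else run + 1
        best = max(best, run)
    return best


def looks_generated(component: str) -> bool:
    """Crude heuristic (an assumption): lowercase-only, 6-12 chars, with a run of
    four or more consonants. Catches 'iwerthja' and 'ibrgjitg', not 'roaming'."""
    return bool(WORDLIKE.match(component)) and max_consonant_run(component) >= 4


def assess_run_value(event: dict) -> list:
    """Return the reasons a Run-key write deserves attention; empty means none."""
    if "\\currentversion\\run" not in event["key"].lower():
        return []
    image = extract_image(event["data"]).lower()
    reasons = []
    if any(marker in image for marker in USER_WRITABLE):
        reasons.append("autostart binary lives in a user-writable directory")
    components = image.split("\\")
    stem = components[-1].rsplit(".", 1)[0]
    generated = [c for c in components[:-1] + [stem] if looks_generated(c)]
    if generated:
        reasons.append("machine-generated path components: " + ", ".join(generated))
    if event["name"].lower() in VENDOR_NAMES and not image.startswith(VENDOR_INSTALL):
        reasons.append(f"value name {event['name']!r} borrows a vendor name "
                       f"but the binary is outside a vendor install path")
    return reasons


if __name__ == "__main__":
    for label, ev in (("smokeloader", SMOKELOADER_RUN), ("benign", BENIGN_RUN)):
        print(label, assess_run_value(ev) or ["no findings"])
```

Run against the report's row the function returns three reasons; against the benign control it returns none. The value name check matters here because the data path also contains a Microsoft directory, which is the loader's attempt to look like vendor software.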
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2088 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 2088 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 2088 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 2088 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe | C:\Windows\SysWOW64\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe
"C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| NL | 23.62.61.144:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 72.246.173.187:443 | www.microsoft.com | tcp |
| NL | 72.246.173.187:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | java.com | udp |
| NL | 23.62.61.137:80 | java.com | tcp |
| US | 8.8.8.8:53 | visualstudio.microsoft.com | udp |
| BE | 104.68.69.97:443 | visualstudio.microsoft.com | tcp |
| BE | 104.68.69.97:443 | visualstudio.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.mozilla.org | udp |
| GB | 13.224.77.115:443 | www.mozilla.org | tcp |
| US | 8.8.8.8:53 | java.com | udp |
| NL | 23.62.61.137:80 | java.com | tcp |
| US | 8.8.8.8:53 | eeaglelifeaa23ol.com | udp |
| NL | 23.62.61.137:80 | java.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 72.246.173.187:443 | www.microsoft.com | tcp |
| NL | 72.246.173.187:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | visualstudio.microsoft.com | udp |
| BE | 104.68.69.97:443 | visualstudio.microsoft.com | tcp |
| BE | 104.68.69.97:443 | visualstudio.microsoft.com | tcp |
| BE | 104.68.69.97:443 | visualstudio.microsoft.com | tcp |
| BE | 104.68.69.97:443 | visualstudio.microsoft.com | tcp |
| US | 8.8.8.8:53 | java.com | udp |
| NL | 23.62.61.137:80 | java.com | tcp |
| US | 8.8.8.8:53 | www.videolan.org | udp |
| FR | 213.36.253.2:443 | www.videolan.org | tcp |
| NL | 23.62.61.137:80 | java.com | tcp |
| US | 8.8.8.8:53 | eeaglelifebb23ahoo.com | udp |
| US | 8.8.8.8:53 | visualstudio.microsoft.com | udp |
| BE | 104.68.69.97:443 | visualstudio.microsoft.com | tcp |
| BE | 104.68.69.97:443 | visualstudio.microsoft.com | tcp |
| US | 8.8.8.8:53 | support.microsoft.com | udp |
| NL | 72.246.172.127:443 | support.microsoft.com | tcp |
| NL | 72.246.172.127:443 | support.microsoft.com | tcp |
| BE | 104.68.69.97:443 | visualstudio.microsoft.com | tcp |
| BE | 104.68.69.97:443 | visualstudio.microsoft.com | tcp |
| US | 8.8.8.8:53 | java.com | udp |
| NL | 23.62.61.163:80 | java.com | tcp |
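Most of the Network table is traffic to well-known vendor hosts (bing, microsoft, java.com, mozilla, videolan) and carries no indicator value on its own. What stands out are two names that were resolved but never followed by a TCP flow: eeaglelifeaa23ol.com and eeaglelifebb23ahoo.com. The Python below is an added example, not part of the report, that makes that correlation mechanically: it treats every 8.8.8.8:53/udp row as a resolution and every other row as a contact, and returns the domains that appear only in the first set. Treating those two names as the loader's C2 candidates is an inference from that pattern; the report itself does not label them.

```python
from collections import Counter, defaultdict

# Constructed verbatim from the report's behavioral1 Network table
# as (country, destination, domain, proto) tuples, duplicates included.
FLOWS = [
    ("NL", "23.62.61.144:80", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "www.microsoft.com", "udp"),
    ("NL", "72.246.173.187:443", "www.microsoft.com", "tcp"),
    ("NL", "72.246.173.187:443", "www.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "java.com", "udp"),
    ("NL", "23.62.61.137:80", "java.com", "tcp"),
    ("US", "8.8.8.8:53", "visualstudio.microsoft.com", "udp"),
    ("BE", "104.68.69.97:443", "visualstudio.microsoft.com", "tcp"),
    ("BE", "104.68.69.97:443", "visualstudio.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "www.mozilla.org", "udp"),
    ("GB", "13.224.77.115:443", "www.mozilla.org", "tcp"),
    ("US", "8.8.8.8:53", "java.com", "udp"),
    ("NL", "23.62.61.137:80", "java.com", "tcp"),
    ("US", "8.8.8.8:53", "eeaglelifeaa23ol.com", "udp"),
    ("NL", "23.62.61.137:80", "java.com", "tcp"),
    ("US", "8.8.8.8:53", "www.microsoft.com", "udp"),
    ("NL", "72.246.173.187:443", "www.microsoft.com", "tcp"),
    ("NL", "72.246.173.187:443", "www.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "visualstudio.microsoft.com", "udp"),
    ("BE", "104.68.69.97:443", "visualstudio.microsoft.com", "tcp"),
    ("BE", "104.68.69.97:443", "visualstudio.microsoft.com", "tcp"),
    ("BE", "104.68.69.97:443", "visualstudio.microsoft.com", "tcp"),
    ("BE", "104.68.69.97:443", "visualstudio.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "java.com", "udp"),
    ("NL", "23.62.61.137:80", "java.com", "tcp"),
    ("US", "8.8.8.8:53", "www.videolan.org", "udp"),
    ("FR", "213.36.253.2:443", "www.videolan.org", "tcp"),
    ("NL", "23.62.61.137:80", "java.com", "tcp"),
    ("US", "8.8.8.8:53", "eeaglelifebb23ahoo.com", "udp"),
    ("US", "8.8.8.8:53", "visualstudio.microsoft.com", "udp"),
    ("BE", "104.68.69.97:443", "visualstudio.microsoft.com", "tcp"),
    ("BE", "104.68.69.97:443", "visualstudio.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "support.microsoft.com", "udp"),
    ("NL", "72.246.172.127:443", "support.microsoft.com", "tcp"),
    ("NL", "72.246.172.127:443", "support.microsoft.com", "tcp"),
    ("BE", "104.68.69.97:443", "visualstudio.microsoft.com", "tcp"),
    ("BE", "104.68.69.97:443", "visualstudio.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "java.com", "udp"),
    ("NL", "23.62.61.163:80", "java.com", "tcp"),
]


def split_flows(rows):
    """Separate DNS lookups (udp to port 53) from every other flow."""
    lookups, contacts = Counter(), defaultdict(set)
    for _country, dest, domain, proto in rows:
        _host, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            lookups[domain] += 1
        else:
            contacts[domain].add(dest)
    return lookups, contacts


def resolved_but_never_contacted(rows):
    """Domains that were looked up but never received a non-DNS flow."""
    lookups, contacts = split_flows(rows)
    return sorted(d for d in lookups if d not in contacts)


def contact_summary(rows):
    """domain -> sorted ip:port endpoints actually connected to."""
    _lookups, contacts = split_flows(rows)
    return {d: sorted(v) for d, v in contacts.items()}


if __name__ == "__main__":
    print("resolved only:", resolved_but_never_contacted(FLOWS))
    for domain, endpoints in sorted(contact_summary(FLOWS).items()):
        print(f"{domain}: {', '.join(endpoints)}")
```

The same split also shows that java.com was reached at two different Akamai endpoints, which is ordinary CDN behaviour; the unreached names are the only rows worth a pivot in passive DNS or proxy logs.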
Files
memory/2088-1-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2088-0-0x0000000000240000-0x0000000000248000-memory.dmp
memory/2088-2-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2088-3-0x0000000000310000-0x000000000031A000-memory.dmp
memory/2088-4-0x0000000000310000-0x000000000031A000-memory.dmp
memory/2900-7-0x0000000000230000-0x00000000004B1000-memory.dmp
memory/2900-8-0x0000000000230000-0x00000000004B1000-memory.dmp
memory/2900-9-0x0000000000080000-0x000000000008A000-memory.dmp
memory/2900-11-0x0000000000080000-0x000000000008A000-memory.dmp
memory/2088-13-0x0000000000310000-0x000000000031A000-memory.dmp
memory/2900-20-0x0000000000080000-0x000000000008A000-memory.dmp
memory/2900-22-0x0000000000080000-0x000000000008A000-memory.dmp
memory/2900-24-0x0000000000080000-0x000000000008A000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarD927.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5d09b587ebd58f160a39f48e07a11a3c |
| SHA1 | a3b1efdb1759ebd048d1a417af98e7c8666b852b |
| SHA256 | 357630b797c6ff4564d1df84a8242ad3d92855a68bc3615fe8b3a428c6de60ce |
| SHA512 | 72f2fde72a629a5b816963dd4ec69b27f55fe00c8079fe331f0ea580f02faddb7c3d7b212068919a55a537164eae90f45301215530fbd0bd1433d2c3de9aac8b |
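Two pieces of the behavioral1 run above belong together: the four WriteProcessMemory rows in which PID 2088 (the sample) wrote into PID 2900 (explorer.exe), and the memory dumps the sandbox took of PID 2900 afterwards. That explorer.exe runs from C:\Windows\SysWOW64 with the bare command line explorer.exe, so it is a 32-bit instance started during detonation rather than the 64-bit desktop shell in C:\Windows, which is consistent with SmokeLoader's habit of launching a fresh explorer.exe as its injection host. The Python below is an added example, not part of the report, that parses both artefacts: it counts cross-process writes from an image in a user-writable location into a Windows binary, and sizes the distinct address ranges dumped from each PID, which surfaces a 0x281000-byte range at 0x230000 in PID 2900. Reading that range as the injected payload is an inference from the report's sequence of events, not something the report states.

```python
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe")
HOST = r"C:\Windows\SysWOW64\explorer.exe"

# Constructed from the report: the four identical WriteProcessMemory rows as
# (description, source image, target image) ...
WPM_ROWS = [("PID 2088 wrote to memory of 2900", SAMPLE, HOST)] * 4

# ... and the memory-dump names the sandbox produced for both PIDs.
DUMPS = [
    "memory/2088-1-0x0000000000260000-0x0000000000261000-memory.dmp",
    "memory/2088-0-0x0000000000240000-0x0000000000248000-memory.dmp",
    "memory/2088-2-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/2088-3-0x0000000000310000-0x000000000031A000-memory.dmp",
    "memory/2088-4-0x0000000000310000-0x000000000031A000-memory.dmp",
    "memory/2900-7-0x0000000000230000-0x00000000004B1000-memory.dmp",
    "memory/2900-8-0x0000000000230000-0x00000000004B1000-memory.dmp",
    "memory/2900-9-0x0000000000080000-0x000000000008A000-memory.dmp",
    "memory/2900-11-0x0000000000080000-0x000000000008A000-memory.dmp",
    "memory/2088-13-0x0000000000310000-0x000000000031A000-memory.dmp",
    "memory/2900-20-0x0000000000080000-0x000000000008A000-memory.dmp",
    "memory/2900-22-0x0000000000080000-0x000000000008A000-memory.dmp",
    "memory/2900-24-0x0000000000080000-0x000000000008A000-memory.dmp",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_windows_binary(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def injection_candidates(rows):
    """(writer_pid, target_pid) -> write count, keeping only writes from an image in
    a user-writable location into a Windows binary running as another process."""
    counts = {}
    for desc, src, dst in rows:
        m = WPM_RE.fullmatch(desc)
        if not m:
            continue
        src_pid, dst_pid = int(m.group(1)), int(m.group(2))
        if src_pid != dst_pid and is_user_writable(src) and is_windows_binary(dst):
            counts[(src_pid, dst_pid)] = counts.get((src_pid, dst_pid), 0) + 1
    return counts


def dumped_regions(dumps):
    """Distinct (pid, start, size) triples, one per dumped address range."""
    seen = set()
    for name in dumps:
        m = DUMP_RE.fullmatch(name)
        if not m:
            continue
        pid, start, end = int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)
        seen.add((pid, start, end - start))
    return sorted(seen)


def largest_region(dumps, pid):
    """(start, size) of the biggest range dumped from pid, or None if pid has none."""
    cands = [(start, size) for p, start, size in dumped_regions(dumps) if p == pid]
    return max(cands, key=lambda t: t[1]) if cands else None


if __name__ == "__main__":
    print(injection_candidates(WPM_ROWS))
    for pid in (2088, 2900):
        start, size = largest_region(DUMPS, pid)
        print(f"PID {pid}: largest dumped range 0x{start:X}, {size:#x} bytes")
```

For PID 2088 the largest range is 0x400000 to 0x426000, the sample's own image; for PID 2900 it is the 0x281000-byte range at 0x230000, which has no counterpart in the sample's own process and is the range to carve and scan first.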
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-22 16:00
Reported
2024-04-22 16:03
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe
"C:\Users\Admin\AppData\Local\Temp\abebbafd75d61bb6ac5946a2bb3d0863e7776c4820ed0cedcaba25a4381e274d.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3812 -ip 3812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 480
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/3812-1-0x0000000000600000-0x0000000000601000-memory.dmp
memory/3812-0-0x0000000000550000-0x0000000000558000-memory.dmp