Windows Analysis Report
LH27WS7BVJ.exe

Overview

General Information

Sample name: LH27WS7BVJ.exe
renamed because original name is a hash value
Original sample name: 367c8f95ea1174ed018dcb362bd5e61d.exe
Analysis ID: 1447093
MD5: 367c8f95ea1174ed018dcb362bd5e61d
SHA1: d8228f30aff54f959bc5f6b172d4c2c97875f5b7
SHA256: 778df7488b659a15b38e07eb9ce521f48df15258eed4512b762adcf2173402f8
Tags: 32exe
Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection

Source: LH27WS7BVJ.exe Avira: detected
Source: https://summerwaterhall.com/calcroom.php Avira URL Cloud: Label: malware
Source: https://airwide-land.com/calcroom.php Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\wtftrbr Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["https://airwide-land.com/calcroom.php", "https://summerwaterhall.com/calcroom.php"]}
Source: summerwaterhall.com Virustotal: Detection: 15%
Source: airwide-land.com Virustotal: Detection: 17%
Source: C:\Users\user\AppData\Roaming\wtftrbr ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\wtftrbr Virustotal: Detection: 42%
Source: LH27WS7BVJ.exe ReversingLabs: Detection: 34%
Source: LH27WS7BVJ.exe Virustotal: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\wtftrbr Joe Sandbox ML: detected
Source: LH27WS7BVJ.exe Joe Sandbox ML: detected
Source: LH27WS7BVJ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Networking

Source: C:\Windows\explorer.exe Network Connect: 23.227.203.30 443
Source: C:\Windows\explorer.exe Network Connect: 146.70.41.146 443
Source: Malware configuration extractor URLs: https://airwide-land.com/calcroom.php
Source: Malware configuration extractor URLs: https://summerwaterhall.com/calcroom.php
Source: Joe Sandbox View ASN Name: TENET-1ZA TENET-1ZA
Source: Joe Sandbox View ASN Name: HVC-ASUS HVC-ASUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: airwide-land.com
Source: global traffic DNS traffic detected: DNS query: summerwaterhall.com
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1681678254.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1683344877.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1682067799.0000000008720000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1684715130.000000000C964000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1684715130.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680269665.0000000003700000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1682612462.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1682612462.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1684715130.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000003.00000002.1941515606.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1694439425.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.1941400771.0000000002CDB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_004015A5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015A5
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_00402446 NtQueryInformationProcess, 0_2_00402446
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_00402464 NtQuerySystemInformation, 0_2_00402464
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_00402421 NtQuerySystemInformation, 0_2_00402421
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_004015CD NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015CD
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_004015D1 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015D1
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_004015D4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015D4
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_004015BB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015BB
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_004015BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015BF
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_00402141 0_2_00402141
Source: LH27WS7BVJ.exe, 00000000.00000000.1624078836.0000000002C8C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesFilezera2 vs LH27WS7BVJ.exe
Source: LH27WS7BVJ.exe Binary or memory string: OriginalFilenamesFilezera2 vs LH27WS7BVJ.exe
Source: LH27WS7BVJ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000003.00000002.1941515606.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1694439425.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.1941400771.0000000002CDB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/2@2/2
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E621B1 CreateToolhelp32Snapshot,Module32First, 0_2_02E621B1
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\wtftrbr
Source: LH27WS7BVJ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LH27WS7BVJ.exe ReversingLabs: Detection: 34%
Source: LH27WS7BVJ.exe Virustotal: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\LH27WS7BVJ.exe "C:\Users\user\Desktop\LH27WS7BVJ.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\wtftrbr C:\Users\user\AppData\Roaming\wtftrbr
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Section loaded: msvcr100.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\wtftrbr Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\wtftrbr Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\wtftrbr Section loaded: msvcr100.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: LH27WS7BVJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Unpacked PE file: 0.2.LH27WS7BVJ.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\wtftrbr Unpacked PE file: 3.2.wtftrbr.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_0040284F push eax; ret 0_2_00402883
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_00403353 push eax; ret 0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_0040330C push eax; ret 0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_00403313 push eax; ret 0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_00403320 push eax; ret 0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_0040322D push eax; ret 0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_00403338 push eax; ret 0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_004032C3 push eax; ret 0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_00403388 push eax; ret 0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_0040328F push eax; ret 0_2_0040336A
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E22FA5 push esp; iretd 0_2_02E22FC0
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E228B6 push eax; ret 0_2_02E228EA
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E22F9D push esp; ret 0_2_02E22FA4
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E23000 push esp; iretd 0_2_02E22FC0
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E697CA pushfd ; retf 0_2_02E697CB
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E64AC8 push eax; ret 0_2_02E64AE9
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E64132 push eax; ret 0_2_02E64166
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E6381F push ebp; ret 0_2_02E63829
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E6471B pushad ; iretd 0_2_02E6472F
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_02CE3B8A push eax; ret 3_2_02CE3BBE
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_02CE3277 push ebp; ret 3_2_02CE3281
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_02CE4173 pushad ; iretd 3_2_02CE4187
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_02CE9222 pushfd ; retf 3_2_02CE9223
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_02CE4520 push eax; ret 3_2_02CE4541
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_048C2F9D push esp; ret 3_2_048C2FA4
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_048C2FA5 push esp; iretd 3_2_048C2FC0
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_048C28B6 push eax; ret 3_2_048C28EA
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_048C3000 push esp; iretd 3_2_048C2FC0
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\wtftrbr

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\lh27ws7bvj.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\wtftrbr:Zone.Identifier read attributes | delete

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\wtftrbr Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: LH27WS7BVJ.exe, 00000000.00000002.1694316140.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 409
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1183
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 808
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 372
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 389
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3712
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 876
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 871
Source: C:\Windows\explorer.exe TID: 6264 Thread sleep count: 409 > 30
Source: C:\Windows\explorer.exe TID: 6232 Thread sleep count: 1183 > 30
Source: C:\Windows\explorer.exe TID: 6232 Thread sleep time: -118300s >= -30000s
Source: C:\Windows\explorer.exe TID: 6284 Thread sleep count: 808 > 30
Source: C:\Windows\explorer.exe TID: 6284 Thread sleep time: -80800s >= -30000s
Source: C:\Windows\explorer.exe TID: 1508 Thread sleep count: 281 > 30
Source: C:\Windows\explorer.exe TID: 5900 Thread sleep count: 372 > 30
Source: C:\Windows\explorer.exe TID: 5900 Thread sleep time: -37200s >= -30000s
Source: C:\Windows\explorer.exe TID: 1740 Thread sleep count: 389 > 30
Source: C:\Windows\explorer.exe TID: 1740 Thread sleep time: -38900s >= -30000s
Source: C:\Windows\explorer.exe TID: 6232 Thread sleep count: 3712 > 30
Source: C:\Windows\explorer.exe TID: 6232 Thread sleep time: -371200s >= -30000s
Source: explorer.exe, 00000001.00000000.1683181405.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1682612462.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1680935365.00000000078A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1683181405.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1683181405.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1682612462.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1683181405.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1680935365.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1682612462.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\LH27WS7BVJ.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\wtftrbr System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\wtftrbr Process queried: DebugPort
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E20D90 mov eax, dword ptr fs:[00000030h] 0_2_02E20D90
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E2092B mov eax, dword ptr fs:[00000030h] 0_2_02E2092B
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Code function: 0_2_02E61A8E push dword ptr fs:[00000030h] 0_2_02E61A8E
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_02CE14E6 push dword ptr fs:[00000030h] 3_2_02CE14E6
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_048C0D90 mov eax, dword ptr fs:[00000030h] 3_2_048C0D90
Source: C:\Users\user\AppData\Roaming\wtftrbr Code function: 3_2_048C092B mov eax, dword ptr fs:[00000030h] 3_2_048C092B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: wtftrbr.1.dr
Source: C:\Windows\explorer.exe Network Connect: 23.227.203.30 443
Source: C:\Windows\explorer.exe Network Connect: 146.70.41.146 443
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Thread created: C:\Windows\explorer.exe EIP: 3401970
Source: C:\Users\user\AppData\Roaming\wtftrbr Thread created: unknown EIP: 3421970
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\wtftrbr Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\wtftrbr Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: explorer.exe, 00000001.00000000.1680806640.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1682612462.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680005074.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1680005074.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1680005074.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1680005074.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY