Windows Analysis Report
2Qvkmk7HGr.exe

Overview

General Information

Sample name: 2Qvkmk7HGr.exe
renamed because original name is a hash value
Original sample name: 4bb69f9fad0620ecb64971676b9f2cbc.exe
Analysis ID: 1538071
MD5: 4bb69f9fad0620ecb64971676b9f2cbc
SHA1: 519d65503d586d0442ea411d03e790d52b564eee
SHA256: 6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311
Tags: exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
  • SMOKY SPIDER
 https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 2Qvkmk7HGr.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\tcgiwaf Avira: detection malicious, Label: HEUR/AGEN.1306978
Found malware configuration
Source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://tnc-corp.ru/tmp/index.php", "http://volisc.biz/tmp/index.php", "http://livbev.online/tmp/index.php", "http://liverds.at/tmp/index.php"]}
Multi AV Scanner detection for domain / URL
Source: liverds.at Virustotal: Detection: 5% Perma Link
Source: livbev.online Virustotal: Detection: 6% Perma Link
Source: volisc.biz Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\tcgiwaf ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: 2Qvkmk7HGr.exe ReversingLabs: Detection: 39%
Source: 2Qvkmk7HGr.exe Virustotal: Detection: 41% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\tcgiwaf Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 2Qvkmk7HGr.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 2Qvkmk7HGr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_004032A0 GetNumberFormatW,InterlockedIncrement,SetFileAttributesW,GetCommMask,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,GetComputerNameA,ClearCommError,InterlockedIncrement,EnumTimeFormatsA,GetTempFileNameA,_memset,CommConfigDialogW,ReadConsoleInputA,GetVersionExW,CreateActCtxW,InterlockedExchange,InterlockedExchangeAdd,GetShortPathNameW,GetCurrencyFormatW,GetLocaleInfoW,InterlockedIncrement,SetVolumeMountPointA,GlobalUnWire,CreateSemaphoreW, 7_2_004032A0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:54854 -> 211.171.233.126:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:55718 -> 211.171.233.126:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:55719 -> 211.171.233.126:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:55720 -> 211.171.233.126:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:54853 -> 211.171.233.126:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:55686 -> 211.171.233.126:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 211.171.233.126 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://tnc-corp.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://volisc.biz/tmp/index.php
Source: Malware configuration extractor URLs: http://livbev.online/tmp/index.php
Source: Malware configuration extractor URLs: http://liverds.at/tmp/index.php
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 211.171.233.126 211.171.233.126
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LGDACOMLGDACOMCorporationKR LGDACOMLGDACOMCorporationKR
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uepnecxbbbdpiq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 191Host: tnc-corp.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://strnbrsjeqnhidm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 176Host: tnc-corp.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://amjpnfqmtie.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 268Host: tnc-corp.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lkexyglvlsxrxq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 317Host: tnc-corp.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kgbmakinbtdtwix.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 209Host: tnc-corp.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://roqbxksriohvi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 134Host: tnc-corp.ru
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: tnc-corp.ru
Source: global traffic DNS traffic detected: DNS query: volisc.biz
Source: global traffic DNS traffic detected: DNS query: livbev.online
Source: global traffic DNS traffic detected: DNS query: liverds.at
Source: unknown HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uepnecxbbbdpiq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 191Host: tnc-corp.ru
Source: explorer.exe, 00000001.00000000.1752481052.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1752481052.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1752481052.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1752481052.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1753482488.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1751138246.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1751529258.0000000008720000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1758674619.000000000C964000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1758674619.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1758674619.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1752481052.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1752481052.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1748652192.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1748053995.0000000001240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1752481052.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1752481052.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1752481052.00000000096DF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1758674619.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1758674619.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1758674619.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1758674619.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1758674619.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1768987003.0000000000550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2004791838.0000000000560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2004938818.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1768955297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Abnormal high CPU Usage
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_00403054 RtlCreateUserThread,NtTerminateProcess, 0_2_00403054
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401583
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_00402721 NtEnumerateKey,NtClose, 0_2_00402721
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_0040158E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040158E
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015BC
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_00403054 RtlCreateUserThread,NtTerminateProcess, 5_2_00403054
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_00401583
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_00402721 NtEnumerateKey,NtClose, 5_2_00402721
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_0040158E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_0040158E
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_004015BC
Detected potential crypto function
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_00401A28 0_2_00401A28
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_00401A28 5_2_00401A28
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_0040D8CA 7_2_0040D8CA
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_00410CF7 7_2_00410CF7
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_004084F9 7_2_004084F9
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_004121FD 7_2_004121FD
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_0041026F 7_2_0041026F
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_004113EF 7_2_004113EF
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_004107B3 7_2_004107B3
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: String function: 00407890 appears 34 times
Uses 32bit PE files
Source: 2Qvkmk7HGr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1768987003.0000000000550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2004791838.0000000000560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2004938818.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1768955297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 2Qvkmk7HGr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tcgiwaf.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/2@72/1
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_00403690 SetLastError,SetLastError,DefineDosDeviceA,_realloc,OpenJobObjectW,InterlockedExchangeAdd,_strlen,_abort,VirtualAlloc,GetTickCount,GetTickCount,GetDiskFreeSpaceExA,ReadConsoleInputA,InterlockedExchange,GetDiskFreeSpaceExA,LoadLibraryA,ReadConsoleInputA,LCMapStringA,OpenEventA,LCMapStringA,InterlockedExchange,OpenEventA,GetCurrentProcess,GetAltTabInfoW,GetCurrentProcess,GetAltTabInfoW,GetLastError,GetLastError,GetFileAttributesW,GetShortPathNameA,GlobalFree,GetFileAttributesW,GetShortPathNameA,GlobalFree,GetEnvironmentStrings,SetComputerNameW,InterlockedExchange,LoadLibraryA, 7_2_00403690
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_00531C87 CreateToolhelp32Snapshot,Module32First, 0_2_00531C87
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\tcgiwaf Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Command line argument: LiEz 7_2_00403A10
Source: C:\Users\user\AppData\Roaming\tcgiwaf Command line argument: ZV7 7_2_00403A10
Source: C:\Users\user\AppData\Roaming\tcgiwaf Command line argument: b6 7_2_00403A10
Source: C:\Users\user\AppData\Roaming\tcgiwaf Command line argument: y9= 7_2_00403A10
Source: C:\Users\user\AppData\Roaming\tcgiwaf Command line argument: 5Myi 7_2_00403A10
Source: C:\Users\user\AppData\Roaming\tcgiwaf Command line argument: Kn 7_2_00403A10
Source: 2Qvkmk7HGr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 2Qvkmk7HGr.exe ReversingLabs: Detection: 39%
Source: 2Qvkmk7HGr.exe Virustotal: Detection: 41%
Source: unknown Process created: C:\Users\user\Desktop\2Qvkmk7HGr.exe "C:\Users\user\Desktop\2Qvkmk7HGr.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\tcgiwaf C:\Users\user\AppData\Roaming\tcgiwaf
Source: unknown Process created: C:\Users\user\AppData\Roaming\tcgiwaf C:\Users\user\AppData\Roaming\tcgiwaf
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Unpacked PE file: 0.2.2Qvkmk7HGr.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\tcgiwaf Unpacked PE file: 5.2.tcgiwaf.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_0040AE2E LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_0040AE2E
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_0040294B push ebx; ret 0_2_00402957
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_00402923 push ebx; ret 0_2_00402926
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_00402930 push ebx; ret 0_2_00402942
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_0053920D push edi; iretd 0_2_00539228
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_005333C3 push es; ret 0_2_005333C4
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_005394E1 push edx; iretd 0_2_005395E2
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_005395B5 push edx; iretd 0_2_005395E2
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_00552997 push ebx; ret 0_2_005529A9
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_0055298A push ebx; ret 0_2_0055298D
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_005529B2 push ebx; ret 0_2_005529BE
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_0040294B push ebx; ret 5_2_00402957
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_00402923 push ebx; ret 5_2_00402926
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_00402930 push ebx; ret 5_2_00402942
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_00562997 push ebx; ret 5_2_005629A9
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_0056298A push ebx; ret 5_2_0056298D
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_005629B2 push ebx; ret 5_2_005629BE
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_0062920D push edi; iretd 5_2_00629228
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_006294E1 push edx; iretd 5_2_006295E2
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_006233C3 push es; ret 5_2_006233C4
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_006295B5 push edx; iretd 5_2_006295E2
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_004078D5 push ecx; ret 7_2_004078E8
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_00405483 push ecx; ret 7_2_00405496
Source: 2Qvkmk7HGr.exe Static PE information: section name: .text entropy: 7.0024890042663355
Source: tcgiwaf.1.dr Static PE information: section name: .text entropy: 7.0024890042663355
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\tcgiwaf Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\tcgiwaf Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\2qvkmk7hgr.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\tcgiwaf:Zone.Identifier read attributes | delete Jump to behavior

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\tcgiwaf API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\tcgiwaf API/Special instruction interceptor: Address: 7FFE2220D584
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 450 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2613 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1030 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 363 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 372 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1947 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 883 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 875 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 4136 Thread sleep count: 450 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 648 Thread sleep count: 2613 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 648 Thread sleep time: -261300s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2588 Thread sleep count: 1030 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2588 Thread sleep time: -103000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4924 Thread sleep count: 363 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4924 Thread sleep time: -36300s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5756 Thread sleep count: 335 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 8 Thread sleep count: 372 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 8 Thread sleep time: -37200s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 648 Thread sleep count: 1947 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 648 Thread sleep time: -194700s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_004032A0 GetNumberFormatW,InterlockedIncrement,SetFileAttributesW,GetCommMask,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,GetComputerNameA,ClearCommError,InterlockedIncrement,EnumTimeFormatsA,GetTempFileNameA,_memset,CommConfigDialogW,ReadConsoleInputA,GetVersionExW,CreateActCtxW,InterlockedExchange,InterlockedExchangeAdd,GetShortPathNameW,GetCurrencyFormatW,GetLocaleInfoW,InterlockedIncrement,SetVolumeMountPointA,GlobalUnWire,CreateSemaphoreW, 7_2_004032A0
Source: explorer.exe, 00000001.00000000.1753254303.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1752481052.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1752481052.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1753254303.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1748053995.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: explorer.exe, 00000001.00000000.1753254303.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1752481052.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1752481052.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1752481052.000000000982D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1753254303.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1749862002.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1752481052.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1748053995.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1748053995.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf System information queried: CodeIntegrityInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_0040540B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0040540B
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_0040AE2E LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_0040AE2E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_00531564 push dword ptr fs:[00000030h] 0_2_00531564
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_0055092B mov eax, dword ptr fs:[00000030h] 0_2_0055092B
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Code function: 0_2_00550D90 mov eax, dword ptr fs:[00000030h] 0_2_00550D90
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_0056092B mov eax, dword ptr fs:[00000030h] 5_2_0056092B
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_00560D90 mov eax, dword ptr fs:[00000030h] 5_2_00560D90
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 5_2_00621564 push dword ptr fs:[00000030h] 5_2_00621564
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_0040540B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0040540B
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_0040456C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0040456C
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_00408D38 SetUnhandledExceptionFilter, 7_2_00408D38
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_00405FB4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00405FB4

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: tcgiwaf.1.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 211.171.233.126 80 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Thread created: C:\Windows\explorer.exe EIP: 87D19D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Thread created: unknown EIP: 87F19D0 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\tcgiwaf Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: explorer.exe, 00000001.00000000.1748268149.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1749490951.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1752481052.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1748268149.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1748053995.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1748268149.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1748268149.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: GetLocaleInfoA, 7_2_0040FAF0
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: GetNumberFormatW,InterlockedIncrement,SetFileAttributesW,GetCommMask,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,GetComputerNameA,ClearCommError,InterlockedIncrement,EnumTimeFormatsA,GetTempFileNameA,_memset,CommConfigDialogW,ReadConsoleInputA,GetVersionExW,CreateActCtxW,InterlockedExchange,InterlockedExchangeAdd,GetShortPathNameW,GetCurrencyFormatW,GetLocaleInfoW,InterlockedIncrement,SetVolumeMountPointA,GlobalUnWire,CreateSemaphoreW, 7_2_004032A0
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_00403560 GetNumberFormatW,CreateJobObjectA,GetTimeFormatW,GetNumberFormatW,CreateJobObjectA,GetConsoleAliasExesA,CreateNamedPipeW,SetFileShortNameW,CreateProcessW,GetTimeFormatW,GetModuleFileNameW,TlsGetValue,SetEnvironmentVariableW,GetTimeFormatW,GetModuleFileNameA, 7_2_00403560
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_00409A64 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_00409A64
Source: C:\Users\user\AppData\Roaming\tcgiwaf Code function: 7_2_004032A0 GetNumberFormatW,InterlockedIncrement,SetFileAttributesW,GetCommMask,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,GetComputerNameA,ClearCommError,InterlockedIncrement,EnumTimeFormatsA,GetTempFileNameA,_memset,CommConfigDialogW,ReadConsoleInputA,GetVersionExW,CreateActCtxW,InterlockedExchange,InterlockedExchangeAdd,GetShortPathNameW,GetCurrencyFormatW,GetLocaleInfoW,InterlockedIncrement,SetVolumeMountPointA,GlobalUnWire,CreateSemaphoreW, 7_2_004032A0

Stealing of Sensitive Information
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1538071 Sample: 2Qvkmk7HGr.exe Startdate: 20/10/2024 Architecture: WINDOWS Score: 100 23 volisc.biz 2->23 25 tnc-corp.ru 2->25 27 2 other IPs or domains 2->27 39 Multi AV Scanner detection for domain / URL 2->39 41 Suricata IDS alerts for network traffic 2->41 43 Found malware configuration 2->43 45 7 other signatures 2->45 7 2Qvkmk7HGr.exe 2->7         started        10 tcgiwaf 2->10         started        12 tcgiwaf 2->12         started        signatures3 process4 signatures5 47 Detected unpacking (changes PE section rights) 7->47 49 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->49 51 Maps a DLL or memory area into another process 7->51 59 3 other signatures 7->59 14 explorer.exe 59 3 7->14 injected 53 Antivirus detection for dropped file 10->53 55 Multi AV Scanner detection for dropped file 10->55 57 Machine Learning detection for dropped file 10->57 process6 dnsIp7 29 tnc-corp.ru 211.171.233.126, 54853, 54854, 55686 LGDACOMLGDACOMCorporationKR Korea Republic of 14->29 19 C:\Users\user\AppData\Roaming\tcgiwaf, PE32 14->19 dropped 21 C:\Users\user\...\tcgiwaf:Zone.Identifier, ASCII 14->21 dropped 31 System process connects to network (likely due to code injection or exploit) 14->31 33 Benign windows process drops PE files 14->33 35 Deletes itself after installation 14->35 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->37 file8 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
211.171.233.126
 tnc-corp.ru Korea Republic of
3786 LGDACOMLGDACOMCorporationKR true

Contacted Domains

Name IP Active
tnc-corp.ru 211.171.233.126 true
volisc.biz unknown unknown
liverds.at unknown unknown
livbev.online unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://volisc.biz/tmp/index.php true unknown
http://livbev.online/tmp/index.php true
    		unknown
    http://liverds.at/tmp/index.php true
      		unknown
      http://tnc-corp.ru/tmp/index.php true
        		unknown