Analysis Overview
SHA256
734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af
Threat Level: Known bad
The file 734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-21 20:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-21 20:07
Reported
2023-09-21 20:10
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
SmokeLoader
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cadeaut | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cadeaut | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2244 set thread context of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe | C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe |
| PID 1400 set thread context of 2592 | N/A | C:\Users\Admin\AppData\Roaming\cadeaut | C:\Users\Admin\AppData\Roaming\cadeaut |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\cadeaut | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\cadeaut | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\cadeaut | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cadeaut | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe
"C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe"
C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe
"C:\Users\Admin\AppData\Local\Temp\734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af.exe"
C:\Users\Admin\AppData\Roaming\cadeaut
C:\Users\Admin\AppData\Roaming\cadeaut
C:\Users\Admin\AppData\Roaming\cadeaut
C:\Users\Admin\AppData\Roaming\cadeaut
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp |
| GB | 96.16.110.41:443 | N/A | tcp |
| US | 192.229.221.95:80 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
memory/2244-1-0x0000000000930000-0x0000000000A30000-memory.dmp
memory/2244-2-0x0000000002460000-0x0000000002469000-memory.dmp
memory/3044-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3044-4-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3044-6-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2608-5-0x00000000031D0000-0x00000000031E6000-memory.dmp
C:\Users\Admin\AppData\Roaming\cadeaut
| MD5 | 486ecdc9522e173d5cdef07bf7c22622 |
| SHA1 | efe7a2cf5a4271a3f76fd2cab5139ff8d7e9e5f2 |
| SHA256 | 734c300338f40643967931a824822684721d02b80912b7066814a7802eff06af |
| SHA512 | f2c493fce94e5865315f05b6de3105adf489064ca8081a8bf5487c47d753840e9c90bf5539f2b1b80813f730d70acd3faba7785183482d289e002688572dc0a3 |
memory/1400-16-0x0000000000730000-0x0000000000830000-memory.dmp
memory/2592-19-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2608-20-0x0000000003210000-0x0000000003226000-memory.dmp
memory/2592-21-0x0000000000400000-0x0000000000409000-memory.dmp