Analysis Overview
SHA256
79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de
Threat Level: Known bad
The file 79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-23 00:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-23 00:36
Reported
2023-09-23 00:42
Platform
win7-20230831-en
Max time kernel
328s
Max time network
324s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bdftcgh | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\bdftcgh | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\bdftcgh | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\bdftcgh | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bdftcgh | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2728 wrote to memory of 2528 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\bdftcgh |
| PID 2728 wrote to memory of 2528 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\bdftcgh |
| PID 2728 wrote to memory of 2528 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\bdftcgh |
| PID 2728 wrote to memory of 2528 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\bdftcgh |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe
"C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {40F53409-8588-4DE2-BBC1-D791ED661A35} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\bdftcgh
C:\Users\Admin\AppData\Roaming\bdftcgh
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | gudintas.at | udp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
| AR | 186.13.17.220:80 | gudintas.at | tcp |
Files
memory/2808-0-0x0000000000220000-0x0000000000235000-memory.dmp
memory/2808-1-0x0000000000240000-0x0000000000249000-memory.dmp
memory/2808-2-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2808-3-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2808-4-0x0000000000220000-0x0000000000235000-memory.dmp
memory/2808-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1208-5-0x0000000002E80000-0x0000000002E96000-memory.dmp
memory/2808-9-0x0000000000240000-0x0000000000249000-memory.dmp
C:\Users\Admin\AppData\Roaming\bdftcgh
| MD5 | 05a6b123f8ab7eaaeb40621f079bae87 |
| SHA1 | 2bebec5327c4411bb975b69cd92457f55111cfd1 |
| SHA256 | 79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de |
| SHA512 | 5be23582b62c25614b6007941520bc751801594ba29617875159a7d588eb1e34e747ef4a5236edf9d5f8c5caa2e20d50a99bc0d50b6356a1673dff5ef0785fa5 |
memory/2528-15-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2528-17-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1208-16-0x0000000002DB0000-0x0000000002DC6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-23 00:36
Reported
2023-09-23 00:42
Platform
win10-20230915-en
Max time kernel
300s
Max time network
299s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rucujcv | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rucujcv | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rucujcv | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rucujcv | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rucujcv | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe
"C:\Users\Admin\AppData\Local\Temp\79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de.exe"
C:\Users\Admin\AppData\Roaming\rucujcv
C:\Users\Admin\AppData\Roaming\rucujcv
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | gudintas.at | udp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| US | 8.8.8.8:53 | 79.216.224.84.in-addr.arpa | udp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| HU | 84.224.216.79:80 | gudintas.at | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.192.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
Files
memory/3464-0-0x00000000004A0000-0x00000000004B5000-memory.dmp
memory/3464-1-0x00000000004C0000-0x00000000004C9000-memory.dmp
memory/3464-2-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3232-3-0x00000000010C0000-0x00000000010D6000-memory.dmp
memory/3464-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3464-7-0x00000000004C0000-0x00000000004C9000-memory.dmp
memory/3464-8-0x00000000004A0000-0x00000000004B5000-memory.dmp
C:\Users\Admin\AppData\Roaming\rucujcv
| MD5 | 05a6b123f8ab7eaaeb40621f079bae87 |
| SHA1 | 2bebec5327c4411bb975b69cd92457f55111cfd1 |
| SHA256 | 79a62aa738291f15636bfdd41733c557467f5cc848ab47e0265dc30c34ff73de |
| SHA512 | 5be23582b62c25614b6007941520bc751801594ba29617875159a7d588eb1e34e747ef4a5236edf9d5f8c5caa2e20d50a99bc0d50b6356a1673dff5ef0785fa5 |
memory/4476-14-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3232-15-0x0000000002FB0000-0x0000000002FC6000-memory.dmp
memory/4476-16-0x0000000000400000-0x000000000043E000-memory.dmp