Analysis Overview
SHA256
fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691
Threat Level: Known bad
The file fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-23 16:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-23 16:48
Reported
2023-09-23 16:50
Platform
win10-20230915-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sdecveg | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sdecveg | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 916 set thread context of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe | C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe |
| PID 3952 set thread context of 4436 | N/A | C:\Users\Admin\AppData\Roaming\sdecveg | C:\Users\Admin\AppData\Roaming\sdecveg |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sdecveg | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sdecveg | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sdecveg | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sdecveg | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe
"C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe"
C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe
"C:\Users\Admin\AppData\Local\Temp\fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691.exe"
C:\Users\Admin\AppData\Roaming\sdecveg
C:\Users\Admin\AppData\Roaming\sdecveg
C:\Users\Admin\AppData\Roaming\sdecveg
C:\Users\Admin\AppData\Roaming\sdecveg
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.252.72.23.in-addr.arpa | udp |
Files
memory/916-1-0x0000000002750000-0x0000000002850000-memory.dmp
memory/916-2-0x00000000026F0000-0x00000000026F9000-memory.dmp
memory/2636-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2636-4-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2636-6-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3296-5-0x0000000001450000-0x0000000001466000-memory.dmp
C:\Users\Admin\AppData\Roaming\sdecveg
| Hash | Value |
|---|---|
| MD5 | 14b3ae8430e975d51a5452484a3bcfb5 |
| SHA1 | 4b1e785d83d7b3737c59c4ee81f7ae006792596d |
| SHA256 | fbf7afb2ded5b12702f92f5c3620486e19b6d3a15b8703d8cf80b8d30a55b691 |
| SHA512 | 7e0ae58ea2b6f5261823930b973e8855dfab7c226484dd03da0a1604a39cc2e05df98624df4cc6dbc533df191af59510a0f2804986cb909f32e62b5d5db71068 |
memory/3952-16-0x0000000002700000-0x0000000002800000-memory.dmp
memory/4436-19-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3296-20-0x0000000001720000-0x0000000001736000-memory.dmp
memory/4436-23-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3952-25-0x0000000002700000-0x0000000002800000-memory.dmp