Analysis Overview
SHA256
5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489
Threat Level: Known bad
The file 5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-22 04:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-22 04:16
Reported
2023-09-22 04:21
Platform
win7-20230831-en
Max time kernel
300s
Max time network
125s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bbfbfag | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\bbfbfag | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\bbfbfag | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\bbfbfag | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bbfbfag | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 2640 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\bbfbfag |
Processes
C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe
"C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {8C2DF981-1EAD-42DA-823B-923982FFA14C} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\bbfbfag
C:\Users\Admin\AppData\Roaming\bbfbfag
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gudintas.at | udp |
| KR | 211.40.39.251:80 | gudintas.at | tcp |
Files
memory/2140-1-0x00000000007B0000-0x00000000008B0000-memory.dmp
memory/2140-2-0x0000000000400000-0x0000000000717000-memory.dmp
memory/2140-3-0x0000000000230000-0x0000000000239000-memory.dmp
memory/1204-4-0x00000000029A0000-0x00000000029B6000-memory.dmp
memory/2140-5-0x0000000000400000-0x0000000000717000-memory.dmp
C:\Users\Admin\AppData\Roaming\bbfbfag
| MD5 | ba46aac85484a5e446516a53359ef71d |
| SHA1 | fc487c46fb047de9a8d0c7433c11d97703f81704 |
| SHA256 | 5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489 |
| SHA512 | 924d02a9a757129858ee1d8300f30d1d824ee254192d2f0e69a7aaaff025d905c3603caf8d8254f184f58871b3860a3fb93340d4d5b544d91304f21807160bad |
memory/2640-14-0x00000000002D0000-0x00000000003D0000-memory.dmp
memory/2640-15-0x0000000000400000-0x0000000000717000-memory.dmp
memory/1204-16-0x0000000002C70000-0x0000000002C86000-memory.dmp
memory/2640-17-0x0000000000400000-0x0000000000717000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-22 04:16
Reported
2023-09-22 04:21
Platform
win10-20230915-en
Max time kernel
300s
Max time network
253s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\eghfuur | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eghfuur | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eghfuur | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eghfuur | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\eghfuur | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe
"C:\Users\Admin\AppData\Local\Temp\5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489.exe"
C:\Users\Admin\AppData\Roaming\eghfuur
C:\Users\Admin\AppData\Roaming\eghfuur
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gudintas.at | udp |
| KR | 211.40.39.251:80 | gudintas.at | tcp |
| US | 8.8.8.8:53 | 251.39.40.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/1232-1-0x00000000009E0000-0x0000000000AE0000-memory.dmp
memory/1232-2-0x0000000000400000-0x0000000000717000-memory.dmp
memory/1232-3-0x0000000000850000-0x0000000000859000-memory.dmp
memory/3288-4-0x0000000001340000-0x0000000001356000-memory.dmp
memory/1232-5-0x0000000000400000-0x0000000000717000-memory.dmp
C:\Users\Admin\AppData\Roaming\eghfuur
| MD5 | ba46aac85484a5e446516a53359ef71d |
| SHA1 | fc487c46fb047de9a8d0c7433c11d97703f81704 |
| SHA256 | 5454718e78b8dedd6d00cdb377fce6541d6456ea690f7e9fa64cc37ecdaa2489 |
| SHA512 | 924d02a9a757129858ee1d8300f30d1d824ee254192d2f0e69a7aaaff025d905c3603caf8d8254f184f58871b3860a3fb93340d4d5b544d91304f21807160bad |
memory/5080-14-0x0000000000910000-0x0000000000A10000-memory.dmp
memory/5080-15-0x0000000000400000-0x0000000000717000-memory.dmp
memory/3288-16-0x0000000003240000-0x0000000003256000-memory.dmp
memory/5080-17-0x0000000000400000-0x0000000000717000-memory.dmp