Analysis Overview
SHA256
5ae6ad592f3806e2840611a519b023a8784e964dc7c9a242e74842e6db0a79d0
Threat Level: Known bad
The file e6e3028a84a32392db5d40c60d64a79b was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-20 16:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-20 16:25
Reported
2023-12-21 02:11
Platform
win7-20231215-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fbaecta | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fbaecta | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fbaecta | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fbaecta | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fbaecta | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2652 wrote to memory of 2592 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\fbaecta |
Processes
C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe
"C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {35DD2874-F2B1-443B-830B-DD3F6142C5B9} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\fbaecta
C:\Users\Admin\AppData\Roaming\fbaecta
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | gmpeople.com | udp |
| DE | 3.64.163.50:80 | gmpeople.com | tcp |
| US | 8.8.8.8:53 | mile48.com | udp |
| US | 208.91.197.46:80 | mile48.com | tcp |
| US | 8.8.8.8:53 | lecanardstsornin.com | udp |
| US | 8.8.8.8:53 | m3600.com | udp |
| US | 8.8.8.8:53 | camasirx.com | udp |
| TR | 89.107.229.40:80 | camasirx.com | tcp |
Files
memory/2156-3-0x0000000000400000-0x0000000000870000-memory.dmp
memory/2156-2-0x0000000000020000-0x0000000000029000-memory.dmp
memory/2156-1-0x00000000009B0000-0x0000000000AB0000-memory.dmp
memory/2156-5-0x0000000000400000-0x0000000000870000-memory.dmp
memory/1252-4-0x0000000002D70000-0x0000000002D85000-memory.dmp
C:\Users\Admin\AppData\Roaming\fbaecta
| MD5 | dfc4e0dec637550b9e954e8d819ef545 |
| SHA1 | b3d5c412e6f87b582edaffe1f03d0728b8c9a94e |
| SHA256 | f7c6e2feb987994ee79cd6796e69a2aecd5f9cd0c16b205973c45aa30e4de72a |
| SHA512 | a940f0dde6c270a2a6fd1ed6704b2da94b3d0bff531b21ee3446fbf77e67be3350f3134357c45ba19be5ec805f78b3de99113090b29f012a109f7d4ed95094d8 |
C:\Users\Admin\AppData\Roaming\fbaecta
| MD5 | 6df330b1ac8486975f3562b8f254ecd7 |
| SHA1 | d8489b83dfc814c73f4421240432600b48605a21 |
| SHA256 | 397c49987de53d43a440fc7519a8a63da5b8642eb77fd94961e56deabd329e16 |
| SHA512 | 862b6b6657c26a7ea3b593e80d3498f45938e317048692d768eb4d1c0e9527b0ffdb4b17b341159de26602657b9ec84cca72164de76e09f690127097097c1ef7 |
memory/2592-14-0x0000000000230000-0x0000000000330000-memory.dmp
memory/2592-15-0x0000000000400000-0x0000000000870000-memory.dmp
memory/2592-17-0x0000000000400000-0x0000000000870000-memory.dmp
memory/1252-16-0x0000000002E20000-0x0000000002E35000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-20 16:25
Reported
2023-12-21 02:12
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
150s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\faueage | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\faueage | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\faueage | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\faueage | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\faueage | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe
"C:\Users\Admin\AppData\Local\Temp\e6e3028a84a32392db5d40c60d64a79b.exe"
C:\Users\Admin\AppData\Roaming\faueage
C:\Users\Admin\AppData\Roaming\faueage
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gmpeople.com | udp |
| DE | 3.64.163.50:80 | gmpeople.com | tcp |
| US | 8.8.8.8:53 | mile48.com | udp |
| US | 208.91.197.46:80 | mile48.com | tcp |
| US | 8.8.8.8:53 | 50.163.64.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lecanardstsornin.com | udp |
| US | 8.8.8.8:53 | m3600.com | udp |
| US | 8.8.8.8:53 | camasirx.com | udp |
| TR | 89.107.229.40:80 | camasirx.com | tcp |
| US | 8.8.8.8:53 | 46.197.91.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.229.107.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/5036-1-0x0000000000A40000-0x0000000000B40000-memory.dmp
memory/5036-2-0x00000000001C0000-0x00000000001C9000-memory.dmp
memory/5036-3-0x0000000000400000-0x0000000000870000-memory.dmp
memory/3516-4-0x0000000002830000-0x0000000002845000-memory.dmp
memory/5036-5-0x0000000000400000-0x0000000000870000-memory.dmp
C:\Users\Admin\AppData\Roaming\faueage
| MD5 | 0a1472bf189132792f41a95dd4940a5c |
| SHA1 | df955d6063120876087db564c03a249573ea4ceb |
| SHA256 | 6d261231c63ebcc8d96d4a027dbb20bbfd03d90651753ac56c1be2038482b192 |
| SHA512 | 81fb72d2bf0fcfa7ec0527925afe8751bd259f5975ed91fa6fdbd9b77c5803243540d568e43583e5015c7dd96c6062ed96ae71fecdc21c39b6f064e7b377de71 |
C:\Users\Admin\AppData\Roaming\faueage
| MD5 | e6e3028a84a32392db5d40c60d64a79b |
| SHA1 | 9b6b9232d4104458e6d2293af4c923e423072e4a |
| SHA256 | 5ae6ad592f3806e2840611a519b023a8784e964dc7c9a242e74842e6db0a79d0 |
| SHA512 | 2f17159bf47ded19aa5d22353fa2cf6d5324653224afbc88ccfbba44131dfd7c15c9f91bbf03f869fa4a766dcb459241238b8d637f668648dc4f33fcb648b85f |
memory/3128-14-0x0000000000AC0000-0x0000000000BC0000-memory.dmp
memory/3128-15-0x0000000000400000-0x0000000000870000-memory.dmp
memory/3516-16-0x00000000041E0000-0x00000000041F5000-memory.dmp
memory/3128-19-0x0000000000400000-0x0000000000870000-memory.dmp