Analysis Overview
SHA256
1bb992ed6e0b7861afa33bca11cdb13b50dbcedcfd1c9fbb3551fbe805d795db
Threat Level: Known bad
The file 6252a112e0b7ec864abc4005b38d1077.bin was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Unsigned PE
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-14 02:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 02:17
Reported
2024-03-14 02:20
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sabgvth | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sabgvth | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sabgvth | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sabgvth | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sabgvth | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2660 wrote to memory of 2764 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\sabgvth |
| PID 2660 wrote to memory of 2764 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\sabgvth |
| PID 2660 wrote to memory of 2764 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\sabgvth |
| PID 2660 wrote to memory of 2764 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\sabgvth |
Processes
C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe
"C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {7C2471DD-CF0A-401E-BB8B-B7AB3C7A4E35} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\sabgvth
C:\Users\Admin\AppData\Roaming\sabgvth
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | nidoe.org | udp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
Files
memory/1460-1-0x0000000000560000-0x0000000000660000-memory.dmp
memory/1460-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1460-3-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1460-5-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1212-4-0x0000000003170000-0x0000000003186000-memory.dmp
C:\Users\Admin\AppData\Roaming\sabgvth
| MD5 | 6252a112e0b7ec864abc4005b38d1077 |
| SHA1 | 24374bebe039057efc1cd4d3a325580757530d2a |
| SHA256 | 1bb992ed6e0b7861afa33bca11cdb13b50dbcedcfd1c9fbb3551fbe805d795db |
| SHA512 | e66c5f0a905abdebfed899b4ee9461bba10a54b940ca3218d31b89edc5bb6b990ab86873ec5dbf47d1e594cfb9a817ec733a6561e60e2a2c6491ac57b19ea4a9 |
C:\Users\Admin\AppData\Roaming\sabgvth
| MD5 | 197f4e10c89b2a97633051eb7018257b |
| SHA1 | a712f3d9ec428b152d566e941b492d332bb37e71 |
| SHA256 | e76b0ea1fe7563f195284a0388d03b313085b83a599512531a236597cf736e27 |
| SHA512 | eed6294a775239fe3d5f5b1f7edffd76d2dd3e96d3d935c8d758573ab455d3f198d767acb9a81eba739bce51f12df961e1c7c1c3803a96d3b0a53115119bf98d |
memory/2764-14-0x00000000005E0000-0x00000000006E0000-memory.dmp
memory/2764-15-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2764-17-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1212-16-0x0000000002E30000-0x0000000002E46000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 02:17
Reported
2024-03-14 02:20
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sacrewu | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sacrewu | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sacrewu | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sacrewu | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sacrewu | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe
"C:\Users\Admin\AppData\Local\Temp\6252a112e0b7ec864abc4005b38d1077.exe"
C:\Users\Admin\AppData\Roaming\sacrewu
C:\Users\Admin\AppData\Roaming\sacrewu
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nidoe.org | udp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| US | 8.8.8.8:53 | 243.161.140.123.in-addr.arpa | udp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| KR | 123.140.161.243:80 | nidoe.org | tcp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
memory/1824-2-0x00000000004C0000-0x00000000004CB000-memory.dmp
memory/1824-3-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1824-1-0x0000000000510000-0x0000000000610000-memory.dmp
memory/1824-5-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3464-4-0x0000000002690000-0x00000000026A6000-memory.dmp
C:\Users\Admin\AppData\Roaming\sacrewu
| MD5 | 6252a112e0b7ec864abc4005b38d1077 |
| SHA1 | 24374bebe039057efc1cd4d3a325580757530d2a |
| SHA256 | 1bb992ed6e0b7861afa33bca11cdb13b50dbcedcfd1c9fbb3551fbe805d795db |
| SHA512 | e66c5f0a905abdebfed899b4ee9461bba10a54b940ca3218d31b89edc5bb6b990ab86873ec5dbf47d1e594cfb9a817ec733a6561e60e2a2c6491ac57b19ea4a9 |
memory/3500-14-0x00000000006D0000-0x00000000007D0000-memory.dmp
memory/3500-15-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3464-16-0x0000000002800000-0x0000000002816000-memory.dmp
memory/3500-19-0x0000000000400000-0x0000000000438000-memory.dmp