Analysis Overview
SHA256
f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606
Threat Level: Known bad
The file f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-15 06:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 06:07
Reported
2024-03-15 06:10
Platform
win7-20240221-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\djhrfij | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\djhrfij | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\djhrfij | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\djhrfij | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1728 wrote to memory of 1828 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\djhrfij |
| PID 1728 wrote to memory of 1828 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\djhrfij |
| PID 1728 wrote to memory of 1828 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\djhrfij |
| PID 1728 wrote to memory of 1828 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\djhrfij |
Processes
C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe
"C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {2B566BD8-2490-480C-B1A4-22006194D13E} S-1-5-21-778096762-2241304387-192235952-1000:AYFLYVMK\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\djhrfij
C:\Users\Admin\AppData\Roaming\djhrfij
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nidoe.org | udp |
| KR | 175.119.10.231:80 | nidoe.org | tcp |
| KR | 175.119.10.231:80 | nidoe.org | tcp |
| KR | 175.119.10.231:80 | nidoe.org | tcp |
| KR | 175.119.10.231:80 | nidoe.org | tcp |
| KR | 175.119.10.231:80 | nidoe.org | tcp |
| KR | 175.119.10.231:80 | nidoe.org | tcp |
| KR | 175.119.10.231:80 | nidoe.org | tcp |
| KR | 175.119.10.231:80 | nidoe.org | tcp |
| KR | 175.119.10.231:80 | nidoe.org | tcp |
| KR | 175.119.10.231:80 | nidoe.org | tcp |
Files
memory/2192-1-0x00000000008E0000-0x00000000009E0000-memory.dmp
memory/2192-2-0x00000000003B0000-0x00000000003BB000-memory.dmp
memory/2192-3-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1356-4-0x0000000002670000-0x0000000002686000-memory.dmp
memory/2192-5-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Roaming\djhrfij
| MD5 | 99dbdc616a0156da7de4ddfed412d1be |
| SHA1 | 046d9a56d7645d417ae829b740104b8f01795138 |
| SHA256 | f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606 |
| SHA512 | 1fd1943143666b3718764322e25b111c3c1c434f4ec71de9f0fed7b5c64f015374556f1cbc78aca6641b27ad7f447e64760de2b1d4a8d085ef42fad7a34d22fb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-15 06:07
Reported
2024-03-15 06:10
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
147s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\esahaas | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe
"C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Roaming\esahaas
C:\Users\Admin\AppData\Roaming\esahaas
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.201.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nidoe.org | udp |
| JM | 63.143.98.185:80 | nidoe.org | tcp |
| JM | 63.143.98.185:80 | nidoe.org | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.98.143.63.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| JM | 63.143.98.185:80 | nidoe.org | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| JM | 63.143.98.185:80 | nidoe.org | tcp |
| JM | 63.143.98.185:80 | nidoe.org | tcp |
| JM | 63.143.98.185:80 | nidoe.org | tcp |
| US | 13.107.246.64:443 | tcp | |
| JM | 63.143.98.185:80 | nidoe.org | tcp |
| JM | 63.143.98.185:80 | nidoe.org | tcp |
| JM | 63.143.98.185:80 | nidoe.org | tcp |
| JM | 63.143.98.185:80 | nidoe.org | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 170.253.116.51.in-addr.arpa | udp |
Files
memory/4700-1-0x00000000007B0000-0x00000000008B0000-memory.dmp
memory/4700-2-0x0000000000610000-0x000000000061B000-memory.dmp
memory/4700-3-0x0000000000400000-0x0000000000474000-memory.dmp
memory/4700-4-0x0000000000400000-0x0000000000474000-memory.dmp
memory/3156-5-0x0000000002F70000-0x0000000002F86000-memory.dmp
memory/4700-6-0x0000000000400000-0x0000000000474000-memory.dmp
memory/4700-9-0x0000000000610000-0x000000000061B000-memory.dmp
C:\Users\Admin\AppData\Roaming\esahaas
| MD5 | 99dbdc616a0156da7de4ddfed412d1be |
| SHA1 | 046d9a56d7645d417ae829b740104b8f01795138 |
| SHA256 | f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606 |
| SHA512 | 1fd1943143666b3718764322e25b111c3c1c434f4ec71de9f0fed7b5c64f015374556f1cbc78aca6641b27ad7f447e64760de2b1d4a8d085ef42fad7a34d22fb |