Overview

overview

10

Static

static

3

376349c30b...a0.exe

windows7-x64

10

376349c30b...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2023 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    376349c30b19dea794469cf65f012ca0.exe

  • Size

    203KB

  • MD5

    376349c30b19dea794469cf65f012ca0

  • SHA1

    0eac406b118bb4a35e7501306577d689d2dbb85e

  • SHA256

    06b7da2a21d1375abfb7d433fe0acd3816524390605df00ae4d01660bbe92923

  • SHA512

    996a9eb46fa22413aec5741d1f70deae1d59539a79cb362eefd472c3b860971cecef8270af6a4203c7f39499c0fc957076f5728682b97666bff26b1dc7bb82d4

  • SSDEEP

    3072:UL4yhYY/3d0wTF29H9jmHd7cxatBgGgS/lPYxAxAU:UL4yhB/3dg9gFVg8FY6xA

Score
10/10
betabotsmokeloaderbackdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/
rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\376349c30b19dea794469cf65f012ca0.exe
    "C:\Users\Admin\AppData\Local\Temp\376349c30b19dea794469cf65f012ca0.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4168
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 368
      2⤵
      • Program crash
      PID:5060
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4168 -ip 4168
    1⤵
      PID:2276
    • C:\Users\Admin\AppData\Local\Temp\ABD0.exe
      C:\Users\Admin\AppData\Local\Temp\ABD0.exe
      1⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1140
          3⤵
          • Program crash
          PID:4704
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4376 -ip 4376
      1⤵
        PID:4640

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Defense Evasion

      Modify Registry

      6
      T1112

      Credential Access

      Discovery

      Query Registry

      5
      T1012

      System Information Discovery

      5
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ABD0.exe
        Filesize

        30KB

        MD5

        a4e7ac0800a8ab24290a7060d1198e10

        SHA1

        38e3d79639bf2b6fe4d62f77bfdec1760f7e022c

        SHA256

        c7d665db307fdee1654495216284ac9f498c88c3155324466eb641fff5c08fed

        SHA512

        0641f2dbcb97eb925486975c5b9247aa1162931047aa808056d7f85879b05fece5625b902a2cb64300c8fb24ca72b41f9a739ea8c334187edba8003de1ae7de7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\ABD0.exe
        Filesize

        35KB

        MD5

        86cac1959b70f02bd8ccac3661e70a76

        SHA1

        7feabe2ca7674f22317017b9f4b24feab1eb90e0

        SHA256

        d2ef6940e22d1041162b55a01bc4687266762af3a48b119293229010bdffa2db

        SHA512

        4ad2488f89a75af3db955033f5dd9ca21dfc43c0dbc62ddce58c1986fdb67b75d153b4168c85fd25beedf73537f8a118b62851979ea679524ae7cc66070cb431

        Download Submit
      • memory/2316-20-0x0000000077214000-0x0000000077215000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2316-23-0x00000000022A0000-0x0000000002306000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2316-19-0x00000000005E0000-0x00000000005ED000-memory.dmp
        Filesize

        52KB

        Download
      • memory/2316-14-0x0000000000010000-0x000000000006D000-memory.dmp
        Filesize

        372KB

        Download
      • memory/2316-16-0x00000000022A0000-0x0000000002306000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2316-17-0x00000000022A0000-0x0000000002306000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2316-24-0x00000000022A0000-0x0000000002306000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2316-33-0x00000000022A0000-0x0000000002306000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2316-22-0x0000000002830000-0x000000000283C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/2316-21-0x0000000002800000-0x0000000002801000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3404-4-0x0000000003180000-0x0000000003195000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4168-7-0x0000000000400000-0x0000000001D80000-memory.dmp
        Filesize

        25.5MB

        Download
      • memory/4168-1-0x0000000001E20000-0x0000000001F20000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/4168-3-0x0000000000400000-0x0000000001D80000-memory.dmp
        Filesize

        25.5MB

        Download
      • memory/4168-2-0x0000000001F40000-0x0000000001F49000-memory.dmp
        Filesize

        36KB

        Download
      • memory/4376-34-0x0000000003FE0000-0x0000000003FE2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4376-30-0x0000000000110000-0x00000000001D4000-memory.dmp
        Filesize

        784KB

        Download
      • memory/4376-28-0x0000000000110000-0x00000000001D4000-memory.dmp
        Filesize

        784KB

        Download
      • memory/4376-31-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4376-27-0x0000000000C80000-0x00000000010B4000-memory.dmp
        Filesize

        4.2MB

        Download
      • memory/4376-37-0x0000000000110000-0x00000000001D4000-memory.dmp
        Filesize

        784KB

        Download
      • memory/4376-36-0x0000000000C80000-0x00000000010B3000-memory.dmp
        Filesize

        4.2MB

        Download
      • memory/4376-25-0x0000000000C80000-0x00000000010B4000-memory.dmp
        Filesize

        4.2MB

        Download