Analysis
-
max time kernel
162s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
22-12-2023 05:29
General
-
Target
718b20cdfd7efb4a26aa0aa020e46af0.exe
-
Size
147KB
-
MD5
718b20cdfd7efb4a26aa0aa020e46af0
-
SHA1
466be33731b34e28b56580f499cc7665bd3e77a9
-
SHA256
0ff586cfb65d5fff23f0410d1082a1852c75ca972967fb84031febe0e9a227af
-
SHA512
2cd4b934b3e51be5869b7f78bdaabb8803e8b6ef36cb51d63384ac5492f7a277cd84c3837026027cd3945e14199650fa97c52a96a03b9541af7c755f1247502f
-
SSDEEP
1536:/qdK3LyZnzrkB4BNeF1hwEQjomml3mwG0SbJrSKfIqNW0IyBRg3Hiz2j5t9WMi9y:SsX17mF4JcWpQSY2j5t9WptBD
Malware Config
Extracted
smokeloader
2020
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe"C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe"C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\FCEE.exeC:\Users\Admin\AppData\Local\Temp\FCEE.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 11363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4680 -ip 46801⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FCEE.exeFilesize
360KB
MD594f379933c102d45a3bdb6d46070c3b6
SHA1e4004532129c49d22279737f26cff1f00b45a092
SHA256814a9e454a6bb2d8fc04560b917cbcae6860b873625507b9fa17cc817e2e95ff
SHA5124847abc92cdfe5d0fe8bbd351195644ff7354cdd9e4cc6ecb5e2434bc8a43c292dc20013bdaac263319d94ca2792e54c244dbe11bcfa94f37a0e0d4c4ac66aaf
-
memory/228-21-0x00000000022F0000-0x0000000002356000-memory.dmpFilesize
408KB
-
memory/228-35-0x0000000002820000-0x0000000002821000-memory.dmpFilesize
4KB
-
memory/228-25-0x00000000022F0000-0x0000000002356000-memory.dmpFilesize
408KB
-
memory/228-34-0x00000000022F0000-0x0000000002356000-memory.dmpFilesize
408KB
-
memory/228-20-0x0000000077EB4000-0x0000000077EB5000-memory.dmpFilesize
4KB
-
memory/228-24-0x0000000000920000-0x0000000000921000-memory.dmpFilesize
4KB
-
memory/228-16-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/228-18-0x00000000022F0000-0x0000000002356000-memory.dmpFilesize
408KB
-
memory/228-19-0x0000000000510000-0x000000000051D000-memory.dmpFilesize
52KB
-
memory/228-22-0x0000000002830000-0x000000000283C000-memory.dmpFilesize
48KB
-
memory/2232-4-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2232-6-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2232-3-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3292-5-0x0000000000F60000-0x0000000000F76000-memory.dmpFilesize
88KB
-
memory/4680-36-0x0000000004560000-0x0000000004562000-memory.dmpFilesize
8KB
-
memory/4680-28-0x0000000000B50000-0x0000000000F84000-memory.dmpFilesize
4.2MB
-
memory/4680-30-0x0000000000810000-0x00000000008D4000-memory.dmpFilesize
784KB
-
memory/4680-29-0x0000000000810000-0x00000000008D4000-memory.dmpFilesize
784KB
-
memory/4680-32-0x0000000000810000-0x00000000008D4000-memory.dmpFilesize
784KB
-
memory/4680-26-0x0000000000B50000-0x0000000000F84000-memory.dmpFilesize
4.2MB
-
memory/4680-39-0x0000000000810000-0x00000000008D4000-memory.dmpFilesize
784KB
-
memory/4680-38-0x0000000000B50000-0x0000000000F83000-memory.dmpFilesize
4.2MB
-
memory/4880-2-0x00000000001C0000-0x00000000001C9000-memory.dmpFilesize
36KB
-
memory/4880-1-0x0000000002150000-0x0000000002250000-memory.dmpFilesize
1024KB