Overview

overview

10

Static

static

3

954c9a8408...e2.exe

windows7-x64

10

954c9a8408...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2023 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    954c9a84081ee955881bbd4f13d70fe2.exe

  • Size

    187KB

  • MD5

    954c9a84081ee955881bbd4f13d70fe2

  • SHA1

    eaf4d0c7a777c849352e020f16e25ac61ea46379

  • SHA256

    a09973818d133a17fc00542bf00d38a75e9b235d6e3d05b099d955f814c66e80

  • SHA512

    8d46acccbe61352da60715208f7f8e108fad5b2748c9a0f2fb25f36cc5a7cc87b848590414781299cf953d72893c8cd98c3645c0ce038621e6aaa7fc65a65294

  • SSDEEP

    3072:wtYR9pLhV6v//e5O5Z5ev99l9ENPGdwDYTuKJIX:zRfLhV6v//e5OG99lMGd7TuK

Score
10/10
betabotsmokeloaderbackdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/
rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\954c9a84081ee955881bbd4f13d70fe2.exe
    "C:\Users\Admin\AppData\Local\Temp\954c9a84081ee955881bbd4f13d70fe2.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1308
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 368
      2⤵
      • Program crash
      PID:2376
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1308 -ip 1308
    1⤵
      PID:384
    • C:\Users\Admin\AppData\Local\Temp\ABA1.exe
      C:\Users\Admin\AppData\Local\Temp\ABA1.exe
      1⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5104
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 1140
          3⤵
          • Program crash
          PID:4312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2960 -ip 2960
      1⤵
        PID:4684

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Defense Evasion

      Modify Registry

      6
      T1112

      Credential Access

      Discovery

      Query Registry

      5
      T1012

      System Information Discovery

      5
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ABA1.exe
        Filesize

        138KB

        MD5

        e61ff360a1413c6c2b3781f81bcdc992

        SHA1

        0be0c3e6dedae604faeaecbe743ce9fef220bbd3

        SHA256

        a3d8f5b9571ae65abf4032c43f08278686e714f04ade77372384e0d97ff27840

        SHA512

        fb84f3b4b6a2cc4f7c523fd8facdc9172c3b4d9d7cd9f5b59a5b58526b4008e70c3fe5411e27c8be616eb84ac5b4cb10790fc97b24d75e7f717fbe7466468b5d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\ABA1.exe
        Filesize

        108KB

        MD5

        493c594a1cfc363250f8516031c578fb

        SHA1

        81143f22fac361a91ceff9913789717bc0c6dabf

        SHA256

        3af6674ec7f8da81cfa780c2f3694ae25b3f088c5108294daaebc18a19b52eda

        SHA512

        1ae5b63a8bb32620a00dc7c5ea29e02d7ea6bbf0245223849449fb1d4f6aefed95f92b801ffbd936481f5105ad601fd3dc706dd33b38a192b36ee46fcea53ca2

        Download Submit
      • memory/1308-1-0x00000000023C0000-0x00000000024C0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1308-2-0x00000000021D0000-0x00000000021D9000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1308-3-0x0000000000400000-0x000000000214C000-memory.dmp
        Filesize

        29.3MB

        Download
      • memory/1308-7-0x0000000000400000-0x000000000214C000-memory.dmp
        Filesize

        29.3MB

        Download
      • memory/2960-34-0x0000000002EC0000-0x0000000002EC2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2960-36-0x00000000004E0000-0x0000000000913000-memory.dmp
        Filesize

        4.2MB

        Download
      • memory/2960-37-0x0000000001000000-0x00000000010C4000-memory.dmp
        Filesize

        784KB

        Download
      • memory/2960-24-0x00000000004E0000-0x0000000000914000-memory.dmp
        Filesize

        4.2MB

        Download
      • memory/2960-31-0x0000000001590000-0x0000000001591000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2960-28-0x0000000001000000-0x00000000010C4000-memory.dmp
        Filesize

        784KB

        Download
      • memory/2960-30-0x0000000001000000-0x00000000010C4000-memory.dmp
        Filesize

        784KB

        Download
      • memory/2960-26-0x00000000004E0000-0x0000000000914000-memory.dmp
        Filesize

        4.2MB

        Download
      • memory/3364-4-0x0000000002E10000-0x0000000002E25000-memory.dmp
        Filesize

        84KB

        Download
      • memory/5104-14-0x0000000000010000-0x000000000006D000-memory.dmp
        Filesize

        372KB

        Download
      • memory/5104-18-0x0000000002280000-0x00000000022E6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/5104-20-0x00000000772A4000-0x00000000772A5000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5104-21-0x0000000002800000-0x0000000002801000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5104-33-0x0000000002280000-0x00000000022E6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/5104-22-0x0000000002830000-0x000000000283C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/5104-23-0x0000000002280000-0x00000000022E6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/5104-16-0x0000000002280000-0x00000000022E6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/5104-17-0x0000000002640000-0x000000000264D000-memory.dmp
        Filesize

        52KB

        Download