Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
22-12-2023 15:45
General
-
Target
df87f718fb9e4e94e0b202af8b84f22b.exe
-
Size
282KB
-
MD5
df87f718fb9e4e94e0b202af8b84f22b
-
SHA1
e63f6762c1182004f4db715b9216fd8a6387e096
-
SHA256
e70c261bbee76cac0f53d99beb2c1a70938d75a9c6e99459c531a6ec57a10f54
-
SHA512
9929db3ebde4297d4b3223bc15c1353e8658afd1cfa5045a7a9afbb573eb300051918e25ef0b3d8db45783c1b6e0cc45f6de46063a2f1dadd5bd009b5052aca8
-
SSDEEP
6144:bIQEK8NZVn50WAi0HK55N28f4TH8dWDg:tEK87Vn50WAi0Arf4z8Ag
Malware Config
Extracted
smokeloader
2020
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
NSIS installer 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\df87f718fb9e4e94e0b202af8b84f22b.exe"C:\Users\Admin\AppData\Local\Temp\df87f718fb9e4e94e0b202af8b84f22b.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\df87f718fb9e4e94e0b202af8b84f22b.exe"C:\Users\Admin\AppData\Local\Temp\df87f718fb9e4e94e0b202af8b84f22b.exe"3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\D614.exeC:\Users\Admin\AppData\Local\Temp\D614.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u7o335q7_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\u7o335q7.exe" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\E2C2.exeC:\Users\Admin\AppData\Local\Temp\E2C2.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\D614.exeFilesize
360KB
MD594f379933c102d45a3bdb6d46070c3b6
SHA1e4004532129c49d22279737f26cff1f00b45a092
SHA256814a9e454a6bb2d8fc04560b917cbcae6860b873625507b9fa17cc817e2e95ff
SHA5124847abc92cdfe5d0fe8bbd351195644ff7354cdd9e4cc6ecb5e2434bc8a43c292dc20013bdaac263319d94ca2792e54c244dbe11bcfa94f37a0e0d4c4ac66aaf
-
C:\Users\Admin\AppData\Local\Temp\E2C2.exeFilesize
31KB
MD5fc9dfe521be7e9ffc43c2fc51286d39c
SHA1c18a4099bdedcb8d08b91cf0f23ddb616bf9d5d9
SHA25629a177fde517ee1c366bfa0c5bcf6f3331758618629233abf231690b94ab0a58
SHA512b7bceae98c07bbec50c51321a920cf49ec93cf11416bb373dfb8664fbde8705e0f915d1c4aff8d030a3f5fe639ee2151c51ac4057464534d704014ac9d560103
-
C:\Users\Admin\AppData\Local\Temp\u7o335q7_1.exeFilesize
92KB
MD5e4acd7ca2ea87f6a25ed6616651d6e5a
SHA19834b33f79c40a3a1877caadbae8d5e66c72321b
SHA25664da0216177a135f000ee6c5a4d41d08844fae011bdb4658ea8ac5feb2df9f48
SHA51203c8dd00b4846dc3495b0925b8b0f5096dd2eb163ca0fe7907b7cdd2c0e585df0419921e9cbd2d68c828f0f1905cf5fca5892c6e3de6dcdf54fd3dd608601303
-
\Users\Admin\AppData\Local\Temp\u7o335q7_1.exeFilesize
302KB
MD50a81d67b97713c1c6629d1c9ed6f3bb9
SHA17c2db1265dc0610a7dc0fb2f1cef8d5d13220ffc
SHA2564a037a9df109d9916edb203fe932fe5fb93557d44864766b96f8ccd9853bce91
SHA512be53c378fa0653502ac142a36df2526c88e336ab220a68c057fa33e9a0f199c3de558cafbb3c52bc3c72d612394da7c95de24b235ec5d5ca5b21f4350be3b7b3
-
memory/1212-106-0x0000000000060000-0x00000000000C5000-memory.dmpFilesize
404KB
-
memory/1212-102-0x0000000000060000-0x00000000000C6000-memory.dmpFilesize
408KB
-
memory/1212-105-0x0000000000100000-0x000000000010B000-memory.dmpFilesize
44KB
-
memory/1212-103-0x0000000000060000-0x00000000000C6000-memory.dmpFilesize
408KB
-
memory/1232-7-0x0000000002970000-0x0000000002986000-memory.dmpFilesize
88KB
-
memory/1232-97-0x0000000002950000-0x0000000002951000-memory.dmpFilesize
4KB
-
memory/1232-62-0x0000000077471000-0x0000000077472000-memory.dmpFilesize
4KB
-
memory/1672-77-0x0000000077471000-0x0000000077472000-memory.dmpFilesize
4KB
-
memory/2092-8-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2092-5-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2092-6-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2092-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2120-61-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-69-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-34-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-37-0x00000000002A0000-0x00000000002A6000-memory.dmpFilesize
24KB
-
memory/2120-38-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-43-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-44-0x00000000001A0000-0x0000000000264000-memory.dmpFilesize
784KB
-
memory/2120-45-0x00000000003B0000-0x00000000003BC000-memory.dmpFilesize
48KB
-
memory/2120-41-0x00000000001A0000-0x0000000000264000-memory.dmpFilesize
784KB
-
memory/2120-40-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-39-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-36-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-35-0x00000000001A0000-0x0000000000264000-memory.dmpFilesize
784KB
-
memory/2120-112-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-101-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-49-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-50-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-51-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-95-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-86-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-76-0x00000000001A0000-0x0000000000264000-memory.dmpFilesize
784KB
-
memory/2120-73-0x00000000002A0000-0x00000000002A6000-memory.dmpFilesize
24KB
-
memory/2120-60-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-63-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-64-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-65-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-66-0x00000000001A0000-0x0000000000264000-memory.dmpFilesize
784KB
-
memory/2120-67-0x0000000077420000-0x00000000775C9000-memory.dmpFilesize
1.7MB
-
memory/2120-68-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-33-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-72-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-71-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-70-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2120-74-0x0000000077600000-0x0000000077781000-memory.dmpFilesize
1.5MB
-
memory/2280-59-0x00000000001F0000-0x0000000000786000-memory.dmpFilesize
5.6MB
-
memory/2280-91-0x00000000001F0000-0x0000000000786000-memory.dmpFilesize
5.6MB
-
memory/2384-3-0x00000000001B0000-0x00000000001B9000-memory.dmpFilesize
36KB
-
memory/2384-1-0x0000000000290000-0x0000000000390000-memory.dmpFilesize
1024KB
-
memory/2876-88-0x0000000001CC0000-0x0000000001D26000-memory.dmpFilesize
408KB
-
memory/2876-110-0x00000000002A0000-0x00000000002A6000-memory.dmpFilesize
24KB
-
memory/2876-89-0x00000000002A0000-0x00000000002A6000-memory.dmpFilesize
24KB
-
memory/2876-108-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/2876-94-0x0000000001CC0000-0x0000000001D26000-memory.dmpFilesize
408KB
-
memory/2876-93-0x0000000001D40000-0x0000000001D4C000-memory.dmpFilesize
48KB
-
memory/2876-109-0x0000000001CC0000-0x0000000001D26000-memory.dmpFilesize
408KB
-
memory/2876-90-0x0000000001CC0000-0x0000000001D26000-memory.dmpFilesize
408KB
-
memory/2932-47-0x0000000001D50000-0x0000000001DB6000-memory.dmpFilesize
408KB
-
memory/2932-26-0x0000000001D50000-0x0000000001DB6000-memory.dmpFilesize
408KB
-
memory/2932-24-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2932-23-0x0000000001D50000-0x0000000001DB6000-memory.dmpFilesize
408KB
-
memory/2932-22-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/2932-30-0x0000000002500000-0x000000000250C000-memory.dmpFilesize
48KB
-
memory/2932-27-0x0000000077610000-0x0000000077611000-memory.dmpFilesize
4KB
-
memory/2932-31-0x0000000001D50000-0x0000000001DB6000-memory.dmpFilesize
408KB
-
memory/2932-29-0x0000000001DC0000-0x0000000001DC1000-memory.dmpFilesize
4KB
-
memory/2932-25-0x0000000000320000-0x000000000032D000-memory.dmpFilesize
52KB
-
memory/2932-48-0x0000000001DE0000-0x0000000001DE1000-memory.dmpFilesize
4KB