Analysis
-
max time kernel
149s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
24-12-2023 17:14
General
-
Target
07ceef005d2626297437e3289872bf40.exe
-
Size
326KB
-
MD5
07ceef005d2626297437e3289872bf40
-
SHA1
d1735d9e00c820525c6005b2e339a4ac0882efa9
-
SHA256
4d850649831a4cad6dd9d2a6b67fbacc70933c15dd4bd56ff6ffdb27da7aa4a8
-
SHA512
d4979eb0452c285997fd55fa9873e98f6281f442900e1238ce5a5d9c00b11f26ba1de7a484de50de391f5a7492969f685868e46d4660a23b44602dcdfb44610a
-
SSDEEP
6144:7ZqLyrRhjz2YKt3MdauLJb3mZ6JJhrr5Ktxxs23:AYRhjKvt3Mda0b2QTVFos2
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\07ceef005d2626297437e3289872bf40.exe"C:\Users\Admin\AppData\Local\Temp\07ceef005d2626297437e3289872bf40.exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F048.exeC:\Users\Admin\AppData\Local\Temp\F048.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\k19o73yy51m_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\K19O73~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\FF66.exeC:\Users\Admin\AppData\Local\Temp\FF66.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\F048.exeFilesize
360KB
MD5ce234dc403a41edbc5d5f2e262ebcec5
SHA15a7e8fc06dca1c6b6bb8d433235c194ce19370f6
SHA25617949b1eec606cb3a82d5a57057f560b3ad0584bcb172ed20bf2ce0a209dacc2
SHA51203ec1a9fd44e1e9f57b6a591137a8e7669c5bd2c43eb5e59e7d3fa3f94dcbda890fe79f123d0ad19dc56e29b588886909a557e36725036b30f6b9d18eeb5269b
-
C:\Users\Admin\AppData\Local\Temp\FF66.exeFilesize
198KB
MD5ae36fabd3719835d442ac1b26d314bd0
SHA192626393201a227497a4006252c1a61c109dfbb1
SHA256d33378a360b5f7b15fb9773c8e60539abdaa6f5fd784eb204441ce4db2dc868f
SHA512344e8f3405592ef63cfed85fefc936c9c3b141ea6c3b8b32fdf0f204f16673db7f1b7ac4a21eda3ca6d126b7a7d8443a0a817a06ac10745da6d1b2be36273173
-
C:\Users\Admin\AppData\Local\Temp\FF66.exeFilesize
165KB
MD55b667060c92c137e45a319c08f200f1d
SHA1e53878d3aeacf164ffc04f3ed026737991566e60
SHA256e96ccf4c04705cdccd577d648c8ccc7be45245b59a417b4813d86f88c96ce3ee
SHA5124c66a58495add3446ac190c84c2b8ed2e95b1bbf4a23c54c449d447389b554503be81eb9827023ec17e08a5edf6c4158c131cc6d6f84d27096178a57ecb610fa
-
C:\Users\Admin\AppData\Local\Temp\FF66.exeFilesize
186KB
MD590c36155f5406c973fd239e89a4e7578
SHA177dfaaf0f7d019107ddc7c1f2131f23156650fa8
SHA25617ab528b780cff8a7105b4b0fdc8c9429497a961b2b006314ac57769b678f87b
SHA512883b2fbf34e866582c9cdbbcba3aa15df0556e4d803fb584cbd4224e906e771f35b969eb8df44c3c73648df21eeb00eaafdbb59e8aecfd8fa4a1f8104af3f543
-
C:\Users\Admin\AppData\Local\Temp\k19o73yy51m_1.exeFilesize
37KB
MD5998c609e0e7f177fa2d5d41b86b63f37
SHA176c7d2080459bb2b76efdfd6b3bf34e9f4d0ebc7
SHA256980d75625a3926676170181476bf0512675662a0a114d88e98ee4b94f53fffb7
SHA51244b94fd4293f4a2fa69786bb2610df64a36c7d07c4432c0a1e27b47af0c51a92e03b24390bd0535c6b3fcaeb83b2dec7aaaf502c0ed7e6f112ac2a47214b582e
-
C:\Users\Admin\AppData\Roaming\guhgsvgFilesize
39KB
MD57ba5d9b1431fe57093ed3faadbcfc853
SHA12b898c5f7fd5c968107b0b35be125f3c76fe4367
SHA25686318ca8256ad39ef59bb7eb91319113eb042d8fa54503d29e631798eaabeec9
SHA512e5ab9511bef22fcb374af074442616f67c2286dd9a5863637084079fbe14e2bce313250ea60e0e1e9df10355ad3eb7a78d0e895e917c9526853e23addcc44bfa
-
\Users\Admin\AppData\Local\Temp\CC4F.tmpFilesize
1.2MB
MD5d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
\Users\Admin\AppData\Local\Temp\k19o73yy51m_1.exeFilesize
122KB
MD5d838df17fe44ddaa1b7677d90811e860
SHA1df38bd54ed6bdc201aadbfd3e41bd80515b1f4ae
SHA256eaa239874e4c77c9af997a5adf20c7a9c17ec7e9f9026b71beb5c333a72e82fb
SHA51240115fad3922175de00e8ac41a86d24057a0749528bcac65a7f153928b0a7d078e5e6f3272356b4491ab6041de1ba03078146352b0664a910fcd7a7432ee93dd
-
memory/1204-63-0x0000000077B31000-0x0000000077B32000-memory.dmpFilesize
4KB
-
memory/1204-7-0x0000000001D90000-0x0000000001DA5000-memory.dmpFilesize
84KB
-
memory/1204-94-0x0000000001D70000-0x0000000001D71000-memory.dmpFilesize
4KB
-
memory/1544-101-0x0000000000090000-0x000000000009B000-memory.dmpFilesize
44KB
-
memory/1544-99-0x0000000000B60000-0x0000000000BC6000-memory.dmpFilesize
408KB
-
memory/1544-102-0x0000000000B60000-0x0000000000BC5000-memory.dmpFilesize
404KB
-
memory/1544-98-0x0000000000B60000-0x0000000000BC6000-memory.dmpFilesize
408KB
-
memory/1680-107-0x0000000077B31000-0x0000000077B32000-memory.dmpFilesize
4KB
-
memory/2436-4-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/2436-8-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/2436-2-0x00000000005F0000-0x00000000006F0000-memory.dmpFilesize
1024KB
-
memory/2436-3-0x0000000000230000-0x0000000000239000-memory.dmpFilesize
36KB
-
memory/2520-68-0x0000000077AE0000-0x0000000077C89000-memory.dmpFilesize
1.7MB
-
memory/2520-62-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-39-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-92-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-40-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-90-0x0000000000090000-0x0000000000154000-memory.dmpFilesize
784KB
-
memory/2520-48-0x0000000000090000-0x0000000000154000-memory.dmpFilesize
784KB
-
memory/2520-47-0x0000000000090000-0x0000000000154000-memory.dmpFilesize
784KB
-
memory/2520-46-0x0000000000360000-0x000000000036C000-memory.dmpFilesize
48KB
-
memory/2520-45-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-42-0x0000000000090000-0x0000000000154000-memory.dmpFilesize
784KB
-
memory/2520-49-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-50-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-51-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-37-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-109-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-35-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-36-0x00000000002A0000-0x00000000002A6000-memory.dmpFilesize
24KB
-
memory/2520-33-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-61-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-32-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-34-0x0000000000090000-0x0000000000154000-memory.dmpFilesize
784KB
-
memory/2520-64-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-66-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-65-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-84-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-67-0x0000000000090000-0x0000000000154000-memory.dmpFilesize
784KB
-
memory/2520-69-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-70-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-72-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-71-0x0000000077CC0000-0x0000000077E41000-memory.dmpFilesize
1.5MB
-
memory/2520-73-0x00000000002A0000-0x00000000002A6000-memory.dmpFilesize
24KB
-
memory/2692-29-0x0000000001EC0000-0x0000000001EC1000-memory.dmpFilesize
4KB
-
memory/2692-30-0x0000000001CC0000-0x0000000001D26000-memory.dmpFilesize
408KB
-
memory/2692-25-0x0000000077CD0000-0x0000000077CD1000-memory.dmpFilesize
4KB
-
memory/2692-27-0x0000000002500000-0x000000000250C000-memory.dmpFilesize
48KB
-
memory/2692-43-0x00000000024F0000-0x00000000024F1000-memory.dmpFilesize
4KB
-
memory/2692-26-0x0000000001CC0000-0x0000000001D26000-memory.dmpFilesize
408KB
-
memory/2692-24-0x0000000000320000-0x000000000032D000-memory.dmpFilesize
52KB
-
memory/2692-23-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2692-22-0x0000000001CC0000-0x0000000001D26000-memory.dmpFilesize
408KB
-
memory/2692-38-0x0000000001CC0000-0x0000000001D26000-memory.dmpFilesize
408KB
-
memory/2692-21-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/2872-86-0x0000000000420000-0x0000000000486000-memory.dmpFilesize
408KB
-
memory/2872-88-0x0000000000360000-0x0000000000366000-memory.dmpFilesize
24KB
-
memory/2872-89-0x0000000001EC0000-0x0000000001ECC000-memory.dmpFilesize
48KB
-
memory/2872-91-0x0000000000420000-0x0000000000486000-memory.dmpFilesize
408KB
-
memory/2872-104-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/2872-106-0x0000000000360000-0x0000000000366000-memory.dmpFilesize
24KB
-
memory/2872-105-0x0000000000420000-0x0000000000486000-memory.dmpFilesize
408KB
-
memory/3056-59-0x0000000000370000-0x0000000000906000-memory.dmpFilesize
5.6MB
-
memory/3056-60-0x0000000000370000-0x0000000000906000-memory.dmpFilesize
5.6MB