Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
24-12-2023 17:14
General
-
Target
07ceef005d2626297437e3289872bf40.exe
-
Size
326KB
-
MD5
07ceef005d2626297437e3289872bf40
-
SHA1
d1735d9e00c820525c6005b2e339a4ac0882efa9
-
SHA256
4d850649831a4cad6dd9d2a6b67fbacc70933c15dd4bd56ff6ffdb27da7aa4a8
-
SHA512
d4979eb0452c285997fd55fa9873e98f6281f442900e1238ce5a5d9c00b11f26ba1de7a484de50de391f5a7492969f685868e46d4660a23b44602dcdfb44610a
-
SSDEEP
6144:7ZqLyrRhjz2YKt3MdauLJb3mZ6JJhrr5Ktxxs23:AYRhjKvt3Mda0b2QTVFos2
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\07ceef005d2626297437e3289872bf40.exe"C:\Users\Admin\AppData\Local\Temp\07ceef005d2626297437e3289872bf40.exe"1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\DE4A.exeC:\Users\Admin\AppData\Local\Temp\DE4A.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 11083⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\E5FC.exeC:\Users\Admin\AppData\Local\Temp\E5FC.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2992 -ip 29921⤵
-
C:\Users\Admin\AppData\Roaming\dbjcuwsC:\Users\Admin\AppData\Roaming\dbjcuws1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpFilesize
979KB
MD57ce94d8d5d986ec09ae8ee4a6c08f6e9
SHA137703ada3e21a10deb7baea6627a0665224a6652
SHA256d0aa6f31318764a205ee70568372cc8d9dcf151c2899526304671db9b9c6a4a2
SHA51208699e73beac2da8701106147cf05cf27020ca919c0de662eb27e43495f78ed72e147baed5e5df1524db11826f2e7e0468f2ad5fb99d533ef47c13adc7b5bc5e
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpFilesize
81KB
MD52fd4e86e10d6ec6f885f64dbc2030e35
SHA1c61a22bf112b0b35df5602dd59fac05c09476ec9
SHA256f3f8d41f28849a4d203dd127b6d55b76bdb2cfcf72e3f260d9b14b67d5979c93
SHA512986487b8c184f85b628a1ac7af840a8910c32cd548266759ab3136d979b8c7723888cf1f597d149b6eb4a3fdf2fbf0c39a02916a52fc530d515d56ee9dcb2e01
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpFilesize
37KB
MD5e6a34ea92fe5986d6903840e2509c409
SHA1c83573ea58dd2475ccead1b4e3040b1392f75ca4
SHA2562e4a255ca60a577b4710e0ca1263ee0dfffd9e9b9735a67fbc425c1e305c802c
SHA512acd2de18286e2a6afc76e6a4d6c25e8f8962cc55d4c558e4d4ef7054cd9baadc0f0c621cb478c5656c63920275a808581aadf1c8ac522d3ec78993621ddd8f6f
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpFilesize
68KB
MD517451462068bc3530fb11d42d7c1987b
SHA1531e3db1ba289b9ada7dd82031e1326cba68920f
SHA2560edb2196e07d8bf3c1cc5950f0e5c0f2994b36f5c378d3208d3dcd5897c3c1b6
SHA512aeb9672ad027408fe454e1ac7e83cbaea83425926460e8cf2dab1fe5e1525ca75fc5b0abb8aef7b0d24081eb87cd8ea1eae4950bf6d9a478d7b89e85a06202b8
-
C:\Users\Admin\AppData\Local\Temp\DE4A.exeFilesize
360KB
MD5ce234dc403a41edbc5d5f2e262ebcec5
SHA15a7e8fc06dca1c6b6bb8d433235c194ce19370f6
SHA25617949b1eec606cb3a82d5a57057f560b3ad0584bcb172ed20bf2ce0a209dacc2
SHA51203ec1a9fd44e1e9f57b6a591137a8e7669c5bd2c43eb5e59e7d3fa3f94dcbda890fe79f123d0ad19dc56e29b588886909a557e36725036b30f6b9d18eeb5269b
-
C:\Users\Admin\AppData\Local\Temp\E5FC.exeFilesize
57KB
MD59a286b2f7e671f95db8d3047e2cf4568
SHA16b1e821d820c876c3ca90df1f6c7855265ad1827
SHA25643de2a9d62a722789ba7a6e6d92b5fc7c1e0b981373343a7299a32f29bcde11a
SHA512a7201fc7b679e8672f1aaf4da359543921a847aed984d8756e2591cc9ccd712c86cef420c01de155a4e7aa3033737a7ede670eabd92bb2c91d7877c1c1e8e9de
-
C:\Users\Admin\AppData\Local\Temp\E5FC.exeFilesize
116KB
MD5393929e146e3f92bb3d4504f46578372
SHA149692f7eb5402d5c2e2aaf851139b67c789701d1
SHA2564a5a63fc9b7b6f31e4da7943974ac08e4986e2cdd01e21de09a49b34aa6f20bf
SHA512158c15362998dc33f9df984903e2d9a64ae7acfb29af1328f24403755f6097c07ff60ade6fb8d1d077ae1b5cb13dd5944e02a872e75493dbac459eb4110eb9eb
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exeFilesize
14KB
MD54aa5fe5dc4d28637a24c20fafe8e3684
SHA14179f313c499fc9c830379967944c875e12c7271
SHA256f8d3ec323ab93e8abc73f03cc41172df4de20d58995261c143f1eaa65109ea53
SHA5120c79fc9986a57496e6dca4eb47599f68cb2300326088b7ef5fa5cc688ebc5502855282db3ffcb16e80537d9643ed73d9102d366018b459c6842f5bed7feecea9
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exeFilesize
197KB
MD539a5be1b166742a4e06aaecb5d0ede96
SHA1d23e01ede793518ef3eb4af1330fbbcb9ba09246
SHA256e882538b389269ea88c714814f361393112b874cf54150884a2d4ccfb0d9b8c9
SHA512913abcaf1377a55934ca024501d0a995db04cd9dbe13f53bfba5cfcd842d99f0faf4c8d8cf2960631d421e92b2424cf19b8c83acfb67dac88c402af0742ff798
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exeFilesize
149KB
MD5a322724939e35d012d9ae873891dc9fb
SHA1e55530d01101a684d72e08f3e7f7672cbc32f17f
SHA2569202d4918f0e654470bc80224aade7bd0beeadf65e6a96081733d8b6d125b73a
SHA5125d6a2c033a113d9aab026255aae86900223a32bcbf4ce8284576b6e9bfe3c9f39ffe34aaf53b0bcd5dc50068e2dede34efa2793c27f22c38fc0b49e3abe8090f
-
C:\Users\Admin\AppData\Local\Temp\lib.dllFilesize
146KB
MD533859df418b57322fb50c2c961f56434
SHA1831233b95d81a411794423b0f119b71e791a8641
SHA25640a23c12f472379462a8b5d0572b39b85171747a09093e297925a8eb931fc69a
SHA5123c02632f4057d93cb292e47218c08896c6092f633fc65d3cdf835819994d789b3680e89aa2b0e2d9644cdca5ebaadd30c029e12ecfbfd0f6b5d4a893b24e51e4
-
C:\Users\Admin\AppData\Local\Temp\nsjEA22.tmp\System.dllFilesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
C:\Users\Admin\AppData\Roaming\dbjcuwsFilesize
29KB
MD5bb9eefcbfbb7661734efc6ab9012db6d
SHA1e53efedc99f31c0309118220b0001e98614d09fc
SHA256f1ac913f76369cd2286e17ea7c891adb75d08b749ab0e0566c003d7f2d3e252a
SHA5122e3ec9ccfc4cd651c3b8764d87a7ec461013b8be02a62cca689e52ef20c6c66f905d74cf783e3a2bca5cec9315a24d37e275b244bc69162e6e64cc4ee77cfc26
-
C:\Users\Admin\AppData\Roaming\dbjcuwsFilesize
54KB
MD52d0503eb2ba9660f681c828375fb70d9
SHA11682ce5260ffac4b3da3428654499749a051d420
SHA2564a4caceccfb2e1ac72a92c4fdf21d133ebb7c2f6383d82129d46ca4446d55115
SHA51276463d6ddfea6cd5590cbb08ee31e3eebecd4c8e67561c36f16aa6b59514fdef3dcb4ceeff54bebc6a090774fd0219cc05e8d61e6ba5c89043c342f74d110ae7
-
memory/464-24-0x0000000002290000-0x00000000022F6000-memory.dmpFilesize
408KB
-
memory/464-28-0x0000000002290000-0x00000000022F6000-memory.dmpFilesize
408KB
-
memory/464-27-0x0000000002800000-0x0000000002801000-memory.dmpFilesize
4KB
-
memory/464-25-0x0000000002830000-0x000000000283C000-memory.dmpFilesize
48KB
-
memory/464-23-0x0000000077404000-0x0000000077405000-memory.dmpFilesize
4KB
-
memory/464-58-0x0000000002290000-0x00000000022F6000-memory.dmpFilesize
408KB
-
memory/464-56-0x0000000002820000-0x0000000002821000-memory.dmpFilesize
4KB
-
memory/464-22-0x0000000002640000-0x000000000264D000-memory.dmpFilesize
52KB
-
memory/464-21-0x0000000002290000-0x00000000022F6000-memory.dmpFilesize
408KB
-
memory/464-19-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/564-48-0x0000000000400000-0x0000000000996000-memory.dmpFilesize
5.6MB
-
memory/564-34-0x0000000000400000-0x0000000000996000-memory.dmpFilesize
5.6MB
-
memory/1564-82-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/1564-74-0x00000000007A0000-0x00000000008A0000-memory.dmpFilesize
1024KB
-
memory/1564-75-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/2992-47-0x0000000000D20000-0x0000000000DE4000-memory.dmpFilesize
784KB
-
memory/2992-37-0x00000000007E0000-0x0000000000C14000-memory.dmpFilesize
4.2MB
-
memory/2992-43-0x0000000000D20000-0x0000000000DE4000-memory.dmpFilesize
784KB
-
memory/2992-42-0x0000000000D20000-0x0000000000DE4000-memory.dmpFilesize
784KB
-
memory/2992-64-0x0000000003240000-0x0000000003242000-memory.dmpFilesize
8KB
-
memory/2992-67-0x0000000000D20000-0x0000000000DE4000-memory.dmpFilesize
784KB
-
memory/2992-66-0x00000000007E0000-0x0000000000C13000-memory.dmpFilesize
4.2MB
-
memory/2992-35-0x00000000007E0000-0x0000000000C14000-memory.dmpFilesize
4.2MB
-
memory/3412-8-0x0000000001560000-0x0000000001575000-memory.dmpFilesize
84KB
-
memory/3412-79-0x0000000002E70000-0x0000000002E85000-memory.dmpFilesize
84KB
-
memory/3424-70-0x0000000072BF0000-0x0000000073307000-memory.dmpFilesize
7.1MB
-
memory/3424-63-0x0000000072BF0000-0x0000000073307000-memory.dmpFilesize
7.1MB
-
memory/4792-1-0x0000000000610000-0x0000000000710000-memory.dmpFilesize
1024KB
-
memory/4792-12-0x00000000021B0000-0x00000000021B9000-memory.dmpFilesize
36KB
-
memory/4792-10-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4792-3-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4792-2-0x00000000021B0000-0x00000000021B9000-memory.dmpFilesize
36KB