Analysis
-
max time kernel
158s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
05/01/2024, 18:28
General
-
Target
toolspub2.exe
-
Size
178KB
-
MD5
05d2cf367964e2a1f8c83a9df167e836
-
SHA1
d12c5cc51b1ee41815c5af5f279a620ba84ac407
-
SHA256
0f73dc9673062de7bb486da601791e67e78e9aaae6a1dc5fabbdf5abe5fcc058
-
SHA512
c3b9b57609b8c499c0eeadad5ac00f7e329dd064650d1f7762c1cc0d56be961ea9db178624a847cf71b7bfa52e275595514a6288ace7f557c56e42d37e72118d
-
SSDEEP
3072:R4qdWTLGklFGCBTk6MuMJo9aMkwtDJsT3i6IaGWK3MkCRMk5Ds:R4qATL5nGIk6zGo9aMFfsDSaGD8k4
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 14 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\4E20.exeC:\Users\Admin\AppData\Local\Temp\4E20.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1w3ksa7q93ua_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\1W3KSA~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5800.exeC:\Users\Admin\AppData\Local\Temp\5800.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {B64A7EED-BF16-4A1D-A7ED-7AEA80404F40} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
143KB
MD5123ea1eb447e0b48d5c494360bb09367
SHA16b6a994bf5a847cb8e099bbba4e2f0d76f8e8e1b
SHA256d19d9f23449dc7c7ba20e749e0dca2ef72c3c8ecc05dba4a41f20c7790bad131
SHA5122457c308f5105b22a1ae3509b9e8155ea5a7af8a6a6539b6f7684e09ab042c3d195462aa9526dc0552c4c7509c3c7d53ef06fa9ac5879bea41d9ced3bee8f184
-
Filesize
107KB
MD5ce2f2e9a73d9bc751e3bb326a334fde5
SHA177da5eca0d5d14f403abe172fc06105dc9034ee6
SHA2567618625a361ad71d1c13b9d0a6c2e0045582ad58717ac4ca05e5f74340885544
SHA512c0049dd0dd89b944c05d9a38d69666e238c17a188296237447104f9048febeadccad1730bdb6295a54c5303e10c7874908d1092ed7f0d1a867b3ae41d742fdef
-
Filesize
106KB
MD5bd381650c00f55d8125a2daae1a921a1
SHA1524eef762d8ec3b7e85e3cbd2db24026e2a0c414
SHA2568d69cb75c74a2f98ebcf824ac8711268178c1cac4f1d9798557fff28e08b1542
SHA512cfebd4e818e64571d6c4c05fce5bb6cdf16b2bef43ea06f2eb9a694d41e30025e380d7367fb97636cb832b3bf729af2d1687faa1809438b758276daba97b5d6e
-
Filesize
13KB
MD529d181725bb32ed3240e68e97c41641a
SHA1c8ceda9f28b69d61387df4881972bc174497a5e0
SHA25691c8dae4e751f73f6a6d7479b8112d19ff7113ecca05e674f4732fa675769f7c
SHA51266c9a9d1e8aa6b599f84169ff993c046238cd003c17eab725ea667add8e7c9461fb401e4f907300488b2e71a4bbda99420545e2ddb65c3f310f24e7162b995cd
-
Filesize
7KB
MD5714258a9ae740694980994a9c23a36d2
SHA1e5f5c0390c00c250e2dc2a0c95e6b85c3220b034
SHA25670e0f1ee3c3619f642ad524f7076a34877ccc81810a20a80017861a8ef5dc7a6
SHA5120e8fa7f0eb69808dd7fc05650d914c786361ae7f55d963756670c7ac830e560416df427b4c92f5d232ecc5fcf6c50d93b5b33ed2cf454a0cd81619ada18c25f3
-
Filesize
95KB
MD59405bb1e9705e617661415c1a0df79ab
SHA1f12ba8ccc636a3726d8a58bba8eca0aa29f571ac
SHA2569be846c2d3f6e32f4c11f4ce1e4f8b8336e57fe9cb6118119be3d50fb919e115
SHA512bd381808626bbd395a59cea317d5ddb3140e96bcb8a4507374c63ab6c5d9d637b0017dcdd0962f018797a804dd7991a161ba29a8810bdd8f4c60e65195082a0a
-
Filesize
49KB
MD57e5104e669d3cf0a9f8be98e9fc8cf95
SHA1e0e15f4f7789b8379deaa71b27354c1b38b39ab7
SHA256fddba512d9386dd77c758442d5b496807c685a5ee147246920b438af1d6dc0e6
SHA51262ec7a49083471c5da54e1d9379f35fb14ce01099d2aea14b6b5baa484a6b06c8590a176d66c052b98a1a4ecae2ea27f21ad9bcf5dcbf951a6c0a73c39045c2d
-
Filesize
25KB
MD537ff6a759efbc5b59050cdce13945ba9
SHA17a33b7b401618809aa04eb8ef0288edeab40e9a6
SHA2568ec80cd86a7fda1fc8446e7d7bbcad073cfa1baa07fe5d4a2c4b55a906934c2c
SHA5129521e63e2c1041bd1e00f95e9537728bd25a6e787f4b15e4ff90ebffdd7bc96134a46a7b5ff23031a4869093de5fb9a94ef93466e60a9814b9ca2e3519b53d91
-
Filesize
85KB
MD5a015c6866efbeb787f9620b39c9e1e01
SHA10687d985b158694e37212b2db576b6966cee21d3
SHA256f6ec503ba41efc1c3f8af417de0363e9b952875c53057c52db202b3bc4f8aeb9
SHA5121a5632d66ccbccee7fa9fa5cd005fb84883a995db9e44ee7e13230bbda5894ae4ec501a1f080be434c73ee45083de4769f74ed19196cdfd3f2f7563b137db564
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
48KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
408KB
-
Filesize
404KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
1024KB
-
Filesize
36KB