Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
09-01-2024 03:24
General
-
Target
0faa7c27d8cedbb19af0586a236ce4eca6b151509e526bedcc970606e391ce74.exe
-
Size
311KB
-
MD5
cf5a70c2f7978229efebcca70f6d2053
-
SHA1
b2eb3eb28b89c31ccd4f4c89edaa1ed6d5a233a4
-
SHA256
0faa7c27d8cedbb19af0586a236ce4eca6b151509e526bedcc970606e391ce74
-
SHA512
7f16690701912b9d043113783827dfbfd2b89fee0b74e4a0bc38ee73535bd7a4bc23014eee1632196926109d4b5e37cb076df975149b422df7719db0af8f000b
-
SSDEEP
3072:eQLtli/LX0eRJibugK7Onq8zVvV6nnOh7wZPO6VmRZcJfTK7KVDrc+B5f239+9Uz:eQLtwk47Oqq36nnwZKfTgYn79oUq
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0faa7c27d8cedbb19af0586a236ce4eca6b151509e526bedcc970606e391ce74.exe"C:\Users\Admin\AppData\Local\Temp\0faa7c27d8cedbb19af0586a236ce4eca6b151509e526bedcc970606e391ce74.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\22B6.exeC:\Users\Admin\AppData\Local\Temp\22B6.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 10723⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\2AE4.exeC:\Users\Admin\AppData\Local\Temp\2AE4.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1492 -ip 14921⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
249KB
MD581e3cfa543ced860c93b81bda6c20fda
SHA12ef8a37cf38942555056afd7cc17e1b1cacadae0
SHA256172afb2000997f95458e939df1cdb3cd8828bc6e4e0e47a076a7784104bbae9f
SHA512c00184eb5bfa2f15e1be06e9e1fc8ed34eb3ae0a9b1db01e3165b92ff4e2cf7f44234d88da08ff2d0aa3edea83cfae519a3c2734f2839e9543ad2c70a99b7e3f
-
Filesize
262KB
MD56ab0535829c80dd920b0c0d1c930c800
SHA17756577ddb433c33288c02b6d515d481fb2cd214
SHA25661e14cdbff48bd437c58af8490d92330e528f6311226fba86edd372924f57731
SHA512ac0509ec0d34874181e3e242bb8a88f2bbc017732b535fb453abb5273fb826fe1d2492622ce3c5b7d2e34245c9380c808cab93d0971a3e6f49d5cf64cfc0a670
-
Filesize
71KB
MD54f92275a01230ad2c0eb8d8ebbcde49a
SHA15f3e5f54a2b5ad319d1919810bd4ddbe85242b4a
SHA25693600fb887e06c805d0929bb89d9e7232ca6ea49083c0edb66a0287012dfd4e1
SHA5121b29293743cb64e2beaeab936c627e12827a3ec21162e712f2096aefaea03a40692f3b89a89882bbd9406ffbdd23a858f00ed033c8a6de503230d6c2903fd5d6
-
Filesize
687KB
MD53385eed7febb74ec97c0c3787c03263f
SHA15c9ff7e98d3f067cd415fefbc35382b2bce451d4
SHA256998e25662f5acc1618aa408187d0f5645394a2d589b3db3dd60eb1fcbc67c367
SHA512158eeb3f0c51839630d38a5ce4a21d91e8e470721c14918fac75ac3d6728637b2f9c69de903750c9e61461f08129769244452040db36928056bd52c2b32fa3ce
-
Filesize
723KB
MD5d95a1dc03b19fe7f44d1cfeec89dbd49
SHA1e3e471d4b7e803796228fa6e681a21ae522da152
SHA256d3434d78dc2610dd914bd60436773367c72c8fe749fbaeed1abc0b9ed80001e4
SHA5129ed910219b6b30675e2e91a336c283dd8795e56af0966b1d3177c5a239c03e5dc2a6696958288c1432deecb13887f4f8c157ccda4179fd0e1d237be74be25215
-
Filesize
849KB
MD548861882e8a6b9e8e9d4dafaae4398fd
SHA11a9f8e9b753671b368ea17a7b7d4ea83d9d8cfe7
SHA256359d52b12245b80946c6addcbca4dc1c4e71e2bdea603f689710d2130de1fa57
SHA512741cfc94592cd785ee425a47a0252cf93189231e1dddcaf461edeb1a928711a7e3993a820e822954cb06ff763dddfa72cab490ddbee193362a259759ef5727da
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
8KB
-
Filesize
784KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
336KB
-
Filesize
336KB