Analysis
-
max time kernel
164s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
11-01-2024 01:28
General
-
Target
dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb.exe
-
Size
312KB
-
MD5
3ed9f2c6339d6513940c15d4a58378af
-
SHA1
bd75e9514537bb38e9ba648c92a837e7d8d7b66d
-
SHA256
dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb
-
SHA512
530d1c04fd3acc0a35b54221ae5e25b4ab02fdf656bfda516bab009e94f292cffec83a8480cf95c3bacddc295a845206e6409658c837c3c78f0d1aca5cdf8036
-
SSDEEP
6144:V6xELH+Ym/eqLhvhXfRWK4Pg343g77ji:cxEL+HeqLh2K45QX
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb.exe"C:\Users\Admin\AppData\Local\Temp\dd02b4f83462302b06278dea2591a9d32ab4534743f96b44b24d642e55b721fb.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\4FFB.exeC:\Users\Admin\AppData\Local\Temp\4FFB.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\5AD9.exeC:\Users\Admin\AppData\Local\Temp\5AD9.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1332 -ip 13321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 388 -ip 3881⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
4.5MB
MD5639e6a982e7cc6169af6f4cd87eb15a4
SHA1b12dbc5c7aa198af7ac87ec0e22c3a7ca6ad7705
SHA256c2186dbb1b823d1b18160bdcfa1bae50a5384a6784b709faa297b25cc9d3a9c0
SHA512518935a3b0f27b84f8130ec11657e9ee86dcb3844720f7466ae6f55dd8b5bfdae8bcc92d29217a4cd52809dd85f6a0da1ccab6fa247fe480f262bfa7ee9623ac
-
Filesize
5.6MB
MD5f7c6d870f0de20c40388b493d2b315d2
SHA11b25397776ae0481184f151ec3e608f3b65ac8e6
SHA2564e07a3356bb6ffaa23224884b2ec5d79b6f956acc186475adac89867c0d623d9
SHA5120619a22579ee70745034c547c53180d4319c3dc5db326dfecc275cd3b3025f354a3e6fac093a925611a5e0cca5ff9dbcfbfe246d376bb173829f332b670f5655
-
Filesize
2.2MB
MD50badb0e573d95db49ac23c11163d9386
SHA1d86dd20e4498ba5576272df07cd71dd9ed40bf8d
SHA2565ebb608342d1306743d1ab56bb587b00d7e14737f5af48be3fa738a98cf29668
SHA512a83d397fdcf2b749aac8f1db38a991b06a70c58d21c84d09cd8a732ee744287e7d7d58edeb817006b6ee245ed313993a3280aea32fd4c5a079b4f960ab35eff8
-
Filesize
2.2MB
MD5bc94fe5f3a7d234dceefa5a25c109358
SHA1eefd19123cb554bd975d9848eff08f195c7794bb
SHA256fdbd693e2a9eab791967e78eef8e1a3423c63b570d6fc8ccd9367be931c779c4
SHA512650632899edc1bce009244cf228500c26df33c2036f774f60529c10bf7b277a49d3e635846097cf2d821a54e066a07f5f6ef2be055e1054e8c4a1a938fad9c69
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
8KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
52KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
5.6MB
-
Filesize
784KB
-
Filesize
5.6MB
-
Filesize
784KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
7.1MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
4.4MB
-
Filesize
36KB