Overview

overview

10

Static

static

3

8f951988ac...a0.exe

windows7-x64

10

8f951988ac...a0.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    50s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2024 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f951988acb3a0d53fe2d66cfd60b7a0.exe

  • Size

    205KB

  • MD5

    8f951988acb3a0d53fe2d66cfd60b7a0

  • SHA1

    9c39e8de9925b1102c39cbaabd01839c7e0c2e3e

  • SHA256

    9024a473b6244e9aef3f65da784300194ff67434a204b445e5099ea80c19f949

  • SHA512

    8bc796f9f523d20d2fc10d36ba8fa60bf0e412733b75ee0bfcc82716f3d6fbe86b0af614f885d5f294694ebd60f1e74040b7ad044357896a5611821b69ce30e8

  • SSDEEP

    3072:EdrEskahJisaAN0yunrtMxxFF3m7SfdBm2HQWRlMuqBL2A:kEskaFVunrqvldBcz+

Score
10/10
betabotsmokeloaderpub1backdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Sets file execution options in registry 2 TTPs 2 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • NSIS installer 3 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f951988acb3a0d53fe2d66cfd60b7a0.exe
    "C:\Users\Admin\AppData\Local\Temp\8f951988acb3a0d53fe2d66cfd60b7a0.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2516
  • C:\Users\Admin\AppData\Local\Temp\278D.exe
    C:\Users\Admin\AppData\Local\Temp\278D.exe
    1⤵
    • Sets file execution options in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      2⤵
      • Modifies firewall policy service
      • Checks BIOS information in registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:808
      • C:\Users\Admin\AppData\Local\Temp\cg9c7aiwacgm_1.exe
        /suac
        3⤵
          PID:1672
          • C:\Windows\SysWOW64\regedit.exe
            "C:\Windows\SysWOW64\regedit.exe"
            4⤵
            • Runs regedit.exe
            PID:1784
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\CG9C7A~1.EXE" /RL HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:2448
    • C:\Users\Admin\AppData\Local\Temp\316D.exe
      C:\Users\Admin\AppData\Local\Temp\316D.exe
      1⤵
        PID:564

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\278D.exe
        Filesize

        179KB

        MD5

        c2ccf44b52b480fede775df69e83c1b1

        SHA1

        46525d2a039e7d8474a7bf818234a40cef5be9ae

        SHA256

        94e98e960b54c09dcb47622d192a357d481d9fc0b7ca09f3fe4fa5b5894f9b92

        SHA512

        7823da0b87d2a30ba2bc77329159d56dbc0352253dd7b0588ca760446716ddf939d11289ca7b5e87f903fe377d16d326d0ac0dab9e36d6ec93298ddda9890c81

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\278D.exe
        Filesize

        68KB

        MD5

        8dbd3884efe520b0fecc7c17558f5a65

        SHA1

        21ae92e1c72e6ffe33bbae3257b8afd6ee3c71fd

        SHA256

        6fb9ecbea6336b033ddd4a18bddeba9ed938d10c6339fc5da1fec899cacd3f0c

        SHA512

        4ead0c563601748a1aad97792c489efedaf13ef66a5bd942b8d5570a013f9dedffc5a95e8deddf4abf5951df65b44575a98b68fa4960b7cee95dd0d2ef77b5f2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\278D.exe
        Filesize

        22KB

        MD5

        76733ef789a850cee88f5074ccf83a8b

        SHA1

        2b9430e550bd50dbca85c98c00c125fb205a363c

        SHA256

        9075cdf404b13d7188b156089cdebd086acb4c707aeec181c2a84e5ed7832806

        SHA512

        e63aedc0c85c0b9738701c4d03cb22eea9dcda77a660a55ad623bc0e37798d6e2191c0f7f17207448577f6e1d844722cd93ceb85fd675b598442ff772db429c3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\316D.exe
        Filesize

        11KB

        MD5

        4bcda3e31892b25e7bdfed6ad39eb472

        SHA1

        91db4d60fa5c6bfb4b799246fa86f27c33b1fe7f

        SHA256

        04fdb7f2092ea0f95550600f2e9b9f8184966b421934bec8c7a9ca3ae9bc3a67

        SHA512

        605d4bd3f64d10678693beafb231154e3f29c480d4a726c644ea25913bef08e8d8a2d2262a76d2fa1eceb5ea50b5386a6c3103d4ecbbfa21e6758175c8d9e65f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\316D.exe
        Filesize

        1KB

        MD5

        350e4003ef18942c96d982621a05286d

        SHA1

        77e3608787ea00b65656622a170722a3c1506977

        SHA256

        27f7c2bdb5136c46b8430b1af9b11a2ff0d936a7266ee845199e9ee27e572dbc

        SHA512

        60f9259ee5eb2487e6af46707c31ad4282927518211ee4fcd11e1ce9fb44c7731b1864f9079722f4302fd557a8eb8c7cf171618d095c29daf18c3ba31cf9d8a5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\316D.exe
        Filesize

        39KB

        MD5

        53cc2a22f13f76e2c78c2fd1c906a8dc

        SHA1

        c4386f4d4946d1bcd0bb002c7dd0e4844270f7b7

        SHA256

        ad47c2dbfe18c43a13040f4da307ea4e875932272817eee2ec99900512d88cd3

        SHA512

        39ca37ea4848b167dfdf1da3ba410f3a5ffa6dc006869fba208733e8d257c0185aeae7f0f3abb24e0dc0bafd8033b55e9cc87904ab0a9780ede3551a934a72fd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\cg9c7aiwacgm_1.exe
        Filesize

        217KB

        MD5

        caa61738609b146871250d5f0525fd51

        SHA1

        343ea2b9a1554fb78f33bf96ca55a7dccfbe77eb

        SHA256

        75cf71de92b41e645997ab81233facd9f35aaa4806a79197303d11d0674d65ae

        SHA512

        116081ffc02b2cce9083911dde52b869677a3dc101044875211b8abc20afc54133aab0ff5190efb33de283948070a5c15ca230b5aaa5bd1818409785705f572d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\hsbdrij
        Filesize

        31KB

        MD5

        148bee26191122d0ccd8a12f5b34c29e

        SHA1

        2289b837f2c39faadc6d7fff210a89c3cd5efd2b

        SHA256

        a4fe872df5759576b05acebce8a5d8ddcff5ec65213779b257fa83faf2b0ac3a

        SHA512

        b6d1eb1f787087a976921a7157cf22ba5851f0a78f5e9045c43a46a5a90f3306ce518ec6eae36bf172738f65a473141738eb8f91547d7342ed80e2e93ecf2737

        Download Submit

      • \Users\Admin\AppData\Local\Temp\cg9c7aiwacgm_1.exe
        Filesize

        92KB

        MD5

        466b29d280dcdffa55451031921958ce

        SHA1

        7d80acc9ed98fe8a699520ac1678889dc9710b1b

        SHA256

        5da619cd850f359b0da2c53a53fea1e81f78051234d6840fcb1e8d6eb11c1588

        SHA512

        a5028ea5a9612dea45671087e10d5666b7a142902676ffd9cc5142e9a8fdf4ec8af82279963dbcd9c15319beb6e21051fe1de3192eb5a1090881b2de65ca4798

        Download Submit

      • memory/564-73-0x0000000000D00000-0x0000000001296000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/564-53-0x0000000000D00000-0x0000000001296000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/808-58-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-65-0x00000000000E0000-0x00000000000E6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/808-114-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-113-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-108-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-93-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-84-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-30-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-31-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-32-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-75-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-37-0x00000000000E0000-0x00000000000E6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/808-38-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-39-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-44-0x0000000000210000-0x00000000002D4000-memory.dmp

        Filesize

        784KB

        Download

      • memory/808-43-0x00000000003A0000-0x00000000003AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/808-41-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-40-0x0000000000210000-0x00000000002D4000-memory.dmp

        Filesize

        784KB

        Download

      • memory/808-34-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-33-0x0000000000210000-0x00000000002D4000-memory.dmp

        Filesize

        784KB

        Download

      • memory/808-71-0x0000000000210000-0x00000000002D4000-memory.dmp

        Filesize

        784KB

        Download

      • memory/808-51-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-54-0x0000000000310000-0x0000000000311000-memory.dmp

        Filesize

        4KB

        Download

      • memory/808-55-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-70-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-66-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-69-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-56-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-57-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-68-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-67-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-60-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-61-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-62-0x0000000077880000-0x0000000077A01000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/808-63-0x00000000776A0000-0x0000000077849000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/808-64-0x0000000000210000-0x00000000002D4000-memory.dmp

        Filesize

        784KB

        Download

      • memory/816-74-0x00000000776F1000-0x00000000776F2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1196-72-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1196-102-0x0000000002250000-0x0000000002251000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1196-59-0x00000000776F1000-0x00000000776F2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1196-4-0x0000000002B10000-0x0000000002B26000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1672-98-0x0000000000520000-0x0000000000586000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1672-95-0x0000000000010000-0x000000000006D000-memory.dmp

        Filesize

        372KB

        Download

      • memory/1672-99-0x00000000002A0000-0x00000000002A6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1672-91-0x0000000002510000-0x000000000251C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1672-92-0x0000000000520000-0x0000000000586000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1672-89-0x00000000002A0000-0x00000000002A6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1672-88-0x0000000000520000-0x0000000000586000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1672-87-0x0000000000520000-0x0000000000586000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1784-112-0x00000000000D0000-0x00000000000DB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1784-103-0x00000000000D0000-0x00000000000DB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1784-104-0x0000000000170000-0x00000000001D5000-memory.dmp

        Filesize

        404KB

        Download

      • memory/1784-100-0x0000000000170000-0x00000000001D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1784-97-0x0000000000170000-0x00000000001D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2516-3-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/2516-1-0x0000000000520000-0x0000000000620000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2516-2-0x0000000000220000-0x0000000000229000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2516-8-0x0000000000220000-0x0000000000229000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2516-5-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/2632-36-0x00000000003F0000-0x0000000000456000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2632-27-0x00000000003F0000-0x0000000000456000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2632-24-0x00000000003F0000-0x0000000000456000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2632-19-0x0000000000010000-0x000000000006D000-memory.dmp

        Filesize

        372KB

        Download

      • memory/2632-20-0x00000000003F0000-0x0000000000456000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2632-28-0x0000000001EB0000-0x0000000001EBC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2632-26-0x0000000000520000-0x0000000000521000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2632-22-0x0000000000360000-0x000000000036D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2632-21-0x0000000000350000-0x0000000000351000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2632-23-0x0000000077890000-0x0000000077891000-memory.dmp

        Filesize

        4KB

        Download