betabot | c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2

Windows Service

T1543.003

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

536A.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\5oew551o3.exe	536A.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\5oew551o3.exe\DisableExceptionChainValidation	536A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "bark.exe"	explorer.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

5CC2.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation 5CC2.exe
Deletes itself 1 IoCs

Processes:

pid process

3552
Executes dropped EXE 3 IoCs

Processes:

536A.exe5CC2.exeWindowsUpdater.exe

pid process

3840 536A.exe
2188 5CC2.exe
4228 WindowsUpdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	5CC2.exe

pid	process
3552

pid	process
3840	536A.exe
2188	5CC2.exe
4228	WindowsUpdater.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\5oew551o3.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\5oew551o3.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

536A.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 536A.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

536A.exeexplorer.exe

pid process

3840 536A.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
4668 explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3096 4668 WerFault.exe explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	536A.exe

pid	process
3840	536A.exe
4668	explorer.exe
4668	explorer.exe
4668	explorer.exe
4668	explorer.exe
4668	explorer.exe
4668	explorer.exe
4668	explorer.exe

pid	pid_target	process	target process
3096	4668	WerFault.exe	explorer.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5CC2.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\5CC2.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

Processes:

explorer.exe536A.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	536A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	536A.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2.exe

pid	process
4612	c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2.exe
4612	c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2.exe
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2.exe536A.exe

pid process

4612 c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2.exe
3840 536A.exe
3840 536A.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

536A.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3840	536A.exe
Token: SeRestorePrivilege	3840	536A.exe
Token: SeBackupPrivilege	3840	536A.exe
Token: SeLoadDriverPrivilege	3840	536A.exe
Token: SeCreatePagefilePrivilege	3840	536A.exe
Token: SeShutdownPrivilege	3840	536A.exe
Token: SeTakeOwnershipPrivilege	3840	536A.exe
Token: SeChangeNotifyPrivilege	3840	536A.exe
Token: SeCreateTokenPrivilege	3840	536A.exe
Token: SeMachineAccountPrivilege	3840	536A.exe
Token: SeSecurityPrivilege	3840	536A.exe
Token: SeAssignPrimaryTokenPrivilege	3840	536A.exe
Token: SeCreateGlobalPrivilege	3840	536A.exe
Token: 33	3840	536A.exe
Token: SeDebugPrivilege	4668	explorer.exe
Token: SeRestorePrivilege	4668	explorer.exe
Token: SeBackupPrivilege	4668	explorer.exe
Token: SeLoadDriverPrivilege	4668	explorer.exe
Token: SeCreatePagefilePrivilege	4668	explorer.exe
Token: SeShutdownPrivilege	4668	explorer.exe
Token: SeTakeOwnershipPrivilege	4668	explorer.exe
Token: SeChangeNotifyPrivilege	4668	explorer.exe
Token: SeCreateTokenPrivilege	4668	explorer.exe
Token: SeMachineAccountPrivilege	4668	explorer.exe
Token: SeSecurityPrivilege	4668	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	4668	explorer.exe
Token: SeCreateGlobalPrivilege	4668	explorer.exe
Token: 33	4668	explorer.exe
Token: SeShutdownPrivilege	3552
Token: SeCreatePagefilePrivilege	3552

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3552

pid	process
3552

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

536A.exe5CC2.exe

description	pid	process	target process
PID 3552 wrote to memory of 3840	3552		536A.exe
PID 3552 wrote to memory of 3840	3552		536A.exe
PID 3552 wrote to memory of 3840	3552		536A.exe
PID 3552 wrote to memory of 2188	3552		5CC2.exe
PID 3552 wrote to memory of 2188	3552		5CC2.exe
PID 3552 wrote to memory of 2188	3552		5CC2.exe
PID 3840 wrote to memory of 4668	3840	536A.exe	explorer.exe
PID 3840 wrote to memory of 4668	3840	536A.exe	explorer.exe
PID 3840 wrote to memory of 4668	3840	536A.exe	explorer.exe
PID 2188 wrote to memory of 4228	2188	5CC2.exe	WindowsUpdater.exe
PID 2188 wrote to memory of 4228	2188	5CC2.exe	WindowsUpdater.exe
PID 2188 wrote to memory of 4228	2188	5CC2.exe	WindowsUpdater.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2.exe
"C:\Users\Admin\AppData\Local\Temp\c229e14c4c20bdca6fefaaa7fb60e0cb50c75548717fd4494a2745a735c580b2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4612

C:\Users\Admin\AppData\Local\Temp\536A.exe
C:\Users\Admin\AppData\Local\Temp\536A.exe
1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Modifies firewall policy service
  - Sets file execution options in registry
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1060
    3⤵
    - Program crash
    PID:3096

C:\Users\Admin\AppData\Local\Temp\5CC2.exe
C:\Users\Admin\AppData\Local\Temp\5CC2.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
  2⤵
  - Executes dropped EXE
  PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4668 -ip 4668
1⤵
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

6

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

7