Analysis
-
max time kernel
152s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
12-01-2024 23:11
General
-
Target
2e08721f791305935eb167081cc4dc13b58297d3810ef998026c7a0a59f00f40.exe
-
Size
301KB
-
MD5
f127ade2e89118628ebbbd9ec1cdc39d
-
SHA1
6b809f9841021a85db849335cb5dade1e6803b9b
-
SHA256
2e08721f791305935eb167081cc4dc13b58297d3810ef998026c7a0a59f00f40
-
SHA512
38cf4f2b67c3daa301a5d8431b3104a278357ec44cc485f969c3b11784f070fa00be466a1e3f901edc8bb48f3e8f52c784962c082d17cf263434bfc0bb15fa11
-
SSDEEP
6144:R8lL2DkSZY1P0N9pWXe8/5dfTgYn79o6q:R+7SZYd1Xegn7a
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2e08721f791305935eb167081cc4dc13b58297d3810ef998026c7a0a59f00f40.exe"C:\Users\Admin\AppData\Local\Temp\2e08721f791305935eb167081cc4dc13b58297d3810ef998026c7a0a59f00f40.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\BA5A.exeC:\Users\Admin\AppData\Local\Temp\BA5A.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1u1a1mo5m7q3a_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\1U1A1M~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\E81F.exeC:\Users\Admin\AppData\Local\Temp\E81F.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
281KB
MD53afe7b2911a9b46befdb9f2d0c4cb8e9
SHA1a63880db28b0045ef697c69615ac9e449d7104e2
SHA2569d7643a227621ca73592d916550ae6446b5609322f5c94810ed36548217e4cb0
SHA5129c2fe6f9d689f6e9a9213c07fa171821597476627a653d9751383068b11afd543d777c6b6d1ce1cc703204071839988250b69fdde38c716edca634c33a5e7595
-
Filesize
22KB
MD5958f050290c01f516c5fa7ee1f4cd201
SHA146bc79900119f9c323d2b11664d491969709ab5a
SHA2569f359b49f2a35e47b882b68da4a7c6bb24650d5da47a90dfc2a5a4f7b465af79
SHA512e596d4c92ccee75080a9fc67abb3f34d21ab70e02d5d58e2daadb7f8ba94c15e02452946aba1058ec25a7b476e399d25201697ce90f5b77aa0d4e27cc1495fb4
-
Filesize
470KB
MD58ba938f81c574f294058181ffe65f6f3
SHA11258771fd74d0368622f12ecf9fc3bc281336460
SHA256e84e9190b622367aa8dde0c3f06d59eb6540b46cc62c7daef2f5ba0724a112ac
SHA51264b023626fd2046f304524cdb3a270dabdb8ee325bebf7aab9d48d0543cdea354b6347b9f2e4cc1ce2f834bac68cfc1e2149d5be4b7aeee860cb89313e865394
-
Filesize
463KB
MD53d3cc2c2b4cf6926213e2b1e8b718200
SHA1a0f450401e4bcc10012847a164ace07789fbe873
SHA256425c0ebabe161d673c1332272c4af599ef910fc30aba385a781cc5515bf37b73
SHA512a63aefc6e63c77dc371d339c10a05f2184e86e348fbb0306c1e83a6e2ea14afeeacdbc561da158d361103bb361b7c199c2358f564b57eac77d4ac2d715a46569
-
Filesize
449KB
MD5b140e7b51c1d7fa3252cd4d058b94261
SHA1be0df14a5e1dee75d541d1fa83365839cde8204a
SHA2560ce45d3e77827b83ef81267e28f657000507fa8a9074cd1c7ba86e580bf1ac9f
SHA512dc12f5d9706b251f960005da76b0c982dc723570ffa7fceca7dbab1807450e8d52778bac48e6396d32c9f9f446cfecfb1a811bf75a51b107dad11095adddff86
-
Filesize
301KB
MD5f127ade2e89118628ebbbd9ec1cdc39d
SHA16b809f9841021a85db849335cb5dade1e6803b9b
SHA2562e08721f791305935eb167081cc4dc13b58297d3810ef998026c7a0a59f00f40
SHA51238cf4f2b67c3daa301a5d8431b3104a278357ec44cc485f969c3b11784f070fa00be466a1e3f901edc8bb48f3e8f52c784962c082d17cf263434bfc0bb15fa11
-
Filesize
64KB
MD5c23571dd53ca170ec261f9b6e2095ee4
SHA19b2efa64c556a78fefb0c2ce8d67802aca67f23f
SHA256a4955e4b94b0491e2567fd11e00841f33e9e8aae96f398eafd37ed1e1d85775e
SHA512ab72f0c0bcad06487d0181a4538f2d7a6a69e1eb1e6189ece045c21c1aa722f44168b737ae41f445eb064295293d36e83c918e63ba30c8a6eb80e1a28a92380e
-
Filesize
48KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
328KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
328KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
404KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB