Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
12-01-2024 03:10
General
-
Target
ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
-
Size
290KB
-
MD5
6db27327a2233d8ee11abbed6229604b
-
SHA1
feb1887bd6f9c0f84ed539be18d2812042d87e74
-
SHA256
ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4
-
SHA512
a0fac0a468fbc7d4f4b9a03a2a5fb94ec90172f04805066250a6c2fbf322a149acba3ecfd4cfa6889218e0c51bcece9d26c355cf36d5f939cb828a7735d5c5bf
-
SSDEEP
6144:BecoZjpjdRLk/7Y8XOFPN8v9ntG/689RjObRXMA:B+ZjpRRA/7XOFPSvJq68fjObph
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe"C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe"C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe"3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\AF04.exeC:\Users\Admin\AppData\Local\Temp\AF04.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7sius3e733eoc_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\7SIUS3~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\B8D5.exeC:\Users\Admin\AppData\Local\Temp\B8D5.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
1.2MB
MD5f0fe6939167c541f93815f6f94d2f971
SHA1f162eeb3c9a2faf0f1f063676527bfb789b29aaa
SHA2563ca6b4020fa82b54d8f0bd4db56cbf89a81156720d561a7c17cffc14fc6e6ec5
SHA5128e0dd309289c45f6ce784a4e497ad239ed0945d4792b7d82189398c56cccc9c2b4e47573289aab653252bfeb57b3034b35328e61812d6ab6fecc8f388241350c
-
Filesize
2.8MB
MD51be6039d82321670b68d66b2dc8eae88
SHA1415d7e284d1ac3d434c7495616bc2f08bf7a2a41
SHA2564bd7df4d8ae8772bcbba5014d8a8ec41adf721a69b85aa98ac8bdc23c6593067
SHA5128202723c9abda642a1a3f7a0508e02dd51f00fc8242ffe07ac808a360905e17abfffc1955560147eb4167fd129afd9259168f2ce43d585d6c80881f0463e1825
-
Filesize
1.6MB
MD51a4a19235810c65b56620474e4ffdb4e
SHA13174283b3ec9ef0f6cce70c0ab86c8d96e76dae6
SHA2569aafe66ed5bd254db8b884cef40a0179d721cda78a4ebd42f7ecc3a70e0109eb
SHA51214fa030aae18f409e4594b9975c1b35a275cab140325674917325f3b7107649ed0828f8de9a14b56bddfbdbc71e99dba6168c9e18ad1fdbb84f4cbd1677aba73
-
Filesize
290KB
MD56db27327a2233d8ee11abbed6229604b
SHA1feb1887bd6f9c0f84ed539be18d2812042d87e74
SHA256ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4
SHA512a0fac0a468fbc7d4f4b9a03a2a5fb94ec90172f04805066250a6c2fbf322a149acba3ecfd4cfa6889218e0c51bcece9d26c355cf36d5f939cb828a7735d5c5bf
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
404KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
372KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
784KB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB