Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
12-01-2024 03:10
General
-
Target
ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe
-
Size
290KB
-
MD5
6db27327a2233d8ee11abbed6229604b
-
SHA1
feb1887bd6f9c0f84ed539be18d2812042d87e74
-
SHA256
ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4
-
SHA512
a0fac0a468fbc7d4f4b9a03a2a5fb94ec90172f04805066250a6c2fbf322a149acba3ecfd4cfa6889218e0c51bcece9d26c355cf36d5f939cb828a7735d5c5bf
-
SSDEEP
6144:BecoZjpjdRLk/7Y8XOFPN8v9ntG/689RjObRXMA:B+ZjpRRA/7XOFPSvJq68fjObph
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe"C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe"C:\Users\Admin\AppData\Local\Temp\ea040833f500c29fb2229a00c1578500c65fffddab8eea70083ef392cc066bc4.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 3283⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4908 -ip 49081⤵
-
C:\Users\Admin\AppData\Local\Temp\99B0.exeC:\Users\Admin\AppData\Local\Temp\99B0.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 10723⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\A058.exeC:\Users\Admin\AppData\Local\Temp\A058.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2904 -ip 29041⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
1.1MB
MD56b31e23c2b0d302a87f4ff0e971faab0
SHA111301e0a8c8d77ca283a05ef2a12b3078693d41e
SHA256ff5bba9e5173d9da3e69e564b9ca35fda309c0dfba4a0e6de1e6d6ee35c00577
SHA5128ad8d14a18472eac374d90cf028a023caea1a06f2b9a2bbefcf880436a797000642fd0f38f3d233409425b23aec419f11c5b0b5f0fecc11b7577b1ec7e9d252b
-
Filesize
1.6MB
MD54418849fb4ce3f02c066a1e1464528e2
SHA16b022bac813248ce0c0a73bd2c0994a228c41a98
SHA2561f83add80e6e79379f051c668285e50271dd926a0224836ca914a6db1ddef3ec
SHA512659223459e04a5b8c9ece58bc4f9bea5dccb5432f39f78a58defabec23622c9d31bd7b4fceacd8fe7e3eda6e34cd0b6087bd78aed8f0fd2a2fbb98471de2c05f
-
Filesize
616KB
MD52aa7d4efb3faa9225a58195b68eb98d7
SHA19c70f1a0d5bac6dbec5251408fa47a028aaff444
SHA25664399ae6964ba55f938a3b692d4ea1e866f1e8df040658184d2b01580b80d2e0
SHA51204bb34406509ae261461f0fd2c3e08243c810ec3fa63d6cfee03b85e58011496b98cdc37944c9acd571cd585f694e4701b737b0ee90dee2263672f7c1939eb17
-
Filesize
220KB
MD528507fc217cb276a92519823eac40774
SHA170025049ca79e3032b3c503e94f79c05d830d2eb
SHA2567bbfea5a715c73f22770d937e607b3df2715ca4f5e3a4747ed68d2d9eca35459
SHA512fb72acd3c879eec90e787188e0cce7434ed31e268fcc0404c49870829365e83695199b42c26eb7900868511ddc420c7b97574e37ef1fbeb6eca400c836f28d25
-
Filesize
92KB
MD5fa23949873a89ff520e2788b5c2bb55b
SHA1187a183d9b0dafc8dc463fe80a6ccc8aba8f1279
SHA256864defbec2fdbf1c26aa05e4c6c12f1fea98099890ae1349db642b3c31873b39
SHA512b7bfbac096cad020e7ee7cb3fbd2985fc738fbdec7f70603b97c2b073217398b95c8b5ba66c23ffb26fe385f14e60307c29bc36bace916f7a65cb6c008bb880d
-
Filesize
92KB
MD5ddedfd23bdbb44a6b89cb63778c9a12f
SHA1c80b261146f16a9e34d40947f0b97024742713db
SHA256fb3946bcf285f3d6b07e20ac4f2344de316c89afadc9a91829f5ae1b5f1af23c
SHA51210931539ae3cc4ceede9cb70ba296c086349a8573737a74da9611bee72ddc7c319ac893df2c441a699bf1eeb160ea32846337ff7e00d4eb48a29c332fb248073
-
Filesize
3KB
MD559051403ca9862579ef69cda1fc6d430
SHA1a8fee347200937ddb715046fc67702f1ec93128f
SHA256100371e908ffe9f8effa40cc4b5b52bfb81920eb99ad044625dc91ae1ec5a3e6
SHA512b700295512045d9dc304064a7169ad3b532a45b46f39166d7059e2a692bc8f4126476f498fb496c2ef7e8bdabb410128ddf58778bd5882d465d9d1620270bff9
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
8KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB