Analysis

  • max time kernel
    104s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-01-2024 10:50

General

  • Target

    614bf403bf44d9ea97810d8a7e29197a.exe

  • Size

    276KB

  • MD5

    614bf403bf44d9ea97810d8a7e29197a

  • SHA1

    a6e16375267ca3756ff09c997940592e701d94b6

  • SHA256

    d4ccf1fa78f6a843f2f2eb3ade48c9b486247b497fa54e3c9dc28f7c5ec7088d

  • SHA512

    8f1c20ab1eebb4dd5c7aa72b2a02d2d2e4cf8f4939d31d895fc069eff741f2796e15a11babfa2e71ea9a805d20b9b0994963da44cc2fc8d1367399d0cadabdeb

  • SSDEEP

    6144:6sVtsSuLe88PBJb3d9tiQCegRGCiPUgp6l:68tsRJ8Pbb/tXCegRzsUgc

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables antivirus software.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Sets file execution options in registry 2 TTPs 4 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • NSIS installer 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\614bf403bf44d9ea97810d8a7e29197a.exe
    "C:\Users\Admin\AppData\Local\Temp\614bf403bf44d9ea97810d8a7e29197a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Users\Admin\AppData\Local\Temp\614bf403bf44d9ea97810d8a7e29197a.exe
      "C:\Users\Admin\AppData\Local\Temp\614bf403bf44d9ea97810d8a7e29197a.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2600
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 328
        3⤵
        • Program crash
        PID:4996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2600 -ip 2600
    1⤵
    PID:1956
  • C:\Users\Admin\AppData\Local\Temp\951C.exe
    C:\Users\Admin\AppData\Local\Temp\951C.exe
    1⤵
    • Sets file execution options in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      2⤵
      • Modifies firewall policy service
      • Sets file execution options in registry
      • Checks BIOS information in registry
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4732
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1144
        3⤵
        • Program crash
        PID:4352
  • C:\Users\Admin\AppData\Local\Temp\9BB4.exe
    C:\Users\Admin\AppData\Local\Temp\9BB4.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1188
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4732 -ip 4732
    1⤵
    PID:1776

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\951C.exe

        Filesize

        360KB

        MD5

        80c413180b6bd0dd664adc4e0665b494

        SHA1

        e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

        SHA256

        6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

        SHA512

        347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

      • C:\Users\Admin\AppData\Local\Temp\9BB4.exe

        Filesize

        188KB

        MD5

        c72435cc874a52eccb61994caeb039e0

        SHA1

        2efc7cacebf56fec5fe1a574e7e812e7f1347d80

        SHA256

        57f4f93fb06d1e520e367d32124ca71173ce802968caecb66568a91f23536793

        SHA512

        75e2ce1c8d8461d137a1f60991255ae9ac9894dbd53bc37347ff5139ae9c82314de8347c2d0592529e1c6055409e8bc1f7d61b6733606de5ceac425ad29b35ce

      • C:\Users\Admin\AppData\Local\Temp\9BB4.exe

        Filesize

        93KB

        MD5

        dd19054f6b9b61607a9bb3f61819d1a1

        SHA1

        b36d4d91673a146bdb7dea8ad3fb601c9e7c4e12

        SHA256

        74058607aa32fb35fb92c2575223ef7f550511066a83dcde573efcd4a13dea5e

        SHA512

        431bccb017b73101fcabec737de7352c6b463cb01748198e919bab68ad39437e2c262f3a4628850d7f32956e48aa393cafac788337babe895781655b18d58ab6

      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

        Filesize

        92KB

        MD5

        fa23949873a89ff520e2788b5c2bb55b

        SHA1

        187a183d9b0dafc8dc463fe80a6ccc8aba8f1279

        SHA256

        864defbec2fdbf1c26aa05e4c6c12f1fea98099890ae1349db642b3c31873b39

        SHA512

        b7bfbac096cad020e7ee7cb3fbd2985fc738fbdec7f70603b97c2b073217398b95c8b5ba66c23ffb26fe385f14e60307c29bc36bace916f7a65cb6c008bb880d

      • memory/2600-8-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

      • memory/2600-3-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

      • memory/2600-4-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

      • memory/3016-48-0x0000000000DA0000-0x0000000001336000-memory.dmp

        Filesize

        5.6MB

      • memory/3016-41-0x0000000000DA0000-0x0000000001336000-memory.dmp

        Filesize

        5.6MB

      • memory/3408-5-0x0000000002620000-0x0000000002636000-memory.dmp

        Filesize

        88KB

      • memory/3572-20-0x0000000076F74000-0x0000000076F75000-memory.dmp

        Filesize

        4KB

      • memory/3572-18-0x0000000002280000-0x00000000022E6000-memory.dmp

        Filesize

        408KB

      • memory/3572-23-0x0000000002800000-0x0000000002801000-memory.dmp

        Filesize

        4KB

      • memory/3572-25-0x0000000002280000-0x00000000022E6000-memory.dmp

        Filesize

        408KB

      • memory/3572-19-0x0000000002640000-0x000000000264D000-memory.dmp

        Filesize

        52KB

      • memory/3572-21-0x0000000002280000-0x00000000022E6000-memory.dmp

        Filesize

        408KB

      • memory/3572-16-0x0000000000010000-0x000000000006D000-memory.dmp

        Filesize

        372KB

      • memory/3572-24-0x0000000002830000-0x000000000283C000-memory.dmp

        Filesize

        48KB

      • memory/3572-34-0x0000000002280000-0x00000000022E6000-memory.dmp

        Filesize

        408KB

      • memory/4732-35-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

        Filesize

        4KB

      • memory/4732-26-0x0000000000650000-0x0000000000A84000-memory.dmp

        Filesize

        4.2MB

      • memory/4732-32-0x0000000000E00000-0x0000000000EC4000-memory.dmp

        Filesize

        784KB

      • memory/4732-30-0x0000000000E00000-0x0000000000EC4000-memory.dmp

        Filesize

        784KB

      • memory/4732-28-0x0000000000650000-0x0000000000A84000-memory.dmp

        Filesize

        4.2MB

      • memory/4732-64-0x0000000000E00000-0x0000000000EC4000-memory.dmp

        Filesize

        784KB

      • memory/4732-63-0x0000000000650000-0x0000000000A83000-memory.dmp

        Filesize

        4.2MB

      • memory/4732-61-0x0000000002C70000-0x0000000002C72000-memory.dmp

        Filesize

        8KB

      • memory/4732-60-0x0000000000E00000-0x0000000000EC4000-memory.dmp

        Filesize

        784KB

      • memory/4932-1-0x0000000000570000-0x0000000000670000-memory.dmp

        Filesize

        1024KB

      • memory/4932-2-0x00000000004D0000-0x00000000004D9000-memory.dmp

        Filesize

        36KB