Overview

overview

10

Static

static

3

990a6d8f56...ba.exe

windows7-x64

10

990a6d8f56...ba.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2024 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    990a6d8f565a8df63234c7a9faabe6ba.exe

  • Size

    290KB

  • MD5

    990a6d8f565a8df63234c7a9faabe6ba

  • SHA1

    328558357bbbafd16fad998fabb4e03c328900e9

  • SHA256

    db726961f1431fd7343b23e90a146a7fd19233d4980815f2d68d50c36bc1175d

  • SHA512

    2ae5bc20ee6b6a91662cc3d49433c7354fb8a0f3bdfb224d5da2820e6e637fb886279d6fca0b17bafa5bf991dfa9a3a4179ae9f9ba09b3f8bb04f626ea8eeabe

  • SSDEEP

    3072:jec4fYwGFV04Lr70+sJiaUEvhqwuFVEYWQzkWl+tyYA5gi9/6NmJ5b4cQ4bRXp6h:jec43GFV04LNzEw9EYW8+lA/6+bRXMA

Score
10/10
betabotsmokeloaderup3backdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\990a6d8f565a8df63234c7a9faabe6ba.exe
    "C:\Users\Admin\AppData\Local\Temp\990a6d8f565a8df63234c7a9faabe6ba.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Users\Admin\AppData\Local\Temp\990a6d8f565a8df63234c7a9faabe6ba.exe
      "C:\Users\Admin\AppData\Local\Temp\990a6d8f565a8df63234c7a9faabe6ba.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:544
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 328
        3⤵
        • Program crash
        PID:3240
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 544 -ip 544
    1⤵
      PID:2396
    • C:\Users\Admin\AppData\Local\Temp\A25A.exe
      C:\Users\Admin\AppData\Local\Temp\A25A.exe
      1⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2204
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1144
          3⤵
          • Program crash
          PID:2400
    • C:\Users\Admin\AppData\Local\Temp\A7F9.exe
      C:\Users\Admin\AppData\Local\Temp\A7F9.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:5104
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2204 -ip 2204
      1⤵
        PID:728
      • C:\Users\Admin\AppData\Roaming\jrjtvbd
        C:\Users\Admin\AppData\Roaming\jrjtvbd
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Users\Admin\AppData\Roaming\jrjtvbd
          C:\Users\Admin\AppData\Roaming\jrjtvbd
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:684
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 328
            3⤵
            • Program crash
            PID:4260
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 684 -ip 684
        1⤵
          PID:4052

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\A25A.exe
          Filesize

          154KB

          MD5

          1948ebec84176c817398f4502858edbd

          SHA1

          d2eece5fb2dcc1ccfd21d15686eafc308feb6383

          SHA256

          e70696f60ab52f24737f61ea1f62638d70e5c0ee535cac1e12473443138122b1

          SHA512

          98f237d354b3c6716bdaf3755f541de89295ddafc8594ac5145fb963011f7e2bda396699c588fd9c88b248fcf8af322b000e8729d6739a833d61195bea8a2882

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\A25A.exe
          Filesize

          133KB

          MD5

          e5f6a9b838d403a4680a4538e44cd6a6

          SHA1

          9e637d9b23ed005e0f452e667127bf426491bfb8

          SHA256

          b90687e956e52825f1d148f143f2a9266153315451cd270a7593ab3b51095c0c

          SHA512

          cfed5668ff343a22c987fdb36d7fd0d13d8a7db4dcc36a52826fa5ba5e7aac3f9410a483f583fcce62ef01e6b068d4701e5f0925a1036b5c9452db29d97d3a1e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\A7F9.exe
          Filesize

          265KB

          MD5

          8dd15f0da691facf26f679bffecd895a

          SHA1

          a098dbca7798a0d77262384fa6f0d12d8b9b5452

          SHA256

          4e305c721e7c40e16855cfcb2ac6f2e2c5b987dc7600283b11ee67593cae56bb

          SHA512

          a3dd2dd6347883e8c8ddd2e43db3410e01f5ae7a2c6df6bfcaf7c9092740266081076a259c5f100b1d088e26bc0d35a6a4f86b06588cc5e24eaea2aa50bde17e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\A7F9.exe
          Filesize

          170KB

          MD5

          fec2f6826ad770ca04592cde07b2ef19

          SHA1

          887d9c50fba509961e68a4bb576f85cd2f1f244a

          SHA256

          bb4d5c838b5aee5a99fca3e90912776e3d9983639dc0c15791c012645f73ccbd

          SHA512

          27fb2d381a9fda49d3d3e95b661e73978869012effc96921115e353b61799547d81cb8e28b0424fed2a81d845e44eca6db01551ff17ddaa6c66c5b9262f250b7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          123KB

          MD5

          51d0f92ca62e167f15bd3338ae50159d

          SHA1

          0c190a89fa42bf66aa61515e67d3dfa3098e9fe9

          SHA256

          badc9fdb29dac5b7b97c50e5a432014d6055bd4e05567899a94870cbcd551ae0

          SHA512

          652fa193c045d9081e0bb4d388a09e2c928764aa401c353054219aa9d36b66f1758ed4b310d5b57b21628fab605ababbe85a0735e011a2c8964933ae959256d8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          245KB

          MD5

          a3b3ccb0452382f5ee377ef069cb828a

          SHA1

          9d1033dca367d4028a74c659b1a05ad676668a8c

          SHA256

          5f3eaaa606e165ebeaf661eab45cec868adb816545d8dd26169cad593411b0f6

          SHA512

          6ed95e1d6c54abfca9e6178e46b67c2924aa2aee3f7b5e5a0f94a163bfc92d9c1357a36d07cc5d45225a9988e66e5c67653f120748b4bf873bc6f7b38288fab9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          73KB

          MD5

          30b397dd15ce3b68dba6f9277c7ae6ed

          SHA1

          2b4143e39276982de403e3ac43c802e8eaede37c

          SHA256

          59e13aefe2259a5c074f9741cc085ac29199a67287084ebe707381a87a7d4662

          SHA512

          a8ff33828066b3302da7551ea4debb680b19ac0669bf126287874c7c98c40ed33214b4a62f59e29dd00b3f3bdec3c0a1ed62adb2f78d9b1e54d46d1df6680f39

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\lib.dll
          Filesize

          226KB

          MD5

          6a668e92d8a22650ff8ab1733e3f8f10

          SHA1

          9a6a07a3147d6e2622326bb6a50617af326f0bee

          SHA256

          13f05deb90bd9db092ff4dcf9be3e8bbd36f824860792dfb22fd525036602589

          SHA512

          7b0abc4d397d628e079cbbea624dd5e7fbb7636b0ada26f08f6c864a342f371fd39675777bf84d6722fd0bacef3a8d0624688055d657fd27b18ffb955be1f3e5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\System.dll
          Filesize

          12KB

          MD5

          dd87a973e01c5d9f8e0fcc81a0af7c7a

          SHA1

          c9206ced48d1e5bc648b1d0f54cccc18bf643a14

          SHA256

          7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

          SHA512

          4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\jrjtvbd
          Filesize

          138KB

          MD5

          ad9f59751a85a8b035841f609dc73176

          SHA1

          61f5a2961ec551eb4eb2487bc940701a942f0305

          SHA256

          2c2fb82e12d02f6899fc88380a51be1fac1fd238c1af49ab82e9f9e8d03584bc

          SHA512

          760701e6d4527e2de215a302c42ddff1187c14467ceb002a9e82455ab9e2a5cc199646c5e003611d5b4ebfdfe564d3e7025e6bca4e85f86cee332d053bcdea71

          Download Submit

        • C:\Users\Admin\AppData\Roaming\jrjtvbd
          Filesize

          219KB

          MD5

          6b04762ad46b8901f6aa342e57ca78d2

          SHA1

          c57f678c9e395bc4b4a5726abb4027ef7bc68166

          SHA256

          28847c2a0ef1b3d35ad8d7a6131b97bfe88f471c4085772e93963986f935d3a7

          SHA512

          75350e6286f07b52a929744bbad6ee606a4939e4b60d9bc0bc6a8a358a2fa7a0aa9c5baa2dac22d730c94d057745ad505c3051bc20247bf93ed5a45e48b24b07

          Download Submit

        • C:\Users\Admin\AppData\Roaming\jrjtvbd
          Filesize

          122KB

          MD5

          e65c2ac4ea32875875c22be1e7acd402

          SHA1

          42fa2499e38f0b5627ac8066da12ea4f7400ad9a

          SHA256

          0429e4a26f7cc7277310a24e97c714cee13f12c786903c2352cc3496b84e9f5e

          SHA512

          cbb675d87455bae0b635d9e75ff9fb4be304fb95b17b01c657bc606e4dda416fccd1792844ef040cf6eb06ae27d4739d0fbd14f28f3dbc50f673fc843a58b79a

          Download Submit

        • memory/544-8-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/544-4-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/544-3-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2004-49-0x0000000000090000-0x0000000000626000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2004-42-0x0000000000090000-0x0000000000626000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2068-71-0x0000000000739000-0x0000000000747000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2204-33-0x0000000000800000-0x00000000008C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2204-62-0x00000000040B0000-0x00000000040B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2204-65-0x0000000000800000-0x00000000008C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2204-30-0x0000000000800000-0x00000000008C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2204-64-0x0000000000060000-0x0000000000493000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/2204-31-0x0000000000800000-0x00000000008C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2204-29-0x0000000000060000-0x0000000000494000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/2204-27-0x0000000000060000-0x0000000000494000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/2204-61-0x0000000000800000-0x00000000008C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2496-18-0x00000000022D0000-0x0000000002336000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2496-36-0x00000000022D0000-0x0000000002336000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2496-24-0x00000000022D0000-0x0000000002336000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2496-25-0x0000000002800000-0x0000000002801000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2496-26-0x00000000022D0000-0x0000000002336000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2496-22-0x0000000002830000-0x000000000283C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2496-21-0x00000000022D0000-0x0000000002336000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2496-35-0x0000000002820000-0x0000000002821000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2496-20-0x00000000773A4000-0x00000000773A5000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2496-16-0x0000000000010000-0x000000000006D000-memory.dmp

          Filesize

          372KB

          Download

        • memory/2496-19-0x0000000000620000-0x000000000062D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3488-5-0x0000000003300000-0x0000000003316000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3488-72-0x0000000001230000-0x0000000001246000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4052-2-0x0000000002190000-0x0000000002199000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4052-1-0x0000000000590000-0x0000000000690000-memory.dmp

          Filesize

          1024KB

          Download