Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
12-01-2024 15:39
General
-
Target
a18c5634a16a2dfb8ae46752ce4e4238.exe
-
Size
347KB
-
MD5
a18c5634a16a2dfb8ae46752ce4e4238
-
SHA1
f290033b1dd5137d026c90f9f4056e13b07a02ac
-
SHA256
e6aa74189e7f0e76c61715f31439a43360b3b66f86e899b3c621c817298623d0
-
SHA512
94a3793371ff34448d8f372b83edab12a93d380a8d4670a6937090096d8479c4f6e38f0f898d83ddadca12b982fbe0c5a93dc1125223ed9a6765b86676454bc4
-
SSDEEP
3072:Qnp1z2pL0IOQeXR4j+ygDNkdOnXaXmMd5VITRLdKPo95n:WALxOQkRd3BkdOnXYPFITREwb
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Looks for VMWare services registry key. 1 TTPs 1 IoCs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a18c5634a16a2dfb8ae46752ce4e4238.exe"C:\Users\Admin\AppData\Local\Temp\a18c5634a16a2dfb8ae46752ce4e4238.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\B3F4.exeC:\Users\Admin\AppData\Local\Temp\B3F4.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\59qw9co931um95_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\59QW9C~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\BF2B.exeC:\Users\Admin\AppData\Local\Temp\BF2B.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {36C989C7-E016-4805-BB78-7FA6600B7E3E} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\drebeviC:\Users\Admin\AppData\Roaming\drebevi2⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD5292e64f5eb72aa827c171f909496e3c7
SHA1b50db1e7441f9be5c69cee000f5ea9f22f51ca8a
SHA2564e48f894c32b12e3f8ccc251ce21ea90cf460e0aa4bb590df5ac66f0b88c9db8
SHA5127a8d8df323840f8a59d1df08a663a1d273c27a73c838919d684d189dbaad8aea1ca91fc244492a314db98b079f8695187aee60361f395d64bb49929eb3401476
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
217KB
MD590a0781b212947f6bca3ae45665d1efe
SHA1c3ee95681323d9e8292899388afe8e08ac1e8d89
SHA256eaae6dd1d35cfd4b65f02d9f678e2f819709053f8b4838d253d753b57da97165
SHA512479f9b49732912769ab6687c0cdbe58bd8a894c6c4eace8dada586d5385dd47e5a3b14d5046d17ce249cad23ddcd313b1786fe4efcd7e47de8b6776dbeacb9e7
-
Filesize
122KB
MD5cd5c4dffc27da96c960fc4b57cca216c
SHA1b327f2aeb8cc11e37f897f72f1fa7c6f3d877d24
SHA2563d48a646c39a2b803709b2ddbab553102ee6d370be9d7681791b05a2ca8b7425
SHA51282f651373100806c9dd428824f11a14453852c9f2d37cecdd06e0a0c7343805311e91120239dbba2ff6cc0d2fa576aa0455c5e10065ab914e119a7c3b7c00ff5
-
Filesize
107KB
MD55ed1944c55992e22a98fd33f35702738
SHA1d426ad61b5754fda9301379dd68a742af68f3a37
SHA2566928e1241f5a06880b47c1460d9a6859c2d70e97a27f2106dca17b5a53e734f9
SHA512e3e74518e74f3e1d96303e4af747f0b69bf92bc5a30a0cac6cfa84cf403664f126db5c908e4187da87fb26a76779835dd8c64e80079e47b4fba04e162e679dd5
-
Filesize
146KB
MD58be527ad9ca0cee6513d2df76c525c35
SHA1fb1eac7e662fa0466e699b9848a0e69191a7a0a9
SHA2565a1c4e3293e56537a997d0958fc84475c1587fce6d123b3e0149e54d7b3cc435
SHA512e01cb4a08e0e63f20200f98eec921b40fb9250f6cd2cd7afc400f5f4474ae995839b713b373a7b3a9adfe02baf277006fbf7482ca5c080ffc2c2fb8a20ea9ad3
-
Filesize
22KB
MD5b592bcbddb52e88269cc4a11d7417b9e
SHA1f4f9676f5211c3b60b99175dd5a2699c8d7d3ec9
SHA256ee9a551837891e79ba3e7e4724a3aaddd680214c2892f7430a33b6d196366d26
SHA512d82ffb511b594980cdec5e3c4d01240466ccc749c807add43396c6d46cdc5b4d23613f9f667301607c3258d5d0ccc2ef91e48960c2a7ef1405c4b8209197fcad
-
Filesize
79KB
MD516e1b5eab1fd5e4758d0a0a60112b11d
SHA1222f772a160a389946bcc24734c66518f331e3fe
SHA2567f043c74292239845edcc4828e55289a0ebee232d319151bf094031f4ac881ec
SHA512adda1a2a13966b386d59b490722dc39822290588aeb41e99aa7dc1a3cb91bb86e1f3fc442cb985aff76a7e104a69158a764e37a6195e8ce95572de4264ee0164
-
Filesize
2KB
MD556692d4899e873d38df5647be0bae925
SHA1eff81580fd41615e3ac43410c970ac53d23abde1
SHA256e8c70d88d85b7f013bd528b0f7df262bec08e9d0e8fe23202a7719d5a7b3b43b
SHA512413b4eff03f9d0feb9c87f73a089e421c3a1d4e6f8badcd71e97f0d6434db4afccf25e4209ed1aff3e43bd6fb7281ebccd7fb96ec6f4a32a510ebe7bbe45fbc9
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
36KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
404KB
-
Filesize
44KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
784KB
-
Filesize
48KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
4KB
-
Filesize
784KB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
372KB