Overview

overview

10

Static

static

3

a18c5634a1...38.exe

windows7-x64

10

a18c5634a1...38.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2024 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a18c5634a16a2dfb8ae46752ce4e4238.exe

  • Size

    347KB

  • MD5

    a18c5634a16a2dfb8ae46752ce4e4238

  • SHA1

    f290033b1dd5137d026c90f9f4056e13b07a02ac

  • SHA256

    e6aa74189e7f0e76c61715f31439a43360b3b66f86e899b3c621c817298623d0

  • SHA512

    94a3793371ff34448d8f372b83edab12a93d380a8d4670a6937090096d8479c4f6e38f0f898d83ddadca12b982fbe0c5a93dc1125223ed9a6765b86676454bc4

  • SSDEEP

    3072:Qnp1z2pL0IOQeXR4j+ygDNkdOnXaXmMd5VITRLdKPo95n:WALxOQkRd3BkdOnXYPFITREwb

Score
10/10
betabotsmokeloaderpub1backdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • NSIS installer 6 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a18c5634a16a2dfb8ae46752ce4e4238.exe
    "C:\Users\Admin\AppData\Local\Temp\a18c5634a16a2dfb8ae46752ce4e4238.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2020
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 368
      2⤵
      • Program crash
      PID:2868
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2020 -ip 2020
    1⤵
      PID:3768
    • C:\Users\Admin\AppData\Local\Temp\CF08.exe
      C:\Users\Admin\AppData\Local\Temp\CF08.exe
      1⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:620
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2816
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1140
          3⤵
          • Program crash
          PID:1176
    • C:\Users\Admin\AppData\Local\Temp\D65C.exe
      C:\Users\Admin\AppData\Local\Temp\D65C.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3916
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2816 -ip 2816
      1⤵
        PID:116
      • C:\Users\Admin\AppData\Roaming\ajefisa
        C:\Users\Admin\AppData\Roaming\ajefisa
        1⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: MapViewOfSection
        PID:4824
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 372
          2⤵
          • Program crash
          PID:4036
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4824 -ip 4824
        1⤵
          PID:860

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\CF08.exe
          Filesize

          360KB

          MD5

          80c413180b6bd0dd664adc4e0665b494

          SHA1

          e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

          SHA256

          6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

          SHA512

          347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\D65C.exe
          Filesize

          348KB

          MD5

          af93b9e1256eb8e79e98d5953a575b80

          SHA1

          118996a23a51c925091e5a6cb947114f7b76aa75

          SHA256

          7e8fb8825a2154a97d2367c87c7e40b324ab50dcc760798e6de3bc80e035d276

          SHA512

          2d17fa1c45a1ff8a8343e36061c4baed24731c5f4dc52a127d16cc23b8d673dbf922bb9fcf849212a706a4c303c3344ec85ea85734ca10fb8fd09ae4e4b6b7ab

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\D65C.exe
          Filesize

          64KB

          MD5

          2f54dbcfa506309d89f25ca13d4803a2

          SHA1

          e149abc0cd2cdf25c67e4b88e1bbe0cb6ed1afb3

          SHA256

          720bbff1fce95f63d4ca9c8b4653844ea87eb884e130e749a2838bef4ae933ec

          SHA512

          6f706a5a2ba98468c5839cc2d3de6fb2f51a7851abfcd69b69d572b8b0d0b499adf1bf30099f30fb5a185aa859e2857e8146ca19a8e4ecb3205c96e63398ee9d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          381KB

          MD5

          65a07d20fd12a87366b0951e0541db29

          SHA1

          36f91897894c24390cf02181178e8efe04a7e15b

          SHA256

          2c53c6230503e9ac061e3a3ef5a2baa06457768fe18d30bedd9a9a29b859a902

          SHA512

          a1d4b90b6049cec4eec802f71ebab7bd158ee232c9fd1f430c8a68a217e4a00173a66255d8007c1433418c24523dc99ea3414ab66590200dc6f81305129ce2ad

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          92KB

          MD5

          fa23949873a89ff520e2788b5c2bb55b

          SHA1

          187a183d9b0dafc8dc463fe80a6ccc8aba8f1279

          SHA256

          864defbec2fdbf1c26aa05e4c6c12f1fea98099890ae1349db642b3c31873b39

          SHA512

          b7bfbac096cad020e7ee7cb3fbd2985fc738fbdec7f70603b97c2b073217398b95c8b5ba66c23ffb26fe385f14e60307c29bc36bace916f7a65cb6c008bb880d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsmD775.tmp\System.dll
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          Download Submit

        • memory/620-25-0x0000000000610000-0x0000000000676000-memory.dmp

          Filesize

          408KB

          Download

        • memory/620-23-0x0000000002830000-0x000000000283C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/620-18-0x0000000002640000-0x000000000264D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/620-20-0x0000000000610000-0x0000000000676000-memory.dmp

          Filesize

          408KB

          Download

        • memory/620-15-0x0000000000010000-0x000000000006D000-memory.dmp

          Filesize

          372KB

          Download

        • memory/620-21-0x0000000002800000-0x0000000002801000-memory.dmp

          Filesize

          4KB

          Download

        • memory/620-17-0x0000000000610000-0x0000000000676000-memory.dmp

          Filesize

          408KB

          Download

        • memory/620-24-0x0000000000610000-0x0000000000676000-memory.dmp

          Filesize

          408KB

          Download

        • memory/620-19-0x00000000774F4000-0x00000000774F5000-memory.dmp

          Filesize

          4KB

          Download

        • memory/620-35-0x0000000000610000-0x0000000000676000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1112-48-0x0000000000220000-0x00000000007B6000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1112-41-0x0000000000220000-0x00000000007B6000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2020-3-0x0000000000400000-0x0000000000879000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/2020-1-0x0000000000A70000-0x0000000000B70000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2020-2-0x00000000009E0000-0x00000000009E9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2020-8-0x0000000000400000-0x0000000000879000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/2816-30-0x0000000001000000-0x00000000010C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2816-32-0x0000000001000000-0x00000000010C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2816-29-0x0000000001000000-0x00000000010C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2816-28-0x00000000009C0000-0x0000000000DF4000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/2816-33-0x0000000001420000-0x0000000001421000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2816-26-0x00000000009C0000-0x0000000000DF4000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/2816-65-0x0000000001000000-0x00000000010C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2816-64-0x00000000009C0000-0x0000000000DF3000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/2816-62-0x0000000003400000-0x0000000003402000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2816-61-0x0000000001000000-0x00000000010C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/3520-73-0x00000000027C0000-0x00000000027D6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3520-5-0x00000000029C0000-0x00000000029D6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3916-60-0x0000000072A20000-0x0000000073137000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/3916-69-0x0000000072A20000-0x0000000073137000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/4824-71-0x0000000000400000-0x0000000000879000-memory.dmp

          Filesize

          4.5MB

          Download

        • memory/4824-70-0x0000000000B30000-0x0000000000C30000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/4824-76-0x0000000000400000-0x0000000000879000-memory.dmp

          Filesize

          4.5MB

          Download