Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
13-01-2024 05:52
General
-
Target
00924a49c1fc68fa7b54e1cacdf19c93.exe
-
Size
235KB
-
MD5
00924a49c1fc68fa7b54e1cacdf19c93
-
SHA1
391c74453d3c3a23ebc22e307a6f071bcc818c9e
-
SHA256
ac78b4ea0e6ae2d971799e6505d937f15276df8f34a509983f423622fed31cf0
-
SHA512
d1cccc99f3df6cc0676f2a6e86ad9dc1284d6312148f2a389622d50a4469e159122118c14b30462e3e5fac8d54400f08e14948658804905615abf584daf87a67
-
SSDEEP
3072:RC2zySmwWaXJVCadJizA1KSB2JybTZS5ygptqwldE2fARvSL:RC2m6qaQMlLgpH7YSL
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\00924a49c1fc68fa7b54e1cacdf19c93.exe"C:\Users\Admin\AppData\Local\Temp\00924a49c1fc68fa7b54e1cacdf19c93.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\6A95.exeC:\Users\Admin\AppData\Local\Temp\6A95.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u9y79m1uk_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\U9Y79M~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7753.exeC:\Users\Admin\AppData\Local\Temp\7753.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
182KB
MD52ab9fbcf4de31eb5ff42d45ab0380ccd
SHA1644d34d95c2c337b7837b1493f6ca5c5648b564c
SHA256956c00505f0bcfd35856636100f36029fb509ebdbc03e80a7b13e3b7f1a30aee
SHA512580f84cd71b026f93d5d91ab27003fd0e52d101596a648bdf27b7ed5897496ec41719f0ccf653db4d848e78286838c9cd16debf65d6b31e987c113af8935d3b2
-
Filesize
17KB
MD59509cb5eb0f624b3a916c33d5371c856
SHA1d097ce34952ce005bbea556a92da6ff532d60f36
SHA25640442a3ec24076984d76911a67dc27d7d8050fc9807fb7b09c720b5064e0ef19
SHA512f3626a10498b41fa70578a8316e93ada4ba039073c6e1773baf1a502dc71aba2100fab41da37dff3cf68cd665cda462db97c4ce28dce19b169cd68995318c9cd
-
Filesize
1KB
MD5350e4003ef18942c96d982621a05286d
SHA177e3608787ea00b65656622a170722a3c1506977
SHA25627f7c2bdb5136c46b8430b1af9b11a2ff0d936a7266ee845199e9ee27e572dbc
SHA51260f9259ee5eb2487e6af46707c31ad4282927518211ee4fcd11e1ce9fb44c7731b1864f9079722f4302fd557a8eb8c7cf171618d095c29daf18c3ba31cf9d8a5
-
Filesize
54KB
MD5661b6b7f313553d07ef148a1efd52ec5
SHA1ac5311deed9d2af447f88513c596b26eede43637
SHA256d77b040ef19b3af4f2bb8913810f096bd3afa5dbc0666b0d9a9297aa7e5f0fad
SHA51282db9a17dc6bd113259b8d08b411deda2b4e47805bb600f6570d845dd4da86b625da01d38a6ee28715efed817cf8c6491e5a55d4ff8ec07859994f9486c36aca
-
Filesize
74KB
MD5f1dd265060598b85b104fb5bbc34a1ac
SHA10f9aee059032b88068456517ed5952371adf3caf
SHA25621cc703d3ab4fcf0ae1772715629437803511e912becd2cfb3cc15822360135e
SHA51206916fb14f99189cbc548d402508ec3e00d4bcba66b25ee2d227a3cbecefaf7b7c9cadc656cc71a711a74af8ae90df794360a338f2bc406d24ce3f8b330e8294
-
Filesize
192KB
MD5e19f86ee40f91df0d250708af41193ad
SHA1d6dc1012d8b64b16b179632c2691515955108f38
SHA256b1235cfd81c6efea281f34f97d69b7b214e462cc287bccfeb2cdab414a9eefcc
SHA5128e653e5196492e808183f9ebbd01f2fa06b43fdbfafe4f7e595db17d23ea3e76ac75554b9045f25c64bcdc9de41fa08eecaecd68b89691edd647469434f13401
-
Filesize
51KB
MD55b9b3f67efc4d8b05381c28ad310a9ad
SHA1321cb92af94c0cb8bad1e1a11120ebd605be8ce4
SHA25636236010984e614e3b5a41801ad4d982c1f9a428e0d87d6cecbec8c9d8167c69
SHA51217807532840153e8d744b21e7109c87901d1778c80756e147070ebd02c4d1ae4f194de7fa721441783b082112526ee44bdd4bf0f9bb9166b5e46667c664db8c0
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
44KB
-
Filesize
408KB
-
Filesize
404KB
-
Filesize
4KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
5.6MB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
48KB