Analysis
-
max time kernel
165s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
13-01-2024 05:52
General
-
Target
00924a49c1fc68fa7b54e1cacdf19c93.exe
-
Size
235KB
-
MD5
00924a49c1fc68fa7b54e1cacdf19c93
-
SHA1
391c74453d3c3a23ebc22e307a6f071bcc818c9e
-
SHA256
ac78b4ea0e6ae2d971799e6505d937f15276df8f34a509983f423622fed31cf0
-
SHA512
d1cccc99f3df6cc0676f2a6e86ad9dc1284d6312148f2a389622d50a4469e159122118c14b30462e3e5fac8d54400f08e14948658804905615abf584daf87a67
-
SSDEEP
3072:RC2zySmwWaXJVCadJizA1KSB2JybTZS5ygptqwldE2fARvSL:RC2m6qaQMlLgpH7YSL
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\00924a49c1fc68fa7b54e1cacdf19c93.exe"C:\Users\Admin\AppData\Local\Temp\00924a49c1fc68fa7b54e1cacdf19c93.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1BE0.exeC:\Users\Admin\AppData\Local\Temp\1BE0.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 11443⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\2278.exeC:\Users\Admin\AppData\Local\Temp\2278.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 536 -ip 5361⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
547KB
MD5f27a56030ac8d2f00f2a77a909260ba4
SHA189aea0cec8313c1973041d0c5249ecd1e1d0f8ff
SHA25613f92390d48ba9f3782d8217125ea323b8ab57527c447218fec24e9084f5b449
SHA5123ccff8e3c6f71fd35f7e59c8145d42192c2f701f27db262980303feff005adcf167edeee351b6436e38738980fea1322ac481c7312fe2256955b177236d7ebcf
-
Filesize
524KB
MD5715c29f45cf0ecbb066310a52c1d9882
SHA18fd09101195f936caa560de9141626f259b14223
SHA25673ce4644cf252c30deb0647fb0457429b745a61cb796eee359c0fb109fe90ee0
SHA512f24d0fbde55082fac7539e5b8e137586d1e31fc8b7ba3b4cadfdaa744dfb9e6b255b09cd5f14e65dc4ae0182c3f01d11a276f21ef5fa7c2791e15cf714664eb9
-
Filesize
307KB
MD5702bb88ac23f3dc7b4be2ea42a7b55ae
SHA1952087c8b8751963aaff38b35852fa5a32dc1819
SHA256745564d2fe9aa13d2a5f025aa37fb40ba2298b1edc1b0a29026fe6d13c9e70be
SHA512d61b7d14e6ce3af9b73d09061fd329fa7896ca6267be37eb12d8ff7a9b4312a7b8d115d47233194d2d0f1502cf37705c250a34c5812146631cf0bb0d13e12157
-
Filesize
188KB
MD5704db874aa35ab1942cb1a7cc990873d
SHA19ef6acdffc4e6146244bae2e7d58b089d44cf2c6
SHA2564317d0b5ffda14b40f3f71ce229dde5cbe03655301e35646518858259c4ab596
SHA51245aab9f7312e4695544efb9661b8d1df0f9bbc91914adb8f36db798feb6077ba659876cc76a6dc661c22739d0bd69ae5c7074d12232fa854a831174433d359e3
-
Filesize
85KB
MD5af16c15d54c3b245b030016fa9070935
SHA1c87346ebba4b62c34e2e597dfdb5b4a9ee57a4e0
SHA25621876ede5be1b9ffc031299b98df793e13dc328a85860813cd7bc74c960821bc
SHA512ab742f3ca78e450bb60ecaed4cf1006500c1e8225284ec338cd59c29d6a2c94c1ff8327fe209309c35fe6332f080103211535143e6b9c11d56ca4f4ad8dbe73d
-
Filesize
936KB
MD5a0e2e2de647c7d9cec63adab7fa5b52f
SHA1144e24392705db624206b868a326df69fb860076
SHA256a1bede2796b10cfb880e6931dd70be09e4c06996b67784cbacc55c597f43b93a
SHA5126abdc48f89a668ed42d60eb2f0da0442f966f9ae12c5d74032d3043f331e8d4c77cf57ba4799629ec084d458be5441dcd9f72a88c2b635e54cd9a2494f496ec1
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
8KB
-
Filesize
784KB
-
Filesize
4KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
88KB
-
Filesize
248KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
5.6MB
-
Filesize
5.6MB