Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
14-01-2024 23:08
General
-
Target
toolspab4.exe
-
Size
206KB
-
MD5
5784cb0aeb2ac45ece0689e7eecfc399
-
SHA1
2d08f92794072432692225d06768b1b2dd37e2d5
-
SHA256
12eb79f7104c4b5f780f5fc86145924fb81f3bc043c782328ad69c660a287670
-
SHA512
cc2d49ee58955a3edbc08002e91caf63f9610bb4b3d34101d6025f047cc734ad0d825685114d5ae894d1c250ebd6c3fe265d8fb2120110d559cf345606fdfce1
-
SSDEEP
3072:qXNx5tV7E7ycJc5GD5LhwrXoD6hYNRQSpPtgLE5eYoAVN:K3fV7WCGdhCoUi9pWLiZP
Malware Config
Extracted
smokeloader
pub4
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\toolspab4.exe"C:\Users\Admin\AppData\Local\Temp\toolspab4.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6B70.exeC:\Users\Admin\AppData\Local\Temp\6B70.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ew73w9a_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\7ew73w9a.exe" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\708F.exeC:\Users\Admin\AppData\Local\Temp\708F.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
259KB
MD55eeba1fefe72d4e78b2aafecd986c03c
SHA135d83173c3ec36c32a0c1fde319f20ee7844ae64
SHA2563740701779e17dddd05a98eec97cfcb2645964cc76ce10ff1a1313254e7a8c31
SHA5121fe4b329d4a3e80cb6572f9343fe3bd9b7a4a88ba603f9034161b041fb5703fe643a05eba8c726dd1eb9087e540312aac1b8b50e6410fbfb6edf3be086af385a
-
Filesize
212KB
MD5cece138907a041bfcb836cd9c45d9e11
SHA184401e8b999153e5c5ebb643be77c5d9ee6b306f
SHA256acdae9dd505c26adb7a8e58b0d84a623039967193f42498ce694bda71a93c030
SHA5123e592386032a72e72b07832719361c1b06b425dee3d68917377ae0f39bc13bcbfc46e1cf1bb626538b80175deaee444310eb50852ba00b62e2b3157d3f882501
-
Filesize
15KB
MD5b43ff5c0deb25ef12320e43adda96858
SHA1117016db9d1d4b9f64088617dd05bcfa65a3c5c0
SHA256b15ab06b75b7f1e9030c58f9edd1407cf4bfe4dfc556f5d5e7ce3faec8837d4f
SHA51287ffac24254a95bd69a4b9f5ae619e077d9f9a6ca39eb65d8670aeed2cc29a914a91a7c3b0968655ce500fca79b0a492e20122ac95867064bfec38e28f943fab
-
Filesize
201KB
MD5c996b1f62df95a3b46772062a26e4e0e
SHA15d38060047f255916c01adf16519708361c44798
SHA256018c9bbe562375700fe49130beb3cc4c75e7a8d1f87106ef9316e3dc1dea59de
SHA512f9156b5dbe227fe1e36d2d4ba0596ac46f9369d7827b3284f8708aaf325cfa02a09ce6301687a95c2e95b9a694f4ad91f2e89b97cd30142adc013c3f22141be4
-
Filesize
144KB
MD5fed56575db2ce56850eef60c485dadb6
SHA1b8dbff5eeaeb2fec308fdb8cb823bc180bcda643
SHA2567eb7e5737fa1b56bf62e243296bf7a8a863d286f3703e1fcc8ca63e31b22c5bf
SHA512c298a98fe8f0089120a4b770977643fd5ac52ff5d49c0f0bfe6d418b06c6847004655ad65500cfa8b9ad00036cfecfeb87f2f1ece41442ebd7a1bedcc29d758f
-
Filesize
140KB
MD5c534d01bcaef787ffd6ac38b676118ff
SHA125e826b510710f0d1208aa629af57122b1d8dee0
SHA256561c08de321a1c16afab46e1c5a8e52977d2352b8e7746f2e72d880bc7e0d280
SHA5128feb1b97b1add3dbb3adec53648bfd8d512a1f2adc37358d30a0378afc2f56bf113e1164e7934405cecc4866a18cbd1cc466d9ade1bf01af4d3a904aab7c8c82
-
Filesize
277KB
MD562a5ce9d26c74749fc8cbda7214bdecd
SHA1f85b3f98596d114a018b3d5ad312c5578ae43a14
SHA2560dc4a99a963acb22baf333b4aba522326843001733d242bdf3c354c097ab28df
SHA51216abdc1d53aa40395a75273daa4fa1f955354595f71345170c8731dc83822e56d3a8be3552e3a3be620e210f17e4c318f4aecdc3d13bcaf53c1ca35df025e78f
-
Filesize
28KB
MD5696674dabbc23913913e4d1ff5559c56
SHA134a95e09dd80144582c06ec0151e7ffdea1e383e
SHA256166315d6131c99f761ef422aeea5aaa2e9348a9000948dd78a6389ef238b7b9c
SHA5120378faad539f886a3dca6b0a672570c6ecb1bc46f587d6d2b28b2688ed6c46b3eefd64dc3efb671797f3a96b74ef9c09fc23ef72e06e863637de4f27f2cd79a4
-
Filesize
317KB
MD509fbfa1c4c2b91d0f72ab22bf83ad223
SHA1bb906137ffe5bde341a98158b8a7c034e9c52032
SHA25621fe0f587385eed19ede281e0e8d21023c13f295f7f1f8b45a631fb9df5ec864
SHA512c905e77c65d3d0732a0f37efee2ff20b857b47700cab314a0110e661d17015d3ef48ecdb77f24be7f89fd1caf8b8b4e37463ca8b71dd695e1c4f35cfbce90840
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
44KB
-
Filesize
404KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
36KB
-
Filesize
224KB
-
Filesize
1024KB
-
Filesize
224KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
4KB