Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
14-01-2024 03:13
General
-
Target
4e58387e1431f77f2fb4f103f82f7e5703daa02e039e352f05384c2ea300d103.exe
-
Size
351KB
-
MD5
7df8edaa8a8b2412a77e89ad13496b51
-
SHA1
ee567909d3b5862a02702870f1227e999bf1becf
-
SHA256
4e58387e1431f77f2fb4f103f82f7e5703daa02e039e352f05384c2ea300d103
-
SHA512
f01eed16bf3ad7912b4886a48cef58c9d0ccb34d391b77a122ed2c0f0a2e5855a6d456435c4955c9e67df619b3e1c952a4f4a06b387fb4280f790d7b942acfa4
-
SSDEEP
3072:dJ1IpLEoO3wZ699/ddzJ2yDRForgjJqUQhM9jb26est5Fh6m5Pa6BV95j:duLhO3wZ699/PJTFqENTQhalhtC6BVX
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4e58387e1431f77f2fb4f103f82f7e5703daa02e039e352f05384c2ea300d103.exe"C:\Users\Admin\AppData\Local\Temp\4e58387e1431f77f2fb4f103f82f7e5703daa02e039e352f05384c2ea300d103.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\7742.exeC:\Users\Admin\AppData\Local\Temp\7742.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\g597g5ug37_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\G597G5~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7DF7.exeC:\Users\Admin\AppData\Local\Temp\7DF7.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
564KB
MD51acbd9de3b923f00a78314176ed96364
SHA14ce91aa9f59f175a9445ef6dd4d2d0c5416dab6d
SHA2563c99a5152fe07752cf3deca61bf0b34800158c19fbd7d2e463ade2edf05a7374
SHA5122efacdb049ca6344a91e4de47210582c1b19b572a9fab540b13103dfbd150249ee39d13dfdc4336b6b2a756dd9004dd45142ddd844121612a468e9c733f9a31e
-
Filesize
442KB
MD5537f9e6074330d068850074110eac4ba
SHA1bbc4e17c10216966ae15aad1a3766e5df26d3227
SHA25650e5b7d70b04cf2c713ebd5e6d53643f3f2c12378eca3141f5230d33d0b7c0ae
SHA5123c664c668420c5f51f05689dbc69fb8affc965a8ecf92b76c3ebb1cfba458e1f8a8169f10a57656c6aa64585aacd1c89ad006ebeb194287d83538dbef8f382e3
-
Filesize
490KB
MD5138007903c50e4a4a91c3c5f2a6e228f
SHA163fcc10098a679497509a136f772c10468451c60
SHA256faacd4c06d871bda3cbc29b3c0da3f14e0ba2a8038d46a235700f364e771ef73
SHA512291fa8945540564875693b41046da9384aaa329de3b22c124972d18abeb0f6bb4cc006e5b0e5287d5d990fedb682707dccd1a76c05461f9686bb46447d966061
-
Filesize
249KB
MD52c9c142b1dd3de561ad27342ec512e9d
SHA182e37cfeabbfb6ff36860acf40182aab129e7b96
SHA2562cb25745fc4d5a52df0feb0c6ae08e8db7d5eca20733c3a601264d7aabc7ed9d
SHA512891e7f8b0e26db648f312d822a29a1be8e1ba2ba03f72a6599e22f4541d72f175df56adf5db73543029f155acc12836c736a87afdf8b11ce20cdaa4fe8c189ba
-
Filesize
73KB
MD5b0ad309206d6adf9f9c3c749675acd59
SHA13b59967f5a96e25459c02429e7f1c6f78da6eecb
SHA256d05fa985a5825e7d72af41ecf4cfcdbe9e64ebf0fac7ad66be01ae703e52322c
SHA5121b61f60135c328ef8dd35f6c2ec4cc9c62a26cf75d1298e6f8d717a1da47f5db60c5763352bac3fefb458d4ab948523f91190b54d2f1f3cad627011f2a47a3f0
-
Filesize
58KB
MD540eacd5d4785e2d4ec11b06f250211ee
SHA14f3eb0f1ef5b36e0d0ca396885cb88db9c3c04c8
SHA2565fb0860bd0b94cfc66b2302e33d95dddf9e5e74d4452e0779c2bb49186e92242
SHA5123b40276b7c8bd12b06891f6c005ad78736be130fd746da859b8089821983dbbeda8d94262c8ae9ec30604fc3cb8e0f597beeb332dc5f86293671ea2e0886c5a4
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
44KB
-
Filesize
408KB
-
Filesize
404KB
-
Filesize
1024KB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
36KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
5.6MB