Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
14-01-2024 04:08
General
-
Target
fbec4956a178bb65221cf87ab537b828.exe
-
Size
207KB
-
MD5
fbec4956a178bb65221cf87ab537b828
-
SHA1
5e587f1f30a712e45b35e451af167a5ba54f508d
-
SHA256
f22e8c6027000f421c70d5733ff537d1e2e49deb5cc1d6ad3287175dffc2668e
-
SHA512
805d8ac96078aa598e2cd562e60748aeb9f36710490015d3203f309d26f341795fd1a3c82e28cb828947ff99777985fd00a540d3e1f42edd0b471a0739f8a490
-
SSDEEP
3072:Bo/htLJYeiJiiKVYgTemVAJny/8WyrtD7wmxRivBL2A:uTLJYefYgT/AByyug
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbec4956a178bb65221cf87ab537b828.exe"C:\Users\Admin\AppData\Local\Temp\fbec4956a178bb65221cf87ab537b828.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\D5DE.exeC:\Users\Admin\AppData\Local\Temp\D5DE.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 11243⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\DDFD.exeC:\Users\Admin\AppData\Local\Temp\DDFD.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4432 -ip 44321⤵
-
C:\Users\Admin\AppData\Roaming\gjvecrtC:\Users\Admin\AppData\Roaming\gjvecrt1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
57KB
MD59a286b2f7e671f95db8d3047e2cf4568
SHA16b1e821d820c876c3ca90df1f6c7855265ad1827
SHA25643de2a9d62a722789ba7a6e6d92b5fc7c1e0b981373343a7299a32f29bcde11a
SHA512a7201fc7b679e8672f1aaf4da359543921a847aed984d8756e2591cc9ccd712c86cef420c01de155a4e7aa3033737a7ede670eabd92bb2c91d7877c1c1e8e9de
-
Filesize
17KB
MD580a7b7902bb193c7282c3f5557b2f621
SHA12ec8c646ad662e236d6293bbc4f280e49303de8d
SHA256118167f836282985554b2d0c72823f09f7a4028975f7e867b894b683b1925ab8
SHA5129c04056e0e08a8b16aea3e27766a770eaa81365056b874226fd1eeabf3c9ffb0cfb4c50ae5a643419e161ed28a69f43a1daef01c30530fc41ce68b441d93e03f
-
Filesize
1.2MB
MD5c494f7ac12d40ef32277a2d3b809a08a
SHA12a90f702267f7ab2a211b368723b51334dc66b80
SHA2561147874e7e0e9a5a02386be0990520884e0b983f06d9fe35a32d57d7584ee8ec
SHA5122f17c9432ecd1a33e273258a1d701462efa2d63f0d9de386eed44676bba1952ef0eac0e70b55413e97d3cb6f4e9e5ccd20d85ef20308db79cfdd0223959e96c6
-
Filesize
806KB
MD5782ba38906fde61f48a1cc6e7d85be30
SHA1f383ecd9ff682863aede398699e3f42e390c7240
SHA2569f2b143f6bc1e7567a81580811ba13ee885e439dc7ebc67d175a76998e1b1159
SHA51274ef184cd35b33241585b5cc57b602bbfcef2bbb5eb59142130f9537f6c0b18184ccdb643eff55638bc5930f2953a516bcdd30fe9782071093dcc476012db331
-
Filesize
1.1MB
MD5a3e0e19008a5e3e951fa4f3cbd03ed56
SHA12d9f5c3d9aa0704005c96970c21f9236bfa42eda
SHA2560fdfbc8e7b61a15fc1de6dd3ddc59957d3246666761d420db6c89b1917ae778f
SHA512d3e5554bd8cfb6f1f376d2aa7bbcd832b1b95bad5656ea110e39608ade2db183405a2486fe365df9269d8d045b42c3abefce17c61d15b4c86db30bab618123bb
-
Filesize
706KB
MD57741b2c7baf45087b0c58ac7b16fd91b
SHA1cedcf4fea17201731af5ce0f5ec8f9d29f60bda2
SHA256c4f937f3bef67f33de7042d85277fc4567cdf6920b145ad01b6c29c03e104fb7
SHA512be386921f974463962622bb78ac9f9480547344b4d1038ba307e6351d58f7e8c7c6016c6e690d95dca5e045a60de20f4b7dbc0daf3ac4ff0a8db220490bbcb2d
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
207KB
MD5fbec4956a178bb65221cf87ab537b828
SHA15e587f1f30a712e45b35e451af167a5ba54f508d
SHA256f22e8c6027000f421c70d5733ff537d1e2e49deb5cc1d6ad3287175dffc2668e
SHA512805d8ac96078aa598e2cd562e60748aeb9f36710490015d3203f309d26f341795fd1a3c82e28cb828947ff99777985fd00a540d3e1f42edd0b471a0739f8a490
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
1024KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
228KB
-
Filesize
1024KB
-
Filesize
228KB
-
Filesize
4.2MB
-
Filesize
8KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
4KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
784KB