Analysis
-
max time kernel
148s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
15-01-2024 05:35
General
-
Target
toolspub1.exe
-
Size
204KB
-
MD5
1312fc2e043e2347c3de8a9a6907c430
-
SHA1
075a04bc32a70aeedb23ee83842dd32fe691ba58
-
SHA256
4b3f4607405154b8182848324699427778605dd52afabaff7a0fd542a4bc9212
-
SHA512
108be06b849ded957240b52b006961f4bb01a9684ac0f2a81d70008f9b3a6cf1c2ee657cfe5ea6f566772735dabbc1c505342f37df6985296ddcebf3e917694f
-
SSDEEP
3072:EkI0nM3Jq/AmlEkJiAj1K/2stqLiP+k9IYBn7Q97fsRLx8yM+cmk:EkICXlETZ2kx7QoxJcL
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8ED7.exeC:\Users\Admin\AppData\Local\Temp\8ED7.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3ys11g3e_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\3ys11g3e.exe" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\99B1.exeC:\Users\Admin\AppData\Local\Temp\99B1.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147KB
MD5b6ad0bd37fd94548b2d837a79054fad9
SHA1d7dc4f26f3eba26cd1da2a0596070da3bb485860
SHA256265072608fcaa7e2ccf870132a034e7b75fe3200d5a5998ef667d0f1e5676e9b
SHA51239754d6e90f06c086f3bff6e79cc7f069e6cc8b62fd2723386a59a9e2d50a4bb02c7f082003a4a00826e72e62c33d87d2d322c0af93e478c5137f133740c6c3e
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
349KB
MD55c8922b20530a2e83c337d2870a952b8
SHA1aa14bce9d0890e227e3c77ef6139b7e64ab4fdc1
SHA256df5d30b4e086d5dbf084c0d5f24104e3f2f137654475fe6bad2ae0938a7fcc8c
SHA5128153dce4bacd71cb1e1499fe51275c9cefaee94574ab2bdede89ce44065897d726055c33a72e2d45e36396fd7197446edc5fc6a1335c32db063fc6762909c0ad
-
Filesize
76KB
MD5800fc43b8b6b2f54fff950076d64db86
SHA18d9cf0a7f6fab587a8bfcd672a89298d2b5991df
SHA25612feeefc58c0c1f8979fd3b24a9966308afc72c6f9d4e76b059b7104cfc5cf4d
SHA51253e4843d3cb6dc94981e5554345c0a7f7b310f733baf197ba3d422037cf98c507ed397b94dd24722bde52eb8c6a857b01a2ba827c2032b1adf18683208d28036
-
Filesize
424KB
MD520c07eb0dec1242113b209ed9cf73b83
SHA1e405c344592565108c8b8cb394f80ace22d3e75f
SHA25673652344f91a360bfe22068999475561464b93e628439b36fa1fadc6cec0d7db
SHA51268c67f9a0e8c4d6c47b7b15fb44261f19134169e2bd3534efe0df896fa7d735acc4874a617bd303f81fbc90d90908dc780d1006597515d6254bbd1458ef395c8
-
Filesize
796KB
MD5f3860605a71940c405274f100019b535
SHA17d9385a4372f329613106256bf99ee8c2ed0dca9
SHA256fb98922b538826bad0c43dc3ee47aa842bcce4be986ca97d6cd01c3111f4b978
SHA512efd67bf9292a69d956329a55cb1e214c10f5a5692f6f251c7c3283cc502a456a21a760123e3b9df6bf379e8b40bb8cbb6d6b6284d8791972fc8d19ce3d5e1464
-
Filesize
625KB
MD5990cb8dc7ea18bb2c1b19e52e6916a03
SHA1456e5023883a0737e9ab8713fb2bc1a23fa374f6
SHA2565d82446b11eadb9183e52d723f462a14061198e79bf3b1486b4c12c0d12363a3
SHA51238d954cc946db65a295413f5470712882c5447c2a0cd88f6c3a95adc2f5c30bbe44a82d121eddc5343d0072b11e0edae4b71482dbd0fef76ae17dcc84a771e25
-
Filesize
12KB
MD5940c0141e7df985f737c453366d97588
SHA15cb9bd15d7886c3bd3f407c38302dc7fe4a79ccd
SHA25660a5456e998635140aff03909be05b3a712fb5dae356fdc8e4377e60e8ab14ae
SHA5124067d2d38627dcda588ae549e555a9d59a353ee555ca6fcb6663ee779449140baa7ad463b9345c2cc9ce3c4e26ec6c6062dcdb8f2cce2b8abfb8e18c311b82a2
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
116KB
MD5057162b3325f44757a0c182b76e79e90
SHA1f1404bb597b1a8979e4cccf554ef7a076ebb8e0b
SHA25610eb53bf324874ab990a792fbe6b025122007a4854a8f575fae5c429b6abb3db
SHA51288e4d737c00f4d44862e48be2067ef14d4d1a78b08340c0421aff98c109aa97922a8d217ebfe554be88ce769348ed7c90fbebe29ef8c30b9944b1caf6bfd4358
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
44KB
-
Filesize
408KB
-
Filesize
404KB
-
Filesize
1024KB
-
Filesize
224KB
-
Filesize
36KB
-
Filesize
224KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.7MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
784KB
-
Filesize
48KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB