Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
15-01-2024 05:35
General
-
Target
toolspub1.exe
-
Size
204KB
-
MD5
1312fc2e043e2347c3de8a9a6907c430
-
SHA1
075a04bc32a70aeedb23ee83842dd32fe691ba58
-
SHA256
4b3f4607405154b8182848324699427778605dd52afabaff7a0fd542a4bc9212
-
SHA512
108be06b849ded957240b52b006961f4bb01a9684ac0f2a81d70008f9b3a6cf1c2ee657cfe5ea6f566772735dabbc1c505342f37df6985296ddcebf3e917694f
-
SSDEEP
3072:EkI0nM3Jq/AmlEkJiAj1K/2stqLiP+k9IYBn7Q97fsRLx8yM+cmk:EkICXlETZ2kx7QoxJcL
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 3682⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2500 -ip 25001⤵
-
C:\Users\Admin\AppData\Local\Temp\A112.exeC:\Users\Admin\AppData\Local\Temp\A112.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 11483⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\A5F5.exeC:\Users\Admin\AppData\Local\Temp\A5F5.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2120 -ip 21201⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
453KB
MD56448fc9da28279914ffc316ac3e60c45
SHA16bb0c065d7dc55a4816886ef4a4fd242d505404c
SHA2564ce1ef82235a64de6f9144b2cf0e4cbff121c493ce7d95f5e9048dd876bd8ae6
SHA512ad4de12b017347108d01f09b93d3db8345d3784c367114c4c4251d51d596f77c66e3fca936b8ab214651bc236923e5af66b1f36239eedd70ee037b41edece06d
-
Filesize
369KB
MD543ad5892a4c9b281ecaa613e8f753369
SHA187e55b29f4a344bd5bb483d3b461ef81533a7a37
SHA25657ea3a4f69bbcc94bb3eaf6e12e79f6a919aaff40c1b7bbd86b51c463c4de253
SHA512cbc669072739ce2dc6ae99de65a03a3728d0fcdc81aa5e9d0e2844f7a2ca485cc98d7886f2ac73dad2b9e7ccd6e03a2f188443fe647cee3a9987227af3beced4
-
Filesize
286KB
MD54af35b0561598d254939d55ba8470d81
SHA1b33383b800b19ea27aec132f676fdfcf5fec022f
SHA2562f3a9be351265698a1a5fcfe79e09fe22b9d8e9d48962cc0e5388738480fa6a6
SHA51284e47600b48ed99a2e8225e0fcf3a017bde466c0a93d7e4d644a51ae566d54df9763c1f9c01561979801e1b03056b7e90f079b5d1a83219962fabab731b5276d
-
Filesize
408KB
MD57054ce6ae707bdf4dd40fc2015f4835f
SHA1d2abe76cd65e1e16f6db8912a41832b11a0c7c77
SHA2564dc22904015aabe5d6157c2cbca62ab92e1db053f571ee74340151832e0a0f34
SHA512ee05779225ba2e57920830ad67c0a193b59e8fac13788c2bc7bd6af727f5fc1ba1d0949ee6d7a77352c994f023b8702434c401a8f246eba4061dbf812c5eba3b
-
Filesize
455KB
MD50b971eb37c7460ae2f7f1d3e507cbe3d
SHA1d90b7bd578c674b7422797a735de8e12ffa3a871
SHA25654692e35e90d489b3dee0d2eac736e5a29e66c17a9d8bed0874634b70d34e53a
SHA5129176f6f415e9b58da587ce36d1ae6b69bf9e85620e1dce0fa8e6466cbe662d4313190324511f2c7554b3ff49ef371471be08cd7585496836b2eaf241ea0b64b5
-
Filesize
454KB
MD5b4982e70d588f8ef3cbdb91e78610f3a
SHA12d02617fa92996be2f8eec842897f6d1be661ad3
SHA2566ce6f8e3351229181a9eba07a6b2a648e58d442e2afb712954171b2b129f4d1c
SHA5125ab2e7e5da78337f6d5c5d9c3b28484f6d762cb664b37b22b76d1e3ee3a6ec1a9d7fb0652692e1345fd6bc5991b7892f63a655de11af595e896ffd1d69d3bd47
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
8KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
224KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
224KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
52KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
88KB
-
Filesize
7.1MB
-
Filesize
7.1MB