Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2024 10:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    204KB

  • MD5

    4a6c5ebd678fce81e4bceea1fac6a476

  • SHA1

    1b42eee9f4534c37e7f674ed0825dcfceca48a66

  • SHA256

    5471697f35a07a9fd686d85d2381e9c5d9c8ea863757e4e4a943ef168775a4c7

  • SHA512

    8ecf2672f538fd778f0f06da81d2dccf0d9e0bdb7b66699f993ad00095046523ccbfba23041fc66a8317274f33324b9ee3c0e1911883f6a976ae969a1843317f

  • SSDEEP

    3072:6mfHB/kLaZdXUNc8iirJiM21K7uthv1ejSbxJ1zRlH91SNBN7RDxaIp+cmH:6mfHiclVPv1wSbx/zRldIxQco

Score
10/10
betabotsmokeloadert100backdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

t100

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4956
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 368
      2⤵
      • Program crash
      PID:4448
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4956 -ip 4956
    1⤵
      PID:1300
    • C:\Users\Admin\AppData\Local\Temp\A5C5.exe
      C:\Users\Admin\AppData\Local\Temp\A5C5.exe
      1⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1140
          3⤵
          • Program crash
          PID:2548
    • C:\Users\Admin\AppData\Local\Temp\B334.exe
      C:\Users\Admin\AppData\Local\Temp\B334.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 1120
        2⤵
        • Program crash
        PID:468
      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2444 -ip 2444
      1⤵
        PID:4888
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5116 -ip 5116
        1⤵
          PID:2188
        • C:\Users\Admin\AppData\Roaming\datbwiv
          C:\Users\Admin\AppData\Roaming\datbwiv
          1⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:2452
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 368
            2⤵
            • Program crash
            PID:4808
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2452 -ip 2452
          1⤵
            PID:3548

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\A5C5.exe
            Filesize

            234KB

            MD5

            fb65176aaaa48877f5e84a1069bc0cdf

            SHA1

            ca34d66993e7eba7ff3c4e48c13429902b25039d

            SHA256

            01dae60bde51c507de728369f44912b4ba57d624e80df78a58c77e4e2887ca8f

            SHA512

            abcae28de3450c973c5998076ea45c6c31c1c8586bdf54feeb00b1a8ef982906a5386acff2f41dede93a73118eb2e6e1e724b8335484032458de93376fdd3f4f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\A5C5.exe
            Filesize

            360KB

            MD5

            80c413180b6bd0dd664adc4e0665b494

            SHA1

            e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

            SHA256

            6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

            SHA512

            347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\B334.exe
            Filesize

            202KB

            MD5

            8b8f061150f2d795060d779462dab608

            SHA1

            7111bb39b63d6b143d2cb0722f57084bd4709a57

            SHA256

            cb2f260412743b43ae4609976fcd6644e2d1c14c54c31853811a93bc77e8f5f1

            SHA512

            4a4fb0ef839f61f21d2bd8c97ab8db433458b553ddbdfb92aca0aa9d8f2f2a2943520c33a4060404ed02639cbfda43687466efbda7729101bc3c33c88440b88e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\B334.exe
            Filesize

            319KB

            MD5

            586c25330315254e5548c0d150a5922d

            SHA1

            8d9c139f794be82e34708d3d65900e702f3b1f8d

            SHA256

            dca8fe75f533fa0097c0e477bdf9f8bce0a75277104da265195944a3a1ddd85c

            SHA512

            4e965ed311b626e460eed1a24932aaabc8d2ec27a44868ecf22fc703d5be1bc4f62a57734f428aff5db724220943ef745076a7615fb22babed939eaf32bd7f2b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
            Filesize

            409KB

            MD5

            8e0596d6b2bf80eaf2b22942d518839d

            SHA1

            cced7a8413d8778da6d5e7dddca553f8c01a4732

            SHA256

            12c2e3005affd105928857c90bce2d356d2f337ba1cf6e293d52264c09a6c3c8

            SHA512

            03cc16f508b3e432d8ddb20298b9545f5ce05d180fde8516525706928a768ebc40a75cbfdbb5eff54f94fe6ecc555d9509349cccd55e55c7aae7147091b4c48e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
            Filesize

            169KB

            MD5

            8bfe6d3e5ebf2af241adce4eb345238d

            SHA1

            83356327874a7946d8e780a6e10873e3361034d4

            SHA256

            419b39d82736858a1b5814cccf74959a410533bfd47f8bfd68962b33d8129be0

            SHA512

            6be7676b66fd9411d13a7049254c09957b97692d1cd9f5fc662a9adb7d5bf9cfffe331e003133b52dde93924722eafec5dae9040081d2172cbc1c286553b0851

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
            Filesize

            137KB

            MD5

            ef4161ebc7b4bab6eb0e27b73db4e1da

            SHA1

            48587cced922302fb763ea41ea22572ddd7716fa

            SHA256

            806d686ecf2fecb6ed1f350b1762aca47b823f057081f08596ebb779a560b6fe

            SHA512

            ff56d0e83df842561697c060540105798b2b44a391d58d1d61395716ed6ea1569abc7a13f079e89d8f5c0ec24c3c15e8d869be17b94b65e13ea31487c22155ab

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\lib.dll
            Filesize

            143KB

            MD5

            ac9fbd53309898dc50b8a1167a891f96

            SHA1

            92fc6bc6223cf2eea589be8109b984b888f4b36a

            SHA256

            adc17e179a4c8e5b076b2dc6bdf9327578d36e5ed85193d600382d0f31f54100

            SHA512

            76923cf97ef2750ac1fd89c31c91716fa38359349400425e1bc39eb0d8280e7f0aa3b83926a45a6afb16b3cd5dc068dede3c96aa6041f2c92b1d740515dee948

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsyB4F9.tmp\System.dll
            Filesize

            12KB

            MD5

            dd87a973e01c5d9f8e0fcc81a0af7c7a

            SHA1

            c9206ced48d1e5bc648b1d0f54cccc18bf643a14

            SHA256

            7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

            SHA512

            4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

            Download Submit

          • C:\Users\Admin\AppData\Roaming\datbwiv
            Filesize

            204KB

            MD5

            4a6c5ebd678fce81e4bceea1fac6a476

            SHA1

            1b42eee9f4534c37e7f674ed0825dcfceca48a66

            SHA256

            5471697f35a07a9fd686d85d2381e9c5d9c8ea863757e4e4a943ef168775a4c7

            SHA512

            8ecf2672f538fd778f0f06da81d2dccf0d9e0bdb7b66699f993ad00095046523ccbfba23041fc66a8317274f33324b9ee3c0e1911883f6a976ae969a1843317f

            Download Submit

          • memory/2444-61-0x00000000007A0000-0x0000000000D36000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2444-40-0x0000000003520000-0x00000000035E4000-memory.dmp

            Filesize

            784KB

            Download

          • memory/2444-42-0x0000000077263000-0x0000000077264000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2444-41-0x0000000003520000-0x00000000035E4000-memory.dmp

            Filesize

            784KB

            Download

          • memory/2444-39-0x00000000007A0000-0x0000000000D36000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2452-70-0x0000000000440000-0x0000000000540000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2452-71-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

            Download

          • memory/2452-75-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

            Download

          • memory/2860-17-0x00000000005D0000-0x00000000005DD000-memory.dmp

            Filesize

            52KB

            Download

          • memory/2860-22-0x00000000027F0000-0x00000000027FC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2860-32-0x00000000022E0000-0x0000000002346000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2860-16-0x00000000022E0000-0x0000000002346000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2860-14-0x0000000000010000-0x000000000006D000-memory.dmp

            Filesize

            372KB

            Download

          • memory/2860-18-0x0000000077294000-0x0000000077295000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2860-19-0x00000000022E0000-0x0000000002346000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2860-23-0x00000000022E0000-0x0000000002346000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2860-21-0x0000000000A60000-0x0000000000A61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3404-72-0x0000000001130000-0x0000000001146000-memory.dmp

            Filesize

            88KB

            Download

          • memory/3404-4-0x0000000001170000-0x0000000001186000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4956-7-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

            Download

          • memory/4956-2-0x00000000007A0000-0x00000000007A9000-memory.dmp

            Filesize

            36KB

            Download

          • memory/4956-3-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

            Download

          • memory/4956-1-0x00000000007E0000-0x00000000008E0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/5116-24-0x0000000000240000-0x0000000000674000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/5116-62-0x0000000000A00000-0x0000000000AC4000-memory.dmp

            Filesize

            784KB

            Download

          • memory/5116-66-0x0000000000A00000-0x0000000000AC4000-memory.dmp

            Filesize

            784KB

            Download

          • memory/5116-65-0x0000000000240000-0x0000000000673000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/5116-63-0x0000000004210000-0x0000000004212000-memory.dmp

            Filesize

            8KB

            Download

          • memory/5116-30-0x0000000000A00000-0x0000000000AC4000-memory.dmp

            Filesize

            784KB

            Download

          • memory/5116-26-0x0000000000240000-0x0000000000674000-memory.dmp

            Filesize

            4.2MB

            Download

          • memory/5116-28-0x0000000000A00000-0x0000000000AC4000-memory.dmp

            Filesize

            784KB

            Download

          • memory/5116-27-0x0000000000A00000-0x0000000000AC4000-memory.dmp

            Filesize

            784KB

            Download

          • memory/5116-33-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

            Filesize

            4KB

            Download