Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
15-01-2024 11:53
General
-
Target
f053a903e0bbf05e985dea741187cfeb.exe
-
Size
255KB
-
MD5
f053a903e0bbf05e985dea741187cfeb
-
SHA1
e3a46ce6cbadd862373747054221322dff05d7f5
-
SHA256
d0cb3e1d35598d959dd03c288f0f55bc0e2368ca1172948a2bc4b7b1b848d11c
-
SHA512
9be6ffb348f60f40c290bd54136c5affdfaf57ea201547a5875fd12da01c097c4b610b530b181e5d77e445e827731a61e254a80f5dd1c07911ab3d74bb1a3568
-
SSDEEP
6144:dwLrDSWMZF53kVdVIZBrsv2WRTQs76BVs:mzI3ksBrs76
Malware Config
Extracted
smokeloader
t200
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f053a903e0bbf05e985dea741187cfeb.exe"C:\Users\Admin\AppData\Local\Temp\f053a903e0bbf05e985dea741187cfeb.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 3682⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3220 -ip 32201⤵
-
C:\Users\Admin\AppData\Local\Temp\C6DA.exeC:\Users\Admin\AppData\Local\Temp\C6DA.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 11283⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\CBCD.exeC:\Users\Admin\AppData\Local\Temp\CBCD.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2756 -ip 27561⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
534KB
MD5a1a3df0417d08ead8a19867a0a0434dd
SHA17eadf6a872afbe9de20d79a4ab7e4c5a133e2ae8
SHA2565c382d768811f16e7124cc20c89411fa5d6059e07dc9c1918df5035a6df3d9f7
SHA512a727111cb88a8747d901a6cb63ab6ce0a365fa5be84bfc0f0768b9079dac0b31679363a4f75e6dd9b7146fbf362450b1f0240a973a71d03b920e1a75ecec9a08
-
Filesize
206KB
MD50efe3d0c40da7e1da3f162988c262676
SHA109652afb64fc477e99bc4f2caf687a7d33c9f86c
SHA256a7bd231949a2631b90042651ef9e9298ad62fe1c4454446077601234f9941a7c
SHA512847a27ccee6a4afc24c1bea8b54afd1c3e85b90f8f98192c06f09d31901571e24ce1945f62ee484c7af089600c3db653371651db293d7dda973c4bcd9da4783d
-
Filesize
35KB
MD53e1558788ba7dd824db596cb08c499b4
SHA175eae7cabcae1af7a796e19bb81b90ec22c73c07
SHA256d3dca03783cedc3c83cfab12d4007f114f611d76b056ca5bfd2c1a01a86eed81
SHA512cbd07b2e4f34b6c2f3b38eb216f40196e2ec6455205834f996981ff06e83b585ccedf68d508cc0577fec07687acc87098af808c1f886b950a2713a0c611d2d63
-
Filesize
557KB
MD585bd826b72088f5c0ad86d8a2bc83c41
SHA1b98fce735b359bd87cb705f50b541748c42843fe
SHA2567d3723bad33058f725a3cad6a5b3ef91e296f864a23fdb7158e42cbe623ec9fd
SHA5125fd50ebbb4a04b09fc44776f7590db734dcdc4bf1aa4e433ff743923316fc3aa593dfbc8f21a4a70fe1804e745e9005f4838b058c40bcff63fa0cadf305587f0
-
Filesize
734KB
MD567f9acfde323c38f7569c7f1e125fb9b
SHA1ae411876f0f4fe2449cff4574cbd8a344d3fe3ef
SHA256b13151f1967c8dca115ffaa130947820643b340d83a71f366b430577df39c33c
SHA512bebee6963f19b0baff423180f71be34240049e3d8cac10677f12e5b12e958e8043119b13911f2ab94aa8ba72b142810551ce54b5458e4fb3340c9021196a90c0
-
Filesize
481KB
MD53394e101ad6011208c1923291dfce99e
SHA1ade78fac1ddc8561edaa9d31557b97e0b55ac6ea
SHA256b3d8b8b187f00816d8089682ddd43612475e7826c8cc93ef177cfe2984e87e1b
SHA512d2e30f31c5ac00b35261ffdc7f854b76acd9a890b325695159a13a84666a639dea95a999135ff03993ea7da568b97e05d7fb32ba61e24bf32557c0e8388f3d82
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
8KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
88KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
4KB