Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
15-01-2024 11:54
General
-
Target
f053a903e0bbf05e985dea741187cfeb.exe
-
Size
255KB
-
MD5
f053a903e0bbf05e985dea741187cfeb
-
SHA1
e3a46ce6cbadd862373747054221322dff05d7f5
-
SHA256
d0cb3e1d35598d959dd03c288f0f55bc0e2368ca1172948a2bc4b7b1b848d11c
-
SHA512
9be6ffb348f60f40c290bd54136c5affdfaf57ea201547a5875fd12da01c097c4b610b530b181e5d77e445e827731a61e254a80f5dd1c07911ab3d74bb1a3568
-
SSDEEP
6144:dwLrDSWMZF53kVdVIZBrsv2WRTQs76BVs:mzI3ksBrs76
Malware Config
Extracted
smokeloader
t200
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f053a903e0bbf05e985dea741187cfeb.exe"C:\Users\Admin\AppData\Local\Temp\f053a903e0bbf05e985dea741187cfeb.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 3722⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4008 -ip 40081⤵
-
C:\Users\Admin\AppData\Local\Temp\C227.exeC:\Users\Admin\AppData\Local\Temp\C227.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 11483⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\C600.exeC:\Users\Admin\AppData\Local\Temp\C600.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1228 -ip 12281⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
182KB
MD5f13705ab4dfea68d2f2a87b29e4b2d54
SHA1ba394042e5e8cdc7aa929378a454ce13a4960b79
SHA25631f88fbf7c3bdf5056cb4c5873ac88d28b2cfc1620fc7804f94d714fd0749cf8
SHA512fc8382c5ef7f4636802d8426a154f447ae4c0bd4af518ddbb5d591ac9b6ab895790bed03d6528f19fe9543f9f64e4531b0eba0c56060bd0cb6264175aada7453
-
Filesize
179KB
MD59d407c05d7ff07b5986c37daa6e8af94
SHA18c8712f198255af33ada82cbf9d2d9c79f90e9fd
SHA2564999ca419c50727823af86b54ae7263b4004c7167f5159ca76c2cdd71732dc8f
SHA512a8fdd01c18ec016da8816587a19f86b248fa5d278bc2a2ddeb9fe598305a70155a00281273f182b7fdb85b5ca3e9c4e5f9b9f7c2045ba40d8a0069d2c259b63f
-
Filesize
75KB
MD5092efc48b297bcf5bb8edc8b8552ade8
SHA1bddee58b123c9821a5867ef825e1adceb3286fe5
SHA25668585d6040fa7cbbc73ab0df732b29d2ec64b306fd0a7cc1e24923f6792db164
SHA512cd593ad6c84318f2ea6099e4f0c4e617205e41288090acccf7b2658a3af7d0d653a2194a85148f4421da9310706f3649240d961b7828cf49f932af323a2b6adf
-
Filesize
71KB
MD54ecc7a93b1a5f8ad6ba20d46fb7dca0f
SHA1cecf92f381466b2bd8487624809ebedcaec0a8dc
SHA256d3c6e0638c4c9777d79f788eddbc4815f5dea3f5b4940801481ad56ce0bbab8c
SHA51242e60e19112db539e500b3b8e4224d9c07037d865ce62f61072688ea4ddff9f2f1100700dbe87efc7ddbf682d8b075210e410a373274bb12c66d71b7d37db066
-
Filesize
1KB
MD58463834b4af83abb6db5a6c60b97ef2b
SHA10d7326b63a3c124b92885673a8208e8c7c212be7
SHA256f406c646cace8f4005b4aa9da51cc4deb18cd7fa78d899a6a4e3372821d1b49f
SHA5120742f96986db265dba3bbd6e7f3d199ab9be8fe25d5c2c5c30aa06d983bf3ec6eddb7864cc78bc3bbebfc768dcb8982becba21f6c3f2c63fa90b217ea197b2d4
-
Filesize
732KB
MD5e467bd3891b6718d1af6aedc4a917414
SHA13bf38e96fdab0f0eaaaa8b35143b11b2550b451a
SHA256dfce4bab025a40598fea38cf0e1037feca282916662176ead3732484bb849862
SHA51267d9ffcf8f5032b8a433fcac7bfb964bcbfa6c2b7180352860e0d0d0744fcb8a0c07b5f13d812af3b842a77f11540a46a4e3c2f48d24478e3138f232b40634bd
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
8KB
-
Filesize
784KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
1024KB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
5.6MB
-
Filesize
5.6MB