Analysis
-
max time kernel
155s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
16-01-2024 22:28
General
-
Target
6108a95e50db1fa3a44f8bf63673e8db.exe
-
Size
273KB
-
MD5
6108a95e50db1fa3a44f8bf63673e8db
-
SHA1
6fad762a7be367571ea8b23bc10ff5ca87ce07c6
-
SHA256
1ff7dd12f75692a1807c6c9b321615c00639cdeff0ea087751fb8d116ae09200
-
SHA512
0c2e2ba3a4a7e1cf929417b2b9d0f10beba66498a06b29c2190b3be960277dffea63f129209d8ff08f2205da7c5c020497a696d7f7cf30c652feb8013fbb84c1
-
SSDEEP
6144:Pf3JE8LYFX8H5vSqTZUJ61gYw+Y3adQ5/aTCdH1+:XJHQX8H5NTZUJ6JwR3v5/amA
Malware Config
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted
gozi
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6108a95e50db1fa3a44f8bf63673e8db.exe"C:\Users\Admin\AppData\Local\Temp\6108a95e50db1fa3a44f8bf63673e8db.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\4F82.exeC:\Users\Admin\AppData\Local\Temp\4F82.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 11403⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\5A61.exeC:\Users\Admin\AppData\Local\Temp\5A61.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1960 -ip 19601⤵
-
C:\Users\Admin\AppData\Roaming\hjbccaiC:\Users\Admin\AppData\Roaming\hjbccai1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD50c819dd27a128d9234daa3d772fb8c20
SHA1d5d36492818872da8e70dc28cc85389b8e0f3819
SHA256ae088798b181a2bf822fcd3bec3a11779f45a8e3b83cb6c75c5ffbffc3c3d5b2
SHA512f502ddb79703297cf0592e68c3f1f964584725d7aa670272998f174ffa108bb7340c0d65d38d69e1b3f7f1217628dadda108fa2d5fe1eab73b7b3302b9f769b7
-
Filesize
6.8MB
MD56c764b44fa70a6278585d73aa9628e92
SHA1164cb720560831360e3387b49ce30661af5e00db
SHA25670855a2ce47a41d098654191f371425f5cbe5ef427808672c8e9adbde9b921d8
SHA512a9ce70f566a020759e1bc37f9bf704f88443fbb0b6a552e62ca4db0fee1c80caebec98bdaf037cd8eed89fe70646040335bb6ad36d38dacbdbe62c0f4a00fead
-
Filesize
2.2MB
MD50badb0e573d95db49ac23c11163d9386
SHA1d86dd20e4498ba5576272df07cd71dd9ed40bf8d
SHA2565ebb608342d1306743d1ab56bb587b00d7e14737f5af48be3fa738a98cf29668
SHA512a83d397fdcf2b749aac8f1db38a991b06a70c58d21c84d09cd8a732ee744287e7d7d58edeb817006b6ee245ed313993a3280aea32fd4c5a079b4f960ab35eff8
-
Filesize
1.9MB
MD54c2fd0a3d7758a208af0d49f075eb4b3
SHA1e8187147b0c6f87043f8bb3432952bda093e8531
SHA256776841464363f65094e1f37610b508a674407ef2278be780b7ce946f73dd0fb4
SHA512c8609480d2cbaf783ba9c933e1fca1f5f9844f0ab75dff0daf1a76dc6c9702f17e8d8bbabdb58a249eeea55bcf5e2fa72c00f06ba2285b42564a02599f007fbf
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
273KB
MD56108a95e50db1fa3a44f8bf63673e8db
SHA16fad762a7be367571ea8b23bc10ff5ca87ce07c6
SHA2561ff7dd12f75692a1807c6c9b321615c00639cdeff0ea087751fb8d116ae09200
SHA5120c2e2ba3a4a7e1cf929417b2b9d0f10beba66498a06b29c2190b3be960277dffea63f129209d8ff08f2205da7c5c020497a696d7f7cf30c652feb8013fbb84c1
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
1024KB
-
Filesize
31.7MB
-
Filesize
31.7MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
52KB
-
Filesize
4.2MB
-
Filesize
8KB
-
Filesize
784KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
6.8MB
-
Filesize
6.8MB
-
Filesize
31.7MB
-
Filesize
36KB
-
Filesize
31.7MB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
31.7MB