Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
16-01-2024 03:52
General
-
Target
d9077796101f063d05d1b18ef03639d8.exe
-
Size
203KB
-
MD5
d9077796101f063d05d1b18ef03639d8
-
SHA1
035d12383b9bcdbba8393fa643a375a19cbab559
-
SHA256
17d15c3e994b704c8b11393ee9e83dc7ecc3cdfd981820501beaf98c6e34cc94
-
SHA512
c79350993ced4a8e18b071e866a69b664143e35c5f6704afe4ff5f70437522d90722b29f0fd9bf6c66ddd331c5ebc65378915a3de062fd26ae213fbb252ac2ad
-
SSDEEP
3072:pfUB/bLaZdXUNc8iirJiM21K7uLX6Qn+62oM42fL4iBNkRDxs+cmH:pfUVclVrXpbGEx7co
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d9077796101f063d05d1b18ef03639d8.exe"C:\Users\Admin\AppData\Local\Temp\d9077796101f063d05d1b18ef03639d8.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\9ECF.exeC:\Users\Admin\AppData\Local\Temp\9ECF.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iwaa51qmkms3u_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\IWAA51~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\A7E4.exeC:\Users\Admin\AppData\Local\Temp\A7E4.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
371KB
MD511f60ae3e73be4e9ae7c1778cae7933e
SHA1cc3e1de92339b039215a5d8c3cf01db41502b2b9
SHA25605e06b7ac0fdbef4afd778dcf11b34bb4521e88f4849f1b1182f016d9441e910
SHA512fded8ffde6fb5bf4eac0f5c36f543f82b8582ab73611a29da5eda8899f1e3b9a85ad1770d85e489b0d773a5282b647224ce3f90464bca17f54fb18b84b8ba3b2
-
Filesize
320KB
MD5a89c8d227a541de4227f839646244132
SHA114d0a8d50c664c3ce18a94fd7ba61d8691223442
SHA2563ddcfc4ea5bab122987f32f19d8e2c6e78833acbc0ac3626c5523bcd1fee10b6
SHA5122aac45c9ddea6b6701f67ea787495d46c93c127089a03482323158d724e779850650e188ae0bd61d898f21804b142fedebffc55818136a7a3f4b156423eee2fe
-
Filesize
229KB
MD573555577b5583f1b489da8f5fce2eda1
SHA10afadc286352067c3a4ec269efb5bc0e86745b2b
SHA256d4e8e183d96d7ffbb8046253227c9f98e61d7abbf390f5e63f7dc4a3fc2ecbc8
SHA5128c392eeeb2be3fbb20cdb56791421d7054086dcc163fd189c54bdf6e6a4b217cffe3b6c36a4deeea3bf010d651edbabb45cc086ba514ca86b578f062aee5d8bd
-
Filesize
1KB
MD574abeca6c738f2ff3555461c1c618ea8
SHA144920576a89ed34a67d65976538fd4bd1465e502
SHA256d86f24b7cd9a5ff217739e5604f21c44d28d160e665bfd9c053591faec687124
SHA512ba7d8bbef8648104ba1651d1d8cbf80e768133350e665462c302fab7b594b305edcff810e88fd366b2fcbf31332ba0772e265c9322f1436f7a173b10fbc26c84
-
Filesize
203KB
MD5d9077796101f063d05d1b18ef03639d8
SHA1035d12383b9bcdbba8393fa643a375a19cbab559
SHA25617d15c3e994b704c8b11393ee9e83dc7ecc3cdfd981820501beaf98c6e34cc94
SHA512c79350993ced4a8e18b071e866a69b664143e35c5f6704afe4ff5f70437522d90722b29f0fd9bf6c66ddd331c5ebc65378915a3de062fd26ae213fbb252ac2ad
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
372KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
44KB
-
Filesize
408KB
-
Filesize
404KB
-
Filesize
44KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
224KB
-
Filesize
36KB
-
Filesize
224KB
-
Filesize
1024KB