Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
16-01-2024 03:52
General
-
Target
d9077796101f063d05d1b18ef03639d8.exe
-
Size
203KB
-
MD5
d9077796101f063d05d1b18ef03639d8
-
SHA1
035d12383b9bcdbba8393fa643a375a19cbab559
-
SHA256
17d15c3e994b704c8b11393ee9e83dc7ecc3cdfd981820501beaf98c6e34cc94
-
SHA512
c79350993ced4a8e18b071e866a69b664143e35c5f6704afe4ff5f70437522d90722b29f0fd9bf6c66ddd331c5ebc65378915a3de062fd26ae213fbb252ac2ad
-
SSDEEP
3072:pfUB/bLaZdXUNc8iirJiM21K7uLX6Qn+62oM42fL4iBNkRDxs+cmH:pfUVclVrXpbGEx7co
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9077796101f063d05d1b18ef03639d8.exe"C:\Users\Admin\AppData\Local\Temp\d9077796101f063d05d1b18ef03639d8.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C14C.exeC:\Users\Admin\AppData\Local\Temp\C14C.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 10683⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\C797.exeC:\Users\Admin\AppData\Local\Temp\C797.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1496 -ip 14961⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
321KB
MD51125b315c69626788696e6a03491ceb4
SHA11252d5bea1ba7951d15ae7c0cda23abbddf2c00f
SHA256eada560ce6a0074853fdcd046268288b115a8a101c515853ba6bcc0eb40f1e95
SHA5129200acb31d1674c3ae526b2e35dd460280f4480ccbaea071b012f38efd0612e35a5cbaae9e4a960fd5cba7ed183b17a075e24fc2de0475224491433b6410071b
-
Filesize
331KB
MD5f6660e3807506efbb60709e849fdd00a
SHA1bf0c0c1cd9f89ecc584738f29b65222bc495e1cd
SHA256aa17e3feb34a29f711d3907917649327e29c567877b715a969712414cecf8fe2
SHA5122fbefd6e928869443297ceef6ea6fce7bf90e6494cc7a02f1a87aa60efaec93009ab3a3dc9dfb171bb2bd4535c20be1a5664960c9d2fcc6e033e533c55ef6ad7
-
Filesize
357KB
MD5b38682f7d14298951724ad37229b75a2
SHA13803cfa85e8f027f4193668620f0227b3f6a06f9
SHA256ae99e7d9e46b443175615e2169ff67a5964cdc8a739a26bc5a9391c54fec9604
SHA512ec5d110c537e9373266112aa47d1b35eccf7dd8baab150c2d65ad1e03403cb985705b3e14d83ed829e3865a120bb5a9a3199e2509a208212414b3c615a58c02c
-
Filesize
583KB
MD51d190dcdbbcebe1d7959ba345f116eef
SHA1dcb51182488d978f048d09f168b15931e54ffeee
SHA256d74120bd344966d0cd1ec643db449321cc92e3cebe0a38eb703993a5019a2530
SHA51230270109fbb337a645939f5c7a1e0f6bd75737b6a3c91c7646ac92188a288060f4970babeed4530ac9bef0c406ca1a2790b9c972d5fc6893f1f6aeacf44bdb85
-
Filesize
160KB
MD5f987c82e7de9089152b51acdd8fceb16
SHA164a28795019ca8b5c347f76784531167cf40f830
SHA256d4750f6fcc8af45836f12ef1ead2dce78a8a2d0c2384d9b9761908eaa377d92a
SHA512adbab6a60306f6d64e276a1d823258ca8eb3fc441c1839ed9d713a4ad88e50afe89cd32f24ac052d90d10de1f86b6a344b6ae6725c969187b86662e12b6cdcbd
-
Filesize
151KB
MD5dc3beb842d706fa841c702a250334c7e
SHA10d73448720876fee0d220bc4696ef45cea607465
SHA25688a2ad58659c9a488a62b4792014bae1803eae5f53ba68f671d78a672c475a32
SHA5123b3455425f7b5673cd61fd88e240b8b579a74b7d46db85334101c73137e710cb187ed616774c613b83b851332005cd6be669e7b7b2035577aa5a4c277d480bfc
-
Filesize
205KB
MD503f2efb9d110c7fe400c930ad96e9987
SHA19cb13d2ef3c8ea1d66281cd3f0910817882dc801
SHA2561ce3e971819f9fc217350aa69ae08ba391d5b8e5f4c0c480ab4e21c91dd77fd2
SHA512567c7e520902a2416fa800a710d3a2f3b6645edc5eceac5ab7cd98eef6b415416e216fe9ce3c0650e4649e7a0c9784483c39be5d26e725b7202511c7e0973bf7
-
Filesize
17KB
MD5d86e666a6cec7c9cd722083348b5b263
SHA1bc43e5aeeb20547401d6fe8b3229dc055e82c750
SHA25697f4616493612bffe90d01e1a78985cadbb8cdc20747cea6a0d37cf240bda12c
SHA512962a8ae930ecd468cafae63ff4d4451a36ef4208164bc9f65a6a2449317a371c9f07fe31af16b68b55a1b4f6d02e7de221c33d2e5a616cf0575d2099020a1d4d
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
36KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
8KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
88KB
-
Filesize
7.1MB
-
Filesize
7.1MB