Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
16-01-2024 06:57
General
-
Target
4d7e2a4ab9f09783e56841978e10cb46.exe
-
Size
229KB
-
MD5
4d7e2a4ab9f09783e56841978e10cb46
-
SHA1
ce52a86b7e843859f3284954d82ca239fe7e5eaf
-
SHA256
63719285660c135f9b71eecf5e5da4a4684471b9041dd36d6ee8b7aede2922db
-
SHA512
6d59e96fe4bc517a9696cb59c215fe6ddbb3f9f122e6f4586b764b4321055c2dc5c69a4a9d851ac7028bebe15dc5d20989bac8f6d4aefffaa2a521fc4d7dd7ea
-
SSDEEP
3072:znqLS1HySqzJLBdUSJiA/1KvZY4O74WpsvxaEZEkVWRG1XRTNZ/9rkWgl+J:znwFBB74qExaeEAjNZlrk
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d7e2a4ab9f09783e56841978e10cb46.exe"C:\Users\Admin\AppData\Local\Temp\4d7e2a4ab9f09783e56841978e10cb46.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 3682⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3744 -ip 37441⤵
-
C:\Users\Admin\AppData\Local\Temp\A2C8.exeC:\Users\Admin\AppData\Local\Temp\A2C8.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 11403⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\A6FF.exeC:\Users\Admin\AppData\Local\Temp\A6FF.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3324 -ip 33241⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
185KB
MD545ca463aea4e1aee0a8ab3eaba1ae9fb
SHA1ca1c9fe5beb44728d7ea7416aef28c1a352ba82d
SHA256e2e7987f3555801b55e5273db6d6acdc521b40f12c5b1fe1e97751e61a11884d
SHA5127c72014998eccd5c9032f7105d202d592bdd0555f63e1feb8b3b4e841ae3bc7baf2a5f370f47ae11973a6ac53de5e4651519a0bcc8eae6c14dbc86a89ed92121
-
Filesize
176KB
MD5893e1085b7f35449e812ff669bc2c376
SHA193bd76a9e8a79eced63d4d2db519b2eafcdb78c4
SHA256f10f51f44ba53c69968bdbb21fbb8d11496fbe5bd0c47094a69a4db38eb07e72
SHA51259dd9026f88f3187742d5a75890cb5634f753df087e516ed02418dc7e028b08233173c1525cff4782c7a898b62aba0bacba05d10f3107928d20d578b9b3608e4
-
Filesize
128KB
MD5a61d881bc01e4062a0dfe5999867d660
SHA199271faf35467f4f4eb34fabbef8b72ffb75dc50
SHA2567bf50e93fd5fdf9a898c6995449419b4fe13cccd75336c2565c7062e6d14d123
SHA512486734b310063ceb768340e37428eeef0541c485a477b72cc58f2f623b5f126c6ec0253086a8f7438e013c05cc846f22e0464eedfd7cef5ad29eb2829f7c0005
-
Filesize
69KB
MD5103b71c499e1717f88bee53b4150ceea
SHA18e5464cedfd13766067a0a5b1ac72cf4b842ff7e
SHA256fe99ddc355b2d8ae7c6dde1fde6fb2c8766db0bce0f025f54df99c5b0295dc72
SHA512db9cc1f9c0234ef5fb903003f77b2daa922130f1298a9f3a161b616f0922dd700d8a0a9d413dadecc75351ba1f3449263e69cb60204121eba794a5e20bc32bb5
-
Filesize
8KB
MD52f99b1dd42880842ad975d080c012711
SHA1e4948d944a564a52880a64ec6dd5d4aa48621fe7
SHA256be3dd4375479a1a2461d5391be742f1c0c69542238ec142e8ff89b4b9f92a2c4
SHA512eaab490eaea19affe82070dcfcbed04b9e98aef5a421e1a82c99964165929058f38c29792bfff2978688b1761770aed11d8be336c5e7a17717eb4f170ab9765e
-
Filesize
43KB
MD5b1426b56371e625f63e7bf64c5419e0e
SHA119cd0e50f8c92bd6067dcf4a6a87412b65463983
SHA256835b9cbc5acd23df3fd3ec27a0623d5c6c904eeb1a7140d1191a8ad314120618
SHA512fe25a30fe4d5b1c2fbfa095315407043c7a5a5270432ebf96f67cf825eae7f10f20bb305a57f88f137628f6dad84b01361193650f7d3fc8daaa75af2b0dfb725
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
248KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
248KB
-
Filesize
5.6MB
-
Filesize
5.6MB