Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
16-01-2024 07:00
General
-
Target
4d7e2a4ab9f09783e56841978e10cb46.exe
-
Size
229KB
-
MD5
4d7e2a4ab9f09783e56841978e10cb46
-
SHA1
ce52a86b7e843859f3284954d82ca239fe7e5eaf
-
SHA256
63719285660c135f9b71eecf5e5da4a4684471b9041dd36d6ee8b7aede2922db
-
SHA512
6d59e96fe4bc517a9696cb59c215fe6ddbb3f9f122e6f4586b764b4321055c2dc5c69a4a9d851ac7028bebe15dc5d20989bac8f6d4aefffaa2a521fc4d7dd7ea
-
SSDEEP
3072:znqLS1HySqzJLBdUSJiA/1KvZY4O74WpsvxaEZEkVWRG1XRTNZ/9rkWgl+J:znwFBB74qExaeEAjNZlrk
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4d7e2a4ab9f09783e56841978e10cb46.exe"C:\Users\Admin\AppData\Local\Temp\4d7e2a4ab9f09783e56841978e10cb46.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\959B.exeC:\Users\Admin\AppData\Local\Temp\959B.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\s1coa9aay_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\S1COA9~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9D69.exeC:\Users\Admin\AppData\Local\Temp\9D69.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
251KB
MD589c3ac288dfebc81a60b567a24345c7f
SHA1c7fc28c59e3215dd1bda381cff6dcac0108ebe01
SHA25607cdbb2aaf117e78da363057281077d35b54b4ea173be2b69a315aea36dc6d5a
SHA512630cb2a02f1fbfbbc34111d0ad141d2c6a9c15d4f4581603c7f6ce15b2fececf44c84b0be731db737fdbcaff8a10e47574b7a88e39cf962a7f38f377c800b43c
-
Filesize
162KB
MD5357b075e6afc9cbbbe63d489b58d1eee
SHA101cc2452ff64a265c08e67eb9ad82791507f2bc0
SHA2564044ea638f5e7fd1cfb490abc47b1ac11a0ffc0df20afaf01a8d933ba78ab26d
SHA512b8130ddc73e6d1524958eb7c862a84fcc7f8d2920bd6952c2f018d7fc34ddec777d24a4c65ac8a181a259bb91f0e29fbeecf78f238a195280d9a3d8abb9039cc
-
Filesize
119KB
MD568bb0c111e6fbb5feaa9e979575e3903
SHA128d386f91459a5f927202de4a719a969bea39be6
SHA256f7f7df2c9735e9b9ec84d9e021c1d748ecdba591e5ce1aaafc6141896d8a5a18
SHA512e8a743de4d3607efe7b12c362b0d3ac06640fa62b210fbdeedd83ca352dd556827386f4751dcf9314cb99741a2af1e9a759b6bc0cd6ca42017de77b7f3fba004
-
Filesize
121KB
MD5d35e77cafe737dbf2f40991bcf6946ba
SHA13ffc4a286c844c6ecfc8ddcc155e623d68079c78
SHA2563474c2e8b75ee041b28ee97eefe17300668a51bf857b96acd5412f0b9c359e45
SHA512afed655f5811296876bf852fcc639a42e4f37a17052a2bb138783ccb4637e9cc6967ebe8cfee706134078a075ee38e4b07e3afcb9d8be73aec2a2c0aaeadf7d7
-
Filesize
290KB
MD50100776a79564b331a4250301920c6a5
SHA1629471aae3bd441543757b596e374eecb7123d43
SHA25654bbb080d2aa8736ec3b767ba9f7f0ddbdf2373ce864ae84af8425629a2a206d
SHA512fdaf1819c7cdcc1ae40439edd30a0ccfe38e17f8bf0bfc0b038465113148218ad505a6020b49302ade6eb636cb60a8e4c241ecee349bd9f7335670cf8f3645cd
-
Filesize
229KB
MD54d7e2a4ab9f09783e56841978e10cb46
SHA1ce52a86b7e843859f3284954d82ca239fe7e5eaf
SHA25663719285660c135f9b71eecf5e5da4a4684471b9041dd36d6ee8b7aede2922db
SHA5126d59e96fe4bc517a9696cb59c215fe6ddbb3f9f122e6f4586b764b4321055c2dc5c69a4a9d851ac7028bebe15dc5d20989bac8f6d4aefffaa2a521fc4d7dd7ea
-
Filesize
189KB
MD5baccac0112446622f647dddce1951cd4
SHA10a2d19c98c23bc5048b35d8200b93d475938041d
SHA256e422befca60744590ba7c928b1f696d97d2092ff11abd3a258e41717e0426245
SHA5129c134f28e1cb79579a1f85166aeeb1067e8310e953adf31ff3bc29d6e8a1837a7ab38c1f503c115a0404a744e17efc07d48b125dc7955e7e521469e59809b161
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
248KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
248KB
-
Filesize
408KB
-
Filesize
44KB
-
Filesize
404KB
-
Filesize
408KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
4KB