Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
16-01-2024 07:00
General
-
Target
4d7e2a4ab9f09783e56841978e10cb46.exe
-
Size
229KB
-
MD5
4d7e2a4ab9f09783e56841978e10cb46
-
SHA1
ce52a86b7e843859f3284954d82ca239fe7e5eaf
-
SHA256
63719285660c135f9b71eecf5e5da4a4684471b9041dd36d6ee8b7aede2922db
-
SHA512
6d59e96fe4bc517a9696cb59c215fe6ddbb3f9f122e6f4586b764b4321055c2dc5c69a4a9d851ac7028bebe15dc5d20989bac8f6d4aefffaa2a521fc4d7dd7ea
-
SSDEEP
3072:znqLS1HySqzJLBdUSJiA/1KvZY4O74WpsvxaEZEkVWRG1XRTNZ/9rkWgl+J:znwFBB74qExaeEAjNZlrk
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d7e2a4ab9f09783e56841978e10cb46.exe"C:\Users\Admin\AppData\Local\Temp\4d7e2a4ab9f09783e56841978e10cb46.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 3682⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4948 -ip 49481⤵
-
C:\Users\Admin\AppData\Local\Temp\9BE2.exeC:\Users\Admin\AppData\Local\Temp\9BE2.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 10723⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\A0E4.exeC:\Users\Admin\AppData\Local\Temp\A0E4.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2028 -ip 20281⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
176KB
MD5f6e2056c53eb1db77bfbe5aae34441c0
SHA17e04d5cc3c2539b15ef0fd4679ace55e93c2e4bd
SHA256a69df6375d00d117d033acc2c71f5d69383742f958e668de8ed3b50185b5c6e4
SHA5127475bae22a2bdd919ee2f515f77d01557a9c7b084e3f0c040c46cab57ce1e3b1b6b791720945caaae92c2396bf8ef2a1f47178fbe7f795ec7183c19b39aa5a8c
-
Filesize
136KB
MD5c3d0d513c44161ef1c4d724714afc85c
SHA1b1be7e991732ae29d3a97b4b4e38abb7e143c28b
SHA25684bd22865d0eef56ab0317f5da8bfa1ba8fba23f2c1005f08cb3b4076bb8906c
SHA51251274a06874ee1830df53498a2f6b4bb371ac7f5e09ae2ba2ec1ceca6fffa331b0d6b467408956bc877108a64756920e1658ebc57819694ad7bab39663feea47
-
Filesize
141KB
MD5b977361b97937973ec04b79f54e5b4ed
SHA13310abe696aae32d722c64025aa8c96a8ac46fbf
SHA2565732de5b9d4aa76e7947db5262c5a7d4da231f2e1912e7d21b12401d550c290c
SHA5121b0c382d3bb0ad88cfec7e08c29764628bcfa50864ea0908ded281f1d43a4cd4f2621c202abd6f44d8ef674fca22f85e875a2f151d3649c52374e1332e8ab86a
-
Filesize
92KB
MD5ef56c12deb8209769397f7b80c44e140
SHA1ad440dd9679d31a47146c0a0b67b90bd98e9a004
SHA2563392b039c59c67af1660c4ce92eb3b22ddd3d053f5d42623a14b1fd72f7e8921
SHA512ed600a734d45d544c1aad629d5dfac627c24eb5ec00372c881a55375c0514ba454c9c32510194756db31b24984d225fda31ebe0aded351157dc95f6c29e8917f
-
Filesize
613KB
MD5d3945eeb39bb7519ffd7149bdc6185f0
SHA1aeec89970f1a308429a5b2abb378a0a132e48098
SHA25646599c4e18dafcab8c14045bf9973614eece92574c78244cee517b9a5935c323
SHA512b39c1d7176d7fcd50d2ef8e02333dcebd0cd7132ab3608d656a805939d7d3b7310e47136ebc16c8224b66dc63a13f7aa478a82268a46693622a9334fd6b36f17
-
Filesize
452KB
MD527ac765a275c6ccf7f90fc5d13948a78
SHA10fc603e7f4df20e67218efad638078d867121fed
SHA2565209b23cc0692d8f981caaa2c8c5ecdc58a076dd5c5dd0418a0ecaf3240808a8
SHA512852321deec2f5a7cc80c939cd45fecc37740a3c83bb0ef0dce6e98259287518db81ede0458e6352b01ee4f1a9b3f19678826fd8fdd471e8ce241f0485913ad22
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
8KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
88KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
36KB
-
Filesize
248KB
-
Filesize
1024KB
-
Filesize
248KB