Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
16-01-2024 09:05
General
-
Target
461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
-
Size
32KB
-
MD5
a24f02aa70607beea6af7963d2a51a4d
-
SHA1
fdbf0458799b50f52b231151d84c5d68f6e6da95
-
SHA256
9a77f554fbc23a4d71cbb980b5dcdef80291fa70849430a929a1e1bb9cebc2dc
-
SHA512
2d8d64931184e5d202e097157fc783ba6245b78374a1baefed1abc31a0458acc486f389447bd7cdc7ed2f38a3f91ecbced50923575233e470837790590c52222
-
SSDEEP
768:OAUqYpNSIoKpDd1KM02kQhx4hOtFceWzYqvz0bOS:HLo8LKtd1PBkQD4UtFceWnz
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe"C:\Users\Admin\AppData\Local\Temp\461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\BCD8.exeC:\Users\Admin\AppData\Local\Temp\BCD8.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 11403⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\C574.exeC:\Users\Admin\AppData\Local\Temp\C574.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3648 -ip 36481⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BCD8.exeFilesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
C:\Users\Admin\AppData\Local\Temp\C574.exeFilesize
574KB
MD572f39a3f785f5d837528fd4c0ab8ba54
SHA137eb3d6dad893ba9d74dcbed1c1f1c5d6fe7d282
SHA256d5af0e73a9efb3010b5826a46b8ad0c19271a06e767cd3c98de698905dd78bf3
SHA512bca18bba4edce285d752f463d71fd8cf5043642cfc1f4edc63332ac90c11f1e52b122b8b9f921d305a1dd40fecf28650328efcfe852b3cae5e9c4935fafc4922
-
C:\Users\Admin\AppData\Local\Temp\C574.exeFilesize
819KB
MD54f5387d3117efbfa7212d565c1150954
SHA167488c93e7bfac5336ec6e8946c7417e6beac32d
SHA256da06818da731bd6744d5699f93d5ff49dd131d644fb8778355e94b4b8ecbd79f
SHA5122a795ab7da79dde77d103f8641bbaf2152f881607bc4cf796671774f1170022e3fd0e5f8c8131373677cf4150cd9de3a9218f46f4a59fb1717247af167f6f1cf
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exeFilesize
264KB
MD56deb1684810100f5bfb91afddc0c44b5
SHA1a026111c52f1ab4d3c895e83a023beb4bcd9d83d
SHA2568774da5010e0447f03bb2d7d6000a9507d720b839fac854f560ee6237fefb96b
SHA51272daa80130b52553e052be4900c2801ca700d5b6234d515b449340419e619f5df71e60ef5b8b769d3c57496c3d9f7a2b6f49f9cb9e4018349928640b5625132e
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exeFilesize
269KB
MD5044c2aee6711e57b66203f4bc2c82219
SHA165e5c0c52c8f20e512f89c7f57001c0b0223b479
SHA256c5b7e10605807840f43eac6d1376235a2c88af9077d677b830417c2b597d2778
SHA512605761c582202a7ba0e178426c98de800dbe6c1e80fb984177a133e583e94c29fdc604ff9835ed2af09f6339a7b026c9d6fdaccd75de0c9d39429d89b2b93c90
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exeFilesize
262KB
MD586c82e84f7112605109d032f8eee2b94
SHA1f9375c45e41b7087c9181411d7d059ebb7c9cfb2
SHA256fbb518b1ac6fc71785df47586c6368f5cbcecee3a23dc28ea0d4c2b48c701a9b
SHA512c5891ce8b2a184450d3ff3a3d324052c3682e5d523b306bc664c5abdf47c77d55e150d4150d0cfaef443c9076e547571fa3d56b744b57628a26e139f264afd14
-
C:\Users\Admin\AppData\Local\Temp\lib.dllFilesize
317KB
MD55f3f06f3809d5cb7bcc9c0dabb7bdb16
SHA137ba926f731b5926c1354f4f907f72f989bf01cb
SHA2566de50b01f5ddc6faf963a499ac9c75d75f94d1565a48ef493fa599a45099b850
SHA512e17c75b4098039bda7ab4a1d1835615591dd78c51e394055cc0057d373ab846f81a163409dad82406e7543cf6c56a9d30df66690af3026cf128b15eec1c23b38
-
C:\Users\Admin\AppData\Local\Temp\nsrC90E.tmp\System.dllFilesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
memory/1808-13-0x0000000000920000-0x0000000000986000-memory.dmpFilesize
408KB
-
memory/1808-15-0x0000000077B04000-0x0000000077B05000-memory.dmpFilesize
4KB
-
memory/1808-20-0x0000000002800000-0x0000000002801000-memory.dmpFilesize
4KB
-
memory/1808-19-0x0000000000920000-0x0000000000986000-memory.dmpFilesize
408KB
-
memory/1808-18-0x0000000002830000-0x000000000283C000-memory.dmpFilesize
48KB
-
memory/1808-16-0x0000000000920000-0x0000000000986000-memory.dmpFilesize
408KB
-
memory/1808-14-0x0000000002640000-0x000000000264D000-memory.dmpFilesize
52KB
-
memory/1808-11-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/1808-29-0x0000000002820000-0x0000000002821000-memory.dmpFilesize
4KB
-
memory/1808-30-0x0000000000920000-0x0000000000986000-memory.dmpFilesize
408KB
-
memory/2656-0-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2656-3-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3560-1-0x0000000000B90000-0x0000000000BA6000-memory.dmpFilesize
88KB
-
memory/3648-27-0x0000000001400000-0x00000000014C4000-memory.dmpFilesize
784KB
-
memory/3648-25-0x0000000001400000-0x00000000014C4000-memory.dmpFilesize
784KB
-
memory/3648-24-0x0000000001400000-0x00000000014C4000-memory.dmpFilesize
784KB
-
memory/3648-23-0x0000000000C50000-0x0000000001084000-memory.dmpFilesize
4.2MB
-
memory/3648-21-0x0000000000C50000-0x0000000001084000-memory.dmpFilesize
4.2MB
-
memory/3648-57-0x0000000004CA0000-0x0000000004CA2000-memory.dmpFilesize
8KB
-
memory/3648-56-0x0000000001400000-0x00000000014C4000-memory.dmpFilesize
784KB
-
memory/3648-59-0x0000000000C50000-0x0000000001083000-memory.dmpFilesize
4.2MB
-
memory/3648-60-0x0000000001400000-0x00000000014C4000-memory.dmpFilesize
784KB
-
memory/4204-36-0x0000000000500000-0x0000000000A96000-memory.dmpFilesize
5.6MB
-
memory/4204-43-0x0000000000500000-0x0000000000A96000-memory.dmpFilesize
5.6MB
-
memory/5004-55-0x00000000732E0000-0x00000000739F7000-memory.dmpFilesize
7.1MB
-
memory/5004-61-0x00000000732E0000-0x00000000739F7000-memory.dmpFilesize
7.1MB