Overview

overview

10

Static

static

10

461f0f86f5...mp.exe

windows7-x64

10

461f0f86f5...mp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2024 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe

  • Size

    32KB

  • MD5

    a24f02aa70607beea6af7963d2a51a4d

  • SHA1

    fdbf0458799b50f52b231151d84c5d68f6e6da95

  • SHA256

    9a77f554fbc23a4d71cbb980b5dcdef80291fa70849430a929a1e1bb9cebc2dc

  • SHA512

    2d8d64931184e5d202e097157fc783ba6245b78374a1baefed1abc31a0458acc486f389447bd7cdc7ed2f38a3f91ecbced50923575233e470837790590c52222

  • SSDEEP

    768:OAUqYpNSIoKpDd1KM02kQhx4hOtFceWzYqvz0bOS:HLo8LKtd1PBkQD4UtFceWnz

Score
10/10
betabotsmokeloaderup3backdoorbotnetevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
    "C:\Users\Admin\AppData\Local\Temp\461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:392
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 364
      2⤵
      • Program crash
      PID:744
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 392 -ip 392
    1⤵
      PID:3324
    • C:\Users\Admin\AppData\Local\Temp\9EA1.exe
      C:\Users\Admin\AppData\Local\Temp\9EA1.exe
      1⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        PID:860
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1140
          3⤵
          • Program crash
          PID:4584
    • C:\Users\Admin\AppData\Local\Temp\A588.exe
      C:\Users\Admin\AppData\Local\Temp\A588.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3456
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 860 -ip 860
      1⤵
        PID:3976
      • C:\Users\Admin\AppData\Roaming\ebsdhja
        C:\Users\Admin\AppData\Roaming\ebsdhja
        1⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: MapViewOfSection
        PID:3540
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 364
          2⤵
          • Program crash
          PID:3956
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3540 -ip 3540
        1⤵
          PID:4020

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\9EA1.exe
          Filesize

          360KB

          MD5

          80c413180b6bd0dd664adc4e0665b494

          SHA1

          e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

          SHA256

          6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

          SHA512

          347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\A588.exe
          Filesize

          23KB

          MD5

          229f6ea2eface1ccef0df8ce7c07a549

          SHA1

          7401cfbf795fa44542190488968de09defc11c51

          SHA256

          3b591f134e724c5ee4c48ab446ac88087e419df351162345f6f7c42697e2eaf5

          SHA512

          6293bddc3578fd04bb8eac628ab56f2512344347f333610552ef67426eb686448c010abaa83e1aaa08401625e056605f31b6b3ce2f5081ab68261eebbedffb1b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\A588.exe
          Filesize

          32KB

          MD5

          94bf00b383053e958535d1c920aba8f2

          SHA1

          a36b76b172d3cfd5d18aded31c9e4d01f081f276

          SHA256

          f474e2624f78efba902c3a7f28929070736fdb7ab4e95eb306a0130be9552c8c

          SHA512

          74fd94e216ac8a2acc9933f76d8cb6f6480d4f0991628cf68d969f3e9f2764a2b9491dcf2a89e8b89c0cc32f0c11546a796d591ba28407c40eedef12e0d565ec

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          23KB

          MD5

          6725d85f119e0333fdb461d9e5388b55

          SHA1

          6279841f6a4a495344a20a6052b40b0ec4bcaa04

          SHA256

          563ba26007b5e29e11846506850af37324806623daf2174b2392b9326951a4e1

          SHA512

          3c4b8e9c9593f925d4b230e28d012c97004e7a3ce7aa1b126f747c8e3f5193ab6d7b5c443bcfea6245bc66121ac71c77c54eb313c696c41703a09a3bcfdfc295

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          443KB

          MD5

          869a09ec13c9511418bd68465cb847d5

          SHA1

          235dd69f0505c9f69ab1669666e176f33dfedc00

          SHA256

          381aa007a36c3c14c21d11ca53749883e01da29fbfc0f53f68130255af2264b1

          SHA512

          68dd1b160f9093d8d31ad9a379a01074e7342c48aeab23e9dc091a0c7eb5f486e1893aaae78e71315add826ecd0537eb4eb8f623f2483ed197d5732c2b48fa2d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          568KB

          MD5

          96418cdd38366879eeac6a965baa080f

          SHA1

          f1f4039b6711ba7d3050d557fccd454d505aa0b1

          SHA256

          c41373d5f85521897e628000ac984041ed18c904a30bb688b33ae4c35568a207

          SHA512

          ec984c0f78da56d99cc90b12c0bd1b9104629abf9e5f836e24a0384c96b74c298312efdb8e0b3468e409f2bffc79ae51eaa79f95df1fd7792988c5426ac73eb3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\lib.dll
          Filesize

          490KB

          MD5

          6f060b82b0e0b3ff81f8aaf49e7a0dbe

          SHA1

          2792aa63965ad3c72ee813f1d9014b9080f46735

          SHA256

          80818a1f8208b78a21c027690d76825966e3db24c96d65861ac24f86f8f1dee6

          SHA512

          fe59ff2ff982b6a70f1675d0addc25ddb60501f735ecec1d77dd3cb0ad358391e93f4a600459273fcec0fe946c9c557ebd6ace1919bc9d2ecb21c3817b127a7e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsnA682.tmp\System.dll
          Filesize

          12KB

          MD5

          dd87a973e01c5d9f8e0fcc81a0af7c7a

          SHA1

          c9206ced48d1e5bc648b1d0f54cccc18bf643a14

          SHA256

          7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

          SHA512

          4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\ebsdhja
          Filesize

          32KB

          MD5

          a24f02aa70607beea6af7963d2a51a4d

          SHA1

          fdbf0458799b50f52b231151d84c5d68f6e6da95

          SHA256

          9a77f554fbc23a4d71cbb980b5dcdef80291fa70849430a929a1e1bb9cebc2dc

          SHA512

          2d8d64931184e5d202e097157fc783ba6245b78374a1baefed1abc31a0458acc486f389447bd7cdc7ed2f38a3f91ecbced50923575233e470837790590c52222

          Download Submit

        • C:\Users\Admin\AppData\Roaming\ebsdhja
          Filesize

          31KB

          MD5

          a6136ec8c16655514bfb22974d2c6f68

          SHA1

          b1681974e0297594af70b009c53d27e4f9949542

          SHA256

          b6e96145057db5954c55b7b7ed46f346dd1718b0be7044097e8ff29b139f9e97

          SHA512

          46a8657df3d9d0714948bca02dff29bf868a9f1e6cb6c7a3c570c8cc93f9a52d1bf6edde0901f4bf50a3b09797f83206a03da3b7a54c417d053c41a659bb6f86

          Download Submit

        • memory/392-4-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/392-0-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/860-55-0x0000000004840000-0x0000000004842000-memory.dmp

          Filesize

          8KB

          Download

        • memory/860-23-0x00000000007F0000-0x0000000000C24000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/860-27-0x0000000000D30000-0x0000000000DF4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/860-25-0x0000000000D30000-0x0000000000DF4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/860-24-0x0000000000D30000-0x0000000000DF4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/860-28-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/860-21-0x00000000007F0000-0x0000000000C24000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/860-58-0x0000000000D30000-0x0000000000DF4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/860-57-0x00000000007F0000-0x0000000000C23000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/3472-62-0x0000000000F60000-0x0000000000F76000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3472-1-0x0000000002E40000-0x0000000002E56000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3540-61-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3540-65-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3936-17-0x00000000775C4000-0x00000000775C5000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3936-30-0x0000000000830000-0x0000000000896000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3936-14-0x00000000005A0000-0x00000000005AD000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3936-15-0x0000000000830000-0x0000000000896000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3936-18-0x0000000002800000-0x0000000002801000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3936-19-0x0000000002830000-0x000000000283C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3936-20-0x0000000000830000-0x0000000000896000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3936-13-0x0000000000830000-0x0000000000896000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3936-11-0x0000000000010000-0x000000000006D000-memory.dmp

          Filesize

          372KB

          Download

        • memory/4972-43-0x00000000006F0000-0x0000000000C86000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4972-36-0x00000000006F0000-0x0000000000C86000-memory.dmp

          Filesize

          5.6MB

          Download