Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
17-01-2024 14:43
General
-
Target
efe103f9ccf08971d6d42c0a20c59e64e64d02999cebe8a3247e74f8a0ea439f.exe
-
Size
213KB
-
MD5
518fa1761d1903670c9c2a5cae38646d
-
SHA1
bc735ff81eb03d5b2e93e4c6edc1a0bf303bcd1e
-
SHA256
efe103f9ccf08971d6d42c0a20c59e64e64d02999cebe8a3247e74f8a0ea439f
-
SHA512
a23723830cc4e1ffd271d75aa9abdabbe658ba9f47e81ec69a7b10a65024ec90d631097c878fd45526921de0b671120a603440e5d74f184507b632a95dcacd12
-
SSDEEP
3072:SoMaibUPLJiUzDb2Q6weG7AkX6OSv+9pR5+:/ibUPnb2QveNk7+
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\efe103f9ccf08971d6d42c0a20c59e64e64d02999cebe8a3247e74f8a0ea439f.exe"C:\Users\Admin\AppData\Local\Temp\efe103f9ccf08971d6d42c0a20c59e64e64d02999cebe8a3247e74f8a0ea439f.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\F9D9.exeC:\Users\Admin\AppData\Local\Temp\F9D9.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\11eyo1917a3_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\11EYO1~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\AD.exeC:\Users\Admin\AppData\Local\Temp\AD.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
291KB
MD56d80724bf6fd14a0a54bd324d27dcfe2
SHA12c96057da45693f5eb15746f1a5dca654842f898
SHA256255146b79ef2bd36c57a07894a399193c01333a1da2d8f1d400fd4374f0caa44
SHA512343164d635c0ae313e94cf297e80a0d19aafb442d3b8984e1f7d885f1b9a275e601dc4e60e9133ce6ad6c027335113ae4ddb6a3104c2774c0469ac8d9fb17cc7
-
Filesize
696KB
MD55c7894c84b80771e9df97232eff61e00
SHA17ad205652de3a2d579e4e671e253e440c081e5cf
SHA2563efa23d25af6cdeee8881735401d79ae5a9e8376cdedb8ec84c5958a6b1687b9
SHA512c4c340e1bc5e7e57c9faabc3419cbe9a2cf2c9b0c55e1f6ec11cdbf5aad0e8df92286e621b3135c36fdc71486e31d181bc24d76f81983fb4f21318b19c2fe07c
-
Filesize
736KB
MD53dc101bff3445a375c0b1d1f38af95eb
SHA18f567e89218dade620d1325adfeb5cc11ba50b12
SHA256ea3845c183541cc3448a4fd7899f3185ef407554fb30efa5088c1a71bcb4b77f
SHA512a9e2e0bf3f925cb96612c161eac5664860c84bc694e4630ae524106192c87b653ac7ab75a8d743e99a0f34a2ffdd7f05703408eb7c46ef9f378953733fb359f9
-
Filesize
374KB
MD57ebe01a05c7cb31698202f512e36d10e
SHA169854d7507752edc60ce31826e50c8f5ec4f67fa
SHA256afd25e9727d17f274b302c5aba1a036dc9008926f61c1c47900cb7814c33549d
SHA5125cbd24b8f9851c703c7bd1de7637ed20dca2dda709be244cc3c6d8a7d5a32f8e5714ce4f650ccf488f3ca5cdbb01df66ef19c767b9fcd4a5df65b1e9bf39a5f1
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
207KB
MD5ea86d8039327ffa3ee010e820dab5b4b
SHA1db493b9c82ce4f44b1ce434a97f36c1d7b145804
SHA256b2898f4562eec4c67b607b489b8ec7d591009c6aabc4b123ecf31ebbd456e993
SHA5120412c678e8922809738ce51c07ea2daa458377ca4b36669bfbe9212905b33f3250ed949a75c83f7d422930054ad3bea99e3c77b6adf561467c9e09db9a9e593a
-
Filesize
288KB
MD50573e3b62640bf7499f2bf0f17beada7
SHA12255d1ecff21899f4ba27cf62a5f36c010c53010
SHA256bf1ec5be6512eb014175b45676e8d7736bd2b3969421fd7b62129292e45f8b27
SHA5125d8cb5dfcd17b6fe4f26b36e75f72f59f653b1c86be65d245a3685a6eff5518e6817dbcf5b66b55133e58f439c22e2c257e6ba8b987b6896099994d77557749c
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
404KB
-
Filesize
44KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
24KB
-
Filesize
408KB