Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
17-01-2024 14:43
General
-
Target
efe103f9ccf08971d6d42c0a20c59e64e64d02999cebe8a3247e74f8a0ea439f.exe
-
Size
213KB
-
MD5
518fa1761d1903670c9c2a5cae38646d
-
SHA1
bc735ff81eb03d5b2e93e4c6edc1a0bf303bcd1e
-
SHA256
efe103f9ccf08971d6d42c0a20c59e64e64d02999cebe8a3247e74f8a0ea439f
-
SHA512
a23723830cc4e1ffd271d75aa9abdabbe658ba9f47e81ec69a7b10a65024ec90d631097c878fd45526921de0b671120a603440e5d74f184507b632a95dcacd12
-
SSDEEP
3072:SoMaibUPLJiUzDb2Q6weG7AkX6OSv+9pR5+:/ibUPnb2QveNk7+
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\efe103f9ccf08971d6d42c0a20c59e64e64d02999cebe8a3247e74f8a0ea439f.exe"C:\Users\Admin\AppData\Local\Temp\efe103f9ccf08971d6d42c0a20c59e64e64d02999cebe8a3247e74f8a0ea439f.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 3682⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2588 -ip 25881⤵
-
C:\Users\Admin\AppData\Local\Temp\B093.exeC:\Users\Admin\AppData\Local\Temp\B093.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 11483⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\B789.exeC:\Users\Admin\AppData\Local\Temp\B789.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3020 -ip 30201⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
48KB
MD58bf46a2dd941c891671095285890f457
SHA13d2fb63e32fffe83a36fee52cc08686307c2d7b4
SHA2562e9c1f6aa28b7719acde5d039bd4c7914bc0577bd999cd9811d73a1a37ec4132
SHA5129526bbf057a542542abf6cb28079b59f286a04205f8714f237705f9aa23b2e07e9cc59d289d8307121272e5b7caec0245ad08871b2dc1887554fc70d818781a4
-
Filesize
292KB
MD5270310beab2743b6167ebf26adef43cc
SHA1576556d7a6612f1903d0ce812cf9fccd3a30dde7
SHA25621c80da91ffc50ef40c3dc8aa9588f3879806e81861027cce6f45fde1dfa19d5
SHA51259d697043fb3f21401b04b490ce33f3c7f96d28d773dfcd3a36f94ca1ed5768816bddafd4f62e61d6c96385c2a9b30bf0eca47814eec15aea541e0d69eab4158
-
Filesize
469KB
MD54abf8b7885a7ff1166b83a97f7a7057b
SHA1024d43a908b07d37db04b5656b484dea418f7b38
SHA256e55e9141b273ffe9da8ba0152aba41065dd42598c923b343ec34faabba904950
SHA5128a247caf8d74164f19b84b037d33962c601b6d81273d82d2142e677f5d871af89569e3c0d7037b94404ff9b0ec256c39457fb99c226b6a0b2fde4c03de91487a
-
Filesize
368KB
MD59a729024de5d0f383b8dc5b9ca078fe2
SHA15eca69043ae793870bf42ffba72bf4297f1f1455
SHA25654f635022b1bb487495511d96e52ff6bcd1bd907b1542aaf0536ab86b43715e0
SHA512348ccbb6a2587f324ec2ded24b7531c1459449d26e9035d1f1494822b420b52a0228480189fcc0f8afb91b8af74167a97be1920b4829ad027ec87b5f5b27ea07
-
Filesize
237KB
MD57e9082b6952bd903161aec755b65adc7
SHA15fd218fd1341f8b6086f0cc1c7a933d1e04417a3
SHA256ab97313c38e198a29b05f9f8fd510be5b73d0aac7aff56437169ce6cdec233e4
SHA512e3b6c558686278e196225c38fb6aa919ed8f78d4f686f8d6d2ea4f07c1f15c847bfbde762bfc339b0fb9f2107abb7ec52fb599972b585c3b3c87b9c503498218
-
Filesize
267KB
MD5d4d4c8b68e89aa5d85c757435c9e8033
SHA17ab1f25a509159310d08e76ef3f152c4d96087d4
SHA25611d4ebe102796d177ada551b174ee52a7dacf84e1c879d9d7345cd9c43096527
SHA512400a433e062579242fa07b5947d6ad2f70be49e37a15cab5106974c74eec2bece18e5336f9d02c6526354593b7e0ce0a1c9d072585c792e0d1488449a6d9112d
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
1024KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
36KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
88KB