Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
17-01-2024 16:43
General
-
Target
19f33f2561da52924b518b9f2c5638daaf4d6d338c6cfd2626035a7aae0dbef3.exe
-
Size
213KB
-
MD5
ab4ee8f128f6ea854145d49070bbd093
-
SHA1
a2faa78ac3424ff5f92a9687ddc30dba6f8942b4
-
SHA256
19f33f2561da52924b518b9f2c5638daaf4d6d338c6cfd2626035a7aae0dbef3
-
SHA512
bb61f8ffebbff733f35d78c0cb24b0451e910e3bab544647587d72862f036d4ae4abec9e97fc63f81027a2cf210afe9c52e60d703c2d5c07943b4e2b6a2f1178
-
SSDEEP
3072:e/zaebXLMJiuWI3CRNObqB5Mn+hpRKs6:xebXLYK0qP8
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\19f33f2561da52924b518b9f2c5638daaf4d6d338c6cfd2626035a7aae0dbef3.exe"C:\Users\Admin\AppData\Local\Temp\19f33f2561da52924b518b9f2c5638daaf4d6d338c6cfd2626035a7aae0dbef3.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\CEF8.exeC:\Users\Admin\AppData\Local\Temp\CEF8.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 10763⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\D785.exeC:\Users\Admin\AppData\Local\Temp\D785.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2248 -ip 22481⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
526KB
MD5fe95f34961c385c96adea447eae4677d
SHA1312041a4098e155dd727cb44ce2b31d6920fcdea
SHA256a0a1af56489756be971402eaa9b272b8ef88cfb300f872618da5a1c020346600
SHA512abf864be825813e1cdf9c7aeaf3e26f915474d0b094b44571523349cc581ad2c69f665b1ceb21e44f4bf89b8c6c2068585f69868564d333a4e2b49a1ce4ea38c
-
Filesize
763KB
MD5a5dfb71c0aea733da2e3d33a5ea8d714
SHA12deef870445ef93876f7b29b35fe782afb88f8d4
SHA25634372cef75c282388e4f2faa7b2ea26efbebd0dc2414ec5042a364488c325e34
SHA5128609d1f2aec3f0c4904efd8ff6b54f1a96aea7252f5da515d7d88f8ec380e7f35537628a723df2e2366ffd7a4e30b5ed8589eddd40c88d96b896d1f9d71964bc
-
Filesize
552KB
MD58e90e0700d20d00fb0cd1ac10571d0b6
SHA19639cd4cc9f179d1db5d5108b9b914dae2d99c9f
SHA256f61c1cedb8a023ea585688b870999274e79cf0b429d748bbf66e0afedc3684d4
SHA512d4258b8573a3b477d37b10c3c17519f165587ce0b6abb2a37d71f57e4ebf20edfa803635747c9fc2b33e6730820171c9080ba3f14f8dab86cd4597cacbd1aaeb
-
Filesize
297KB
MD539cd1a219d1e6df78151033886d1fd9d
SHA17b1a58da2ac3d067548d92b3aea82fa783dd8d7b
SHA2565944d1d158bbf31a7917811e72c33d976455a0927b5502f2e98bef34a584f031
SHA51224cb046798c2dd171bdcf2432f3b2840615c541257f627d37c252117479bda324aced28ad9c694e6f725e34697b5a126ca73568882f3572b5a4f840871202560
-
Filesize
359KB
MD54899662c6da1201fd85099ddcb4264d4
SHA1ed79ee9db0d75e7674ca0682dd60e183515f05fc
SHA2567d188af76fc6da7920819350c47b0310ec85108420c3cae0419b19a27fd8b0c2
SHA512d5d6cc55bb572df521cbb5b4c35aab5dba0bbb3234e709850ad150c31ea408daedff587ffdae3401e1aa97087dd552cc18be32045dcb538abe163116b157dca1
-
Filesize
276KB
MD5f0823f08f3778338fb6206ad39e2c09f
SHA1a4bd674b825d5d4c3622735d6e2976010c2d053e
SHA2560528bf79bc24bbbd206a1441e760ac11963e68776d65ef8b4fe7e0fefb225ed0
SHA5126e9248f4c52bd68cd77ad5892514db6e94ad1facb6c32f5907b344c925e78104f987d4f89d41fdc6ce16e2c67f40a57ea7ae333c919a7616c28b7ecdf2778924
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
8KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
784KB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
36KB
-
Filesize
236KB
-
Filesize
1024KB
-
Filesize
236KB
-
Filesize
88KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
5.6MB