Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
19-01-2024 18:10
General
-
Target
684bcee9dcb5326013108c4f4fb40dce8d98bc937a00b64e9d9f9754d0c78377.exe
-
Size
311KB
-
MD5
6842403982c36b6c450fde3035eb7043
-
SHA1
d40806e8623b10811703aadf27d5b055da6e98a5
-
SHA256
684bcee9dcb5326013108c4f4fb40dce8d98bc937a00b64e9d9f9754d0c78377
-
SHA512
2d10d7bb85475a86f85019228a88cebf0da92ed5cb24102facbb34a875f3666d0ebf0783b1db1b996f2087feb672f337e91cb72c8b899c632496344a42e4ab37
-
SSDEEP
3072:uQLPli/LX0eRJibugxk++1iyvoBgDym4BV9JxNcdOOQVmRZ+pfTK7KVDrc+B5f2B:uQLPwkvB+iIoBoSVPW3ofTgYn79oUq
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
NSIS installer 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\684bcee9dcb5326013108c4f4fb40dce8d98bc937a00b64e9d9f9754d0c78377.exe"C:\Users\Admin\AppData\Local\Temp\684bcee9dcb5326013108c4f4fb40dce8d98bc937a00b64e9d9f9754d0c78377.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5EB3.exeC:\Users\Admin\AppData\Local\Temp\5EB3.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\97e5koc9k15_1.exe/suac4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\97E5KO~1.EXE" /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6394.exeC:\Users\Admin\AppData\Local\Temp\6394.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
352KB
MD530d18c0408b46035627a2c98856b1016
SHA105ac7712ceaebbc700dbb5eb48f71fc5cfd969a3
SHA256acf81e7741158976f648e3a2a58cb670df1df138c52606b195cbd685fe1eb8ba
SHA512134c48fb6e390e9c80612c7297c83da8a13ac18b7af01018846e89c44e02339a5a5f8003e1e0b175ff2420cf12fe0f645d7130c292c933163099f2c217f903cf
-
Filesize
430KB
MD5429f4fb6c635e0b8fb9d156ab5029432
SHA116d2a1d62039ef4777240f56ceae86ebaf0ac557
SHA2565d2dfc056b5883fc6e7b47855a16d2fdb90276b3f3d69fa412939bbcdfa35614
SHA51222454b659319e9155ca17044dc296b9d984ba6062f08fd052c787b86c1b48e34fe6d5b420d8a9dc621363b543884e2ce15db2eec88bbbb16f2c76d908d59fef2
-
Filesize
410KB
MD5384df6477cba1f52dcced9e465ab3064
SHA1104875925c94358b4901c7efe94e7c610b4af9bf
SHA256fdd447767a80c1af7105a629657cc1c744f39433c62486697497d485b8b9c4b9
SHA51284ef8a6ab128ce0ff4a6a4c784fd8b6b57abe80e191e04b7bcc3a293df25657d83cd8e70fc150fe5dbb85b3be2584fbd2f65c0b1783abb52f4d5feeb9d28e832
-
Filesize
311KB
MD56842403982c36b6c450fde3035eb7043
SHA1d40806e8623b10811703aadf27d5b055da6e98a5
SHA256684bcee9dcb5326013108c4f4fb40dce8d98bc937a00b64e9d9f9754d0c78377
SHA5122d10d7bb85475a86f85019228a88cebf0da92ed5cb24102facbb34a875f3666d0ebf0783b1db1b996f2087feb672f337e91cb72c8b899c632496344a42e4ab37
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
404KB
-
Filesize
44KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
336KB
-
Filesize
1024KB
-
Filesize
336KB
-
Filesize
36KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
4KB