smokeloader | 7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91

General

Target

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
Size

181KB
MD5

80d3605d4b180cdd2fef6cb6312942bd
SHA1

12386eee0db55c3c612c92b7912d6f5eceaaffdc
SHA256

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91
SHA512

cfb0f5785978586aeaec6a832f0dfae13039c07f977f0afb63fcdbb27981b7bc95ecaf202c7a5ddfec9b47bbf1c5c00c2cfdbc471035311b2458dec6a2e65fd9

Score

10^/10

trojan backdoor smokeloader ransomware dharma persistence

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rexstat35x.xyz/statweb955/

http://dexspot2x.xyz/statweb955/

http://atxspot20x.xyz/statweb955/

http://rexspot7x.xyz/statweb955/

http://fdmail85.club/statweb955/

http://servicem977x.xyz/statweb955/

http://advertxman7x.xyz/statweb955/

http://starxpush7x.xyz/statweb955/

rc4.i32

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 4 IoCs

Processes:

6E31.exe6EFD.exe715F.exe76FE.exe

pid process

2132 6E31.exe
2452 6EFD.exe
2184 715F.exe
3024 76FE.exe
Deletes itself 1 IoCs

Processes:

pid process

3000
Drops startup file 1 IoCs

Processes:

6E31.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6E31.exe 6E31.exe
Loads dropped DLL 1 IoCs

Processes:

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe

pid process

1576 7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe

pid	process
2132	6E31.exe
2452	6EFD.exe
2184	715F.exe
3024	76FE.exe

pid	process
3000

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6E31.exe	6E31.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6E31.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6E31.exe = "C:\\Windows\\System32\\6E31.exe"	6E31.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

6E31.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2066881839-3229799743-3576549721-1000\desktop.ini	6E31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	6E31.exe
File opened for modification	C:\Program Files\desktop.ini	6E31.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
59 api.ipify.org
60 api.ipify.org
Drops file in System32 directory 1 IoCs

Processes:

6E31.exe

description ioc process

File created C:\Windows\System32\6E31.exe 6E31.exe

flow	ioc
16	ip-api.com
59	api.ipify.org
60	api.ipify.org

description	ioc	process
File created	C:\Windows\System32\6E31.exe	6E31.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe

description	pid	process	target process
PID 3020 set thread context of 1576	3020	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe

Drops file in Program Files directory 2686 IoCs

Processes:

6E31.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	6E31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\msvcr100.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\dblook.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\hprof.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg	6E31.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\nio.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\InitializeSync.xsl.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\decora_sse.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml	6E31.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_sw.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	6E31.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	6E31.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll	6E31.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\JavaAccessBridge-64.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	6E31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	6E31.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyclient.jar.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	6E31.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml	6E31.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	6E31.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	6E31.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html.id-DEBA67B1.[telegram_@spacedatax].ROGER	6E31.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = eb8c2ee9897cd601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 352 IoCs

Processes:

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe

pid	process
1576	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
1576	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe

pid process

1576 7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeShutdownPrivilege 996 svchost.exe
Token: SeCreatePagefilePrivilege 996 svchost.exe

description	pid	process
Token: SeShutdownPrivilege	996	svchost.exe
Token: SeCreatePagefilePrivilege	996	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe6E31.execmd.exe

description	pid	process	target process
PID 3020 wrote to memory of 1576	3020	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
PID 3020 wrote to memory of 1576	3020	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
PID 3020 wrote to memory of 1576	3020	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
PID 3020 wrote to memory of 1576	3020	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
PID 3020 wrote to memory of 1576	3020	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
PID 3020 wrote to memory of 1576	3020	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe	7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
PID 3000 wrote to memory of 2132	3000		6E31.exe
PID 3000 wrote to memory of 2132	3000		6E31.exe
PID 3000 wrote to memory of 2132	3000		6E31.exe
PID 3000 wrote to memory of 2452	3000		6EFD.exe
PID 3000 wrote to memory of 2452	3000		6EFD.exe
PID 3000 wrote to memory of 2452	3000		6EFD.exe
PID 3000 wrote to memory of 2184	3000		715F.exe
PID 3000 wrote to memory of 2184	3000		715F.exe
PID 2132 wrote to memory of 2544	2132	6E31.exe	cmd.exe
PID 2132 wrote to memory of 2544	2132	6E31.exe	cmd.exe
PID 3000 wrote to memory of 3024	3000		76FE.exe
PID 3000 wrote to memory of 3024	3000		76FE.exe
PID 3000 wrote to memory of 3024	3000		76FE.exe
PID 2544 wrote to memory of 8	2544	cmd.exe	mode.com
PID 2544 wrote to memory of 8	2544	cmd.exe	mode.com

C:\Users\Admin\AppData\Local\Temp\7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
"C:\Users\Admin\AppData\Local\Temp\7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
  "C:\Users\Admin\AppData\Local\Temp\7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe"
  2⤵
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Users\Admin\AppData\Local\Temp\6E31.exe
C:\Users\Admin\AppData\Local\Temp\6E31.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:8

C:\Users\Admin\AppData\Local\Temp\6EFD.exe
C:\Users\Admin\AppData\Local\Temp\6EFD.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Users\Admin\AppData\Local\Temp\715F.exe
C:\Users\Admin\AppData\Local\Temp\715F.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Users\Admin\AppData\Local\Temp\76FE.exe
C:\Users\Admin\AppData\Local\Temp\76FE.exe
1⤵
- Executes dropped EXE
PID:3024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6E31.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E31.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EFD.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EFD.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\715F.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\715F.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\76FE.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\76FE.exe

Download Submit
\Users\Admin\AppData\Local\Temp\D47F.tmp

Download Submit
memory/8-25-0x0000000000000000-mapping.dmp

Download
memory/1576-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1576-3-0x0000000000402C70-mapping.dmp

Download
memory/2132-12-0x0000000003383000-0x0000000003384000-memory.dmp

Filesize
4KB

Download
memory/2132-13-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/2132-6-0x0000000000000000-mapping.dmp

Download
memory/2184-15-0x0000000000000000-mapping.dmp

Download
memory/2452-14-0x0000000003563000-0x0000000003564000-memory.dmp

Filesize
4KB

Download
memory/2452-9-0x0000000000000000-mapping.dmp

Download
memory/2452-20-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/2544-18-0x0000000000000000-mapping.dmp

Download
memory/3000-5-0x0000000000C70000-0x0000000000C86000-memory.dmp

Filesize
88KB

Download
memory/3020-0-0x000000000334C000-0x000000000334D000-memory.dmp

Filesize
4KB

Download
memory/3020-1-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3024-21-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads