smokeloader | 23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b

Target

23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
Size

154KB
MD5

91879bdd73625ac38c31fe5225310e92
SHA1

a007b979483ee6b57b93a11340932a60f5781570
SHA256

23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b
SHA512

22678f18385ed177ed34cac52fc8667c6d6cdc2953b1818a6e530411894aa6947b04408320137af8ebd5b1d6d733f374a1d962608e0e6c234e5a43b89fe9de3c

Score

10^/10

ransomware trojan backdoor smokeloader spyware stealer raccoon persistence discovery botnet zloader

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.09.08 - 19:06:26 GMT Bot_ID: 18823CA4-5761-4226-8787-CF36135F1C68_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 5 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.13 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: LZUKLIOU - Username: Admin - Windows version: NT 10.0 - Product name: Windows 10 Pro - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 4095 MB (712 MB used) - Screen resolution: 1280x720 - Display devices: 0) Microsoft Basic Display Adapter ============

Extracted

Family

smokeloader

Version

2020

http://dkajsdjiqwdwnfj.info/

http://2831ujedkdajsdj.info/

http://928eijdksasnfss.info/

https://dkajsdjiqwdwnfj.info/

https://2831ujedkdajsdj.info/

https://928eijdksasnfss.info/

rc4.i32

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

02.09.2020

https://fsakfkdsajdajskjajs.online/gate.php

https://fdsadjsadsdsa.online/gate.php

https://dlsafoslfskfsafad.online/gate.php

https://dsofkasfsakdsdsa.online/gate.php

https://dkjsjdsjdjasduiasida.online/gate.php

https://fqnvtmqsywublocpheas.ru/gate.php

https://fqnvtmqsywublocpheas.su/gate.php

https://fqnvtmqsywublocpheas.eu/gate.php

https://fqnvtmqsywublocpheas.net/gate.php

https://fqnvtmqsywublodscpheas.com/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule

raccoon_log_file
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Executes dropped EXE 1 IoCs

Processes:

F4C7.exe

pid process

3408 F4C7.exe

yara_rule
raccoon_log_file

pid	process
3408	F4C7.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\International\Geo\Nation	MicrosoftEdge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeCP.exe

Deletes itself 1 IoCs

Processes:

pid process

2964

pid	process
2964

Loads dropped DLL 8 IoCs

Processes:

23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exeregsvr32.exeF4C7.exe

pid	process
3648	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
3956	regsvr32.exe
3408	F4C7.exe
3408	F4C7.exe
3408	F4C7.exe
3408	F4C7.exe
3408	F4C7.exe
3408	F4C7.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Amuzsyof = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Yqdaxy\\ukizi.dll"	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll	js

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 3956 set thread context of 1308 3956 regsvr32.exe msiexec.exe

description	pid	process	target process
PID 3956 set thread context of 1308	3956	regsvr32.exe	msiexec.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2572 timeout.exe
Modifies Control Panel 1 IoCs
evasion

Processes:

MicrosoftEdge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Colors MicrosoftEdge.exe

pid	process
2572	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Control Panel\Colors	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = bc819b001386d601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 7f229b421386d601	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 12eca6571386d601	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Modifies registry class 163 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = f84f865c2260d601	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 932cb8481386d601	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 164b79491386d601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000a6221168d04e19bd68363d6ed33bcc9a4ef71e23e46057b615508c3583fe02952f7f4e083b598d3e00b7dcdb1ad918323dbe9e96b92bdd142f8f0eacce60ad36c2f843d3a30c8d7eee3cbd21655de9a12afb26acd057329c9707	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 2594 IoCs

Processes:

23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe

pid	process
3648	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
3648	23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2964
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe

pid process

3648 23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe

pid	process
2964

Suspicious use of AdjustPrivilegeToken 69 IoCs

Processes:

svchost.exemsiexec.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeShutdownPrivilege	3520	svchost.exe
Token: SeCreatePagefilePrivilege	3520	svchost.exe
Token: SeSecurityPrivilege	1308	msiexec.exe
Token: SeSecurityPrivilege	1308	msiexec.exe
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeTakeOwnershipPrivilege	2964
Token: SeRestorePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeDebugPrivilege	572	MicrosoftEdge.exe
Token: SeDebugPrivilege	572	MicrosoftEdge.exe
Token: SeDebugPrivilege	572	MicrosoftEdge.exe
Token: SeDebugPrivilege	572	MicrosoftEdge.exe
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeDebugPrivilege	572	MicrosoftEdge.exe
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeDebugPrivilege	804	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	804	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	804	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	804	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964
Token: SeCreatePagefilePrivilege	2964
Token: SeShutdownPrivilege	2964

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

2964
2964
2964
2964
2964
2964
Suspicious use of SendNotifyMessage 34 IoCs

Processes:

pid process

2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

2964
572 MicrosoftEdge.exe
1048 MicrosoftEdgeCP.exe
1048 MicrosoftEdgeCP.exe

pid	process
2964
2964
2964
2964
2964
2964

pid	process
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964
2964

pid	process
2964
572	MicrosoftEdge.exe
1048	MicrosoftEdgeCP.exe
1048	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

regsvr32.exeF4C7.execmd.exeregsvr32.exe

description	pid	process	target process
PID 2964 wrote to memory of 3260	2964		regsvr32.exe
PID 2964 wrote to memory of 3260	2964		regsvr32.exe
PID 3260 wrote to memory of 3956	3260	regsvr32.exe	regsvr32.exe
PID 3260 wrote to memory of 3956	3260	regsvr32.exe	regsvr32.exe
PID 3260 wrote to memory of 3956	3260	regsvr32.exe	regsvr32.exe
PID 2964 wrote to memory of 3408	2964		F4C7.exe
PID 2964 wrote to memory of 3408	2964		F4C7.exe
PID 2964 wrote to memory of 3408	2964		F4C7.exe
PID 3408 wrote to memory of 3644	3408	F4C7.exe	cmd.exe
PID 3408 wrote to memory of 3644	3408	F4C7.exe	cmd.exe
PID 3408 wrote to memory of 3644	3408	F4C7.exe	cmd.exe
PID 3644 wrote to memory of 2572	3644	cmd.exe	timeout.exe
PID 3644 wrote to memory of 2572	3644	cmd.exe	timeout.exe
PID 3644 wrote to memory of 2572	3644	cmd.exe	timeout.exe
PID 3956 wrote to memory of 1308	3956	regsvr32.exe	msiexec.exe
PID 3956 wrote to memory of 1308	3956	regsvr32.exe	msiexec.exe
PID 3956 wrote to memory of 1308	3956	regsvr32.exe	msiexec.exe
PID 3956 wrote to memory of 1308	3956	regsvr32.exe	msiexec.exe
PID 3956 wrote to memory of 1308	3956	regsvr32.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe
"C:\Users\Admin\AppData\Local\Temp\23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F38D.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\F38D.dll
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:1308

C:\Users\Admin\AppData\Local\Temp\F4C7.exe
C:\Users\Admin\AppData\Local\Temp\F4C7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F4C7.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2572

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:572

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3860

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F38D.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4C7.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4C7.exe

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\210A.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\F38D.dll

Download Submit
memory/1308-22-0x0000000000E00000-0x0000000000E2C000-memory.dmp

Filesize
176KB

Download
memory/1308-23-0x0000000000000000-mapping.dmp

Download
memory/2572-21-0x0000000000000000-mapping.dmp

Download
memory/2964-3-0x0000000000A50000-0x0000000000A66000-memory.dmp

Filesize
88KB

Download
memory/3260-4-0x0000000000000000-mapping.dmp

Download
memory/3408-11-0x0000000006086000-0x0000000006087000-memory.dmp

Filesize
4KB

Download
memory/3408-12-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/3408-7-0x0000000000000000-mapping.dmp

Download
memory/3644-20-0x0000000000000000-mapping.dmp

Download
memory/3648-0-0x0000000000B81000-0x0000000000B82000-memory.dmp

Filesize
4KB

Download
memory/3648-1-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/3956-6-0x0000000000000000-mapping.dmp

Download