smokeloader | 84e8caaf836da889b6f7c4d7e53c682274d23fdfa84011efe29c1894b7b16bd3

Resubmissions

16-11-2020 11:26

201116-96rt48lgr2 10

16-11-2020 11:22

201116-da9ygl58js 10

Analysis

max time kernel
194s
max time network
302s
platform
windows7_x64
resource
win7v20201028
submitted
16-11-2020 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0di3x.bin.exe
Size

111KB
MD5

bd97f762750d0e38e38d5e8f7363f66a
SHA1

9ae3d7053246289ff908758f9d60d79586f7fc9f
SHA256

d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158
SHA512

d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39

Score

10^/10

smokeloader zloader r1 r1 backdoor botnet trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://etasuklavish.today/

http://mragyzmachnobesdi.today/

http://kimchinikuzims.today/

http://slacvostinrius.today/

http://straponuliusyn.today/

http://grammmdinss.today/

http://viprasputinsd.chimkent.su/

http://lupadypa.dagestan.su/

http://stoknolimchin.exnet.su/

http://musaroprovadnikov.live/

http://teemforyourexprensiti.life/

http://stolkgolmishutich.termez.su/

http://roompampamgandish.wtf/

rc4.i32

Extracted

Family

zloader

Botnet

Campaign

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain

rsa_pubkey.plain

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Executes dropped EXE 2 IoCs

pid	Process
1216	AB8B.tmp.exe
968	AD7F.tmp.exe

Deletes itself 1 IoCs

pid	Process
1256	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
1056	0di3x.bin.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0di3x.bin.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0di3x.bin.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0di3x.bin.exe

Modifies Internet Explorer settings 1 TTPs 78 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64292F41-27FF-11EB-A5C0-D2F6D50BABC0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000000678c1908393e52415aae021ce4d85d8968aaf0801d82dbb400497e5deb6105f000000000e800000000200002000000075581c3f6c2a1348f362b48b447332b3e7cee5d66c914092c60d4329caa59959900000004d52ac4c1b15d49594b3152c5192b00d8c4fbad59b6f41d756685f567f13d601e9771fde5db583d881b045526763a32ab329603d3070529873ad2a92fa49ba151112c63e9d2479a8cd6225081ee76633a41d6f685d4f6f7f5d7b6d80ae0b354d9ce2ee3b642991cd1467d0d89793aaf6f9542b982dc0e649f0ee8c2908140faebbf66b09a15dc4f18c88b0612b6d3413400000001fc84950d02e7b65438d38ec8721e11a3df63d6996f137d999b5ca76f9e098ade45bbab1432df1df01b1c8e833ef907b6322676fb9d0231521e0e8ea0e9a3e24	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a026743d0cbcd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8188C6E1-27FF-11EB-A5C0-D2F6D50BABC0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000b871d9d85fe225816b6e9cdd3c01c0b855d16c23e2791a5afab154eef9598ea3000000000e8000000002000020000000ce55b1d9a36313be9b3ff545c9da8294676bbe6fc827613b4da7f55304f97356200000006326d44ea57c6d410fd42e627bb249480a8ff1a5f2a0776f1d5183b6c6477390400000003f432544d3fe54869fde44ed77d61359a976247d7c39154bff9d8e81ef2695f683cdefc53ac6d68027e9bc284caa7065df5130597ead7a0564f6fb8c60da41ad	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8ECB2FA1-27FF-11EB-A5C0-D2F6D50BABC0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 989 IoCs

pid	Process
1056	0di3x.bin.exe
1056	0di3x.bin.exe
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1256	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1056	0di3x.bin.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found
1064	iexplore.exe
1560	iexplore.exe
1492	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1256	Process not Found
1256	Process not Found
1256	Process not Found
1256	Process not Found

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1064	iexplore.exe
1064	iexplore.exe
680	IEXPLORE.EXE
680	IEXPLORE.EXE
1560	iexplore.exe
1560	iexplore.exe
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1492	iexplore.exe
1492	iexplore.exe
332	IEXPLORE.EXE
332	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1216	1256	Process not Found	29
PID 1256 wrote to memory of 1216	1256	Process not Found	29
PID 1256 wrote to memory of 1216	1256	Process not Found	29
PID 1256 wrote to memory of 1216	1256	Process not Found	29
PID 1256 wrote to memory of 968	1256	Process not Found	30
PID 1256 wrote to memory of 968	1256	Process not Found	30
PID 1256 wrote to memory of 968	1256	Process not Found	30
PID 1256 wrote to memory of 968	1256	Process not Found	30
PID 1064 wrote to memory of 680	1064	iexplore.exe	34
PID 1064 wrote to memory of 680	1064	iexplore.exe	34
PID 1064 wrote to memory of 680	1064	iexplore.exe	34
PID 1064 wrote to memory of 680	1064	iexplore.exe	34
PID 1560 wrote to memory of 1628	1560	iexplore.exe	37
PID 1560 wrote to memory of 1628	1560	iexplore.exe	37
PID 1560 wrote to memory of 1628	1560	iexplore.exe	37
PID 1560 wrote to memory of 1628	1560	iexplore.exe	37
PID 1492 wrote to memory of 332	1492	iexplore.exe	39
PID 1492 wrote to memory of 332	1492	iexplore.exe	39
PID 1492 wrote to memory of 332	1492	iexplore.exe	39
PID 1492 wrote to memory of 332	1492	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\0di3x.bin.exe
"C:\Users\Admin\AppData\Local\Temp\0di3x.bin.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1056

C:\Users\Admin\AppData\Local\Temp\AB8B.tmp.exe
C:\Users\Admin\AppData\Local\Temp\AB8B.tmp.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Users\Admin\AppData\Local\Temp\AD7F.tmp.exe
C:\Users\Admin\AppData\Local\Temp\AD7F.tmp.exe
1⤵
- Executes dropped EXE
PID:968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-12-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmp

Filesize
2.5MB

Download
memory/680-14-0x0000000005F60000-0x0000000005F83000-memory.dmp

Filesize
140KB

Download
memory/968-9-0x0000000004940000-0x0000000004951000-memory.dmp

Filesize
68KB

Download
memory/968-8-0x000000000313B000-0x000000000313C000-memory.dmp

Filesize
4KB

Download
memory/1056-0-0x000000000340B000-0x000000000340C000-memory.dmp

Filesize
4KB

Download
memory/1056-1-0x00000000048F0000-0x0000000004901000-memory.dmp

Filesize
68KB

Download
memory/1216-11-0x0000000004A90000-0x0000000004AA1000-memory.dmp

Filesize
68KB

Download
memory/1216-19-0x0000000004A90000-0x0000000004AA1000-memory.dmp

Filesize
68KB

Download
memory/1216-10-0x00000000030EB000-0x00000000030EC000-memory.dmp

Filesize
4KB

Download
memory/1256-3-0x0000000002F80000-0x0000000002F96000-memory.dmp

Filesize
88KB

Download
memory/1672-23-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1672-22-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1672-24-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download