smokeloader | d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337

Analysis

max time kernel
1801s
max time network
1769s
platform
windows10_x64
resource
win10v20201028
submitted
20-11-2020 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0di3x.exe

Score

10^/10

smokeloader zloader r1 r1 backdoor botnet trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://etasuklavish.today/

http://mragyzmachnobesdi.today/

http://kimchinikuzims.today/

http://slacvostinrius.today/

http://straponuliusyn.today/

http://grammmdinss.today/

http://viprasputinsd.chimkent.su/

http://lupadypa.dagestan.su/

http://stoknolimchin.exnet.su/

http://musaroprovadnikov.live/

http://teemforyourexprensiti.life/

http://stolkgolmishutich.termez.su/

http://roompampamgandish.wtf/

rc4.i32

Extracted

Family

zloader

Botnet

Campaign

https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php

https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php

https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php

https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php

rc4.plain

rsa_pubkey.plain

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4804 created 1540 4804 WerFault.exe rwfuvfh
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

DEDC.tmp.exe

description pid process target process

PID 3084 created 2576 3084 DEDC.tmp.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

description	pid	process	target process
PID 4804 created 1540	4804	WerFault.exe	rwfuvfh

description	pid	process	target process
PID 3084 created 2576	3084	DEDC.tmp.exe	Explorer.EXE

Blocklisted process makes network request 26 IoCs

Processes:

msiexec.exe

flow	pid	process
55	4768	msiexec.exe
56	4768	msiexec.exe
57	4768	msiexec.exe
60	4768	msiexec.exe
63	4768	msiexec.exe
64	4768	msiexec.exe
69	4768	msiexec.exe
70	4768	msiexec.exe
71	4768	msiexec.exe
72	4768	msiexec.exe
73	4768	msiexec.exe
74	4768	msiexec.exe
76	4768	msiexec.exe
77	4768	msiexec.exe
80	4768	msiexec.exe
81	4768	msiexec.exe
82	4768	msiexec.exe
83	4768	msiexec.exe
86	4768	msiexec.exe
88	4768	msiexec.exe
89	4768	msiexec.exe
92	4768	msiexec.exe
97	4768	msiexec.exe
107	4768	msiexec.exe
111	4768	msiexec.exe
114	4768	msiexec.exe

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

DEDC.tmp.exeE0A2.tmp.exerwfuvfh

pid process

3084 DEDC.tmp.exe
560 E0A2.tmp.exe
1540 rwfuvfh
Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

2576 Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

0di3x.exe

pid process

4776 0di3x.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

DEDC.tmp.exe

description pid process target process

PID 3084 set thread context of 4768 3084 DEDC.tmp.exe msiexec.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4804 1540 WerFault.exe rwfuvfh

pid	process
3084	DEDC.tmp.exe
560	E0A2.tmp.exe
1540	rwfuvfh

pid	process
2576	Explorer.EXE

description	pid	process	target process
PID 3084 set thread context of 4768	3084	DEDC.tmp.exe	msiexec.exe

pid	pid_target	process	target process
4804	1540	WerFault.exe	rwfuvfh

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0di3x.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0di3x.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0di3x.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0di3x.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7053647F-2B3F-11EB-BEBD-F648E9E4AC23} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06820334cbfd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30850892"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30850892"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d000000000200000000001066000000010000200000007c6d06d0e2e43317f119a298ebfb1fab9a0fe3da5bf8161c1d2661ae0723ca21000000000e80000000020000200000002c7d3b83e06512c3f48788a278f5dbcb81bc110f39a65e74e54466deb5a29f9b20000000e2f312d9babb1776b97fb3b1e7a7d69abb6cc47999320d9324561724b870b29240000000a2853e71af2ae2224c9bd6ba7eb6dd0dfebb229bc13801be2ea7ae1610d0dad476ea01fb5c7aa855ef1bba839cdae676d70927c6a9587bdb254edd19970a596d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40e92b264cbfd601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d00000000020000000000106600000001000020000000666158bb67b1f25a9b8e3017bfb5041f6bcc05eeae8e6a1d5c1b51006e81c350000000000e80000000020000200000000a9e7b44875546edb95a778595c9c5d97c1a4861f902c7fe50419edc5a3f2a2c20000000d9b46c8cdf0050a5557d5f51c91f5aee2242f57b81def897481de8cbf805a22340000000af29c2885bec192f5b8f1a61872be5bd9c579c6b44d3ddb4f42d6a4cbd8a9f1fe2c8cbd542c008e46b2b4fc9546a74b7976c5bd73503635c89ac1e1948d1c91a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7D34C9D7-2B3F-11EB-BEBD-F648E9E4AC23} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "512763678"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d00000000020000000000106600000001000020000000c20055d6df635e6d7bad1df833b4270e75222dab50b61de2f027b5b1e3655d0f000000000e8000000002000020000000108036856bcc40b05decdcbd4aeaa9102b9bc95b7310e87ebf29aafcd363ea4520000000625f8e87d1b68546564d74a5a9711964c9080c5a4a8ca6d179762f500ac5af7d4000000046fa45449850159548bf56c8a097e170f1e2612d45926603aac0c06f6012074d3263353eeb225577aa1544e4684f1420d21097f4ec4acfbdcc07d98e6766fc22	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40d66d1f4cbfd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "512763678"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60ef611f4cbfd601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6357D5ED-2B3F-11EB-BEBD-F648E9E4AC23} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{49EFC616-2B3F-11EB-BEBD-F648E9E4AC23} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70348b414cbfd601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d000000000200000000001066000000010000200000002bcc5ba0265a28a837a71fe7cbf361853e53746382f04fe425d4db2ed3f5d4b2000000000e800000000200002000000099603bfc16b49717979e6679537f4f84db0b2a088dea3cee2b3d7cdda8d2efe620000000f971b759c556cb8712397bcda47a124c674e09c7a977b6fdc546f36c89a4d93b40000000df6b5692751369a725620d1869070aedf63ef13d66833228fc85e4b469b10e0adbe8420dc8006e83c67260d767a1e064a751da8c2774e3c6ae8221cc47cd8e00	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d000000000200000000001066000000010000200000004e0ab7c88c7d24b1c61ece5b392a399ac4b808276d04036a7949362fc2a28a10000000000e80000000020000200000003daa069c70378a4a9f55811facd00e8da8a7b87d6fcb560f7d0cdd6ab0dd358c2000000035833b5746fa29963f07e8737cf398106cd859a8dd8a34783df52e970ed86aef400000005dc0d074b20e407a29fe2daa083a1ea9aa1d8a7aa64cdbfd60a1bac7486b033e6bae5a9948c6afdc4dc1d213a4992d07d4cce1f843bc049ad59c09b46baf6572	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0di3x.exeExplorer.EXE

pid	process
4776	0di3x.exe
4776	0di3x.exe
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE
2576	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2576 Explorer.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0di3x.exe

pid process

4776 0di3x.exe

pid	process
2576	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

1116 iexplore.exe
3144 iexplore.exe
4580 iexplore.exe
3632 iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1116	iexplore.exe
1116	iexplore.exe
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE
3144	iexplore.exe
3144	iexplore.exe
4492	IEXPLORE.EXE
4492	IEXPLORE.EXE
4580	iexplore.exe
4580	iexplore.exe
2364	IEXPLORE.EXE
2364	IEXPLORE.EXE
3632	iexplore.exe
3632	iexplore.exe
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2576 Explorer.EXE

pid	process
2576	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Explorer.EXEiexplore.exeiexplore.exeiexplore.exeiexplore.exeDEDC.tmp.exe

description	pid	process	target process
PID 2576 wrote to memory of 3084	2576	Explorer.EXE	DEDC.tmp.exe
PID 2576 wrote to memory of 3084	2576	Explorer.EXE	DEDC.tmp.exe
PID 2576 wrote to memory of 3084	2576	Explorer.EXE	DEDC.tmp.exe
PID 2576 wrote to memory of 560	2576	Explorer.EXE	E0A2.tmp.exe
PID 2576 wrote to memory of 560	2576	Explorer.EXE	E0A2.tmp.exe
PID 2576 wrote to memory of 560	2576	Explorer.EXE	E0A2.tmp.exe
PID 1116 wrote to memory of 1316	1116	iexplore.exe	IEXPLORE.EXE
PID 1116 wrote to memory of 1316	1116	iexplore.exe	IEXPLORE.EXE
PID 1116 wrote to memory of 1316	1116	iexplore.exe	IEXPLORE.EXE
PID 3144 wrote to memory of 4492	3144	iexplore.exe	IEXPLORE.EXE
PID 3144 wrote to memory of 4492	3144	iexplore.exe	IEXPLORE.EXE
PID 3144 wrote to memory of 4492	3144	iexplore.exe	IEXPLORE.EXE
PID 4580 wrote to memory of 2364	4580	iexplore.exe	IEXPLORE.EXE
PID 4580 wrote to memory of 2364	4580	iexplore.exe	IEXPLORE.EXE
PID 4580 wrote to memory of 2364	4580	iexplore.exe	IEXPLORE.EXE
PID 3632 wrote to memory of 2588	3632	iexplore.exe	IEXPLORE.EXE
PID 3632 wrote to memory of 2588	3632	iexplore.exe	IEXPLORE.EXE
PID 3632 wrote to memory of 2588	3632	iexplore.exe	IEXPLORE.EXE
PID 3084 wrote to memory of 4768	3084	DEDC.tmp.exe	msiexec.exe
PID 3084 wrote to memory of 4768	3084	DEDC.tmp.exe	msiexec.exe
PID 3084 wrote to memory of 4768	3084	DEDC.tmp.exe	msiexec.exe
PID 3084 wrote to memory of 4768	3084	DEDC.tmp.exe	msiexec.exe
PID 3084 wrote to memory of 4768	3084	DEDC.tmp.exe	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\0di3x.exe
  "C:\Users\Admin\AppData\Local\Temp\0di3x.exe"
  2⤵
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4776
- C:\Users\Admin\AppData\Local\Temp\DEDC.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\DEDC.tmp.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3084
- C:\Users\Admin\AppData\Local\Temp\E0A2.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\E0A2.tmp.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - Blocklisted process makes network request
  PID:4768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1116 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3144 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4580 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3632 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2588

C:\Users\Admin\AppData\Roaming\rwfuvfh
C:\Users\Admin\AppData\Roaming\rwfuvfh
1⤵
- Executes dropped EXE
PID:1540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 476
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2F6.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEDC.tmp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEDC.tmp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0A2.tmp.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0A2.tmp.exe

Download Submit
C:\Users\Admin\AppData\Roaming\rwfuvfh

Download Submit
C:\Users\Admin\AppData\Roaming\rwfuvfh

Download Submit
\Users\Admin\AppData\Local\Temp\2F6.tmp

Download Submit
memory/560-12-0x00000000030D8000-0x00000000030D9000-memory.dmp

Filesize
4KB

Download
memory/560-7-0x0000000000000000-mapping.dmp

Download
memory/560-13-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1316-14-0x0000000000000000-mapping.dmp

Download
memory/1540-23-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1540-22-0x0000000003318000-0x0000000003319000-memory.dmp

Filesize
4KB

Download
memory/2364-16-0x0000000000000000-mapping.dmp

Download
memory/2576-3-0x00000000007B0000-0x00000000007C6000-memory.dmp

Filesize
88KB

Download
memory/2588-17-0x0000000000000000-mapping.dmp

Download
memory/3084-4-0x0000000000000000-mapping.dmp

Download
memory/3084-11-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3084-10-0x0000000003178000-0x0000000003179000-memory.dmp

Filesize
4KB

Download
memory/4492-15-0x0000000000000000-mapping.dmp

Download
memory/4768-18-0x0000000000120000-0x0000000000148000-memory.dmp

Filesize
160KB

Download
memory/4768-19-0x0000000000000000-mapping.dmp

Download
memory/4776-0-0x00000000031C8000-0x00000000031C9000-memory.dmp

Filesize
4KB

Download
memory/4776-1-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/4804-61-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-49-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-28-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/4804-32-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-62-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-25-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/4804-60-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-59-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-58-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-57-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-56-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-55-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-54-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-53-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-52-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-51-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-50-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-26-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/4804-48-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-47-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-46-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-45-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-44-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-43-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-42-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-41-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-40-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-39-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-38-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-37-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-36-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-35-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-34-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/4804-33-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/4804-64-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download