smokeloader | 178fb69c394a6d86a3695acbb025bc2f3be31dea683ee6e5016af0566eef8111

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
10-03-2021 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ed271e10ba37319d01d44acd33489a7.exe
Size

284KB
MD5

5ed271e10ba37319d01d44acd33489a7
SHA1

7130a850b50d5fccc1401f57ad95cac863a02062
SHA256

178fb69c394a6d86a3695acbb025bc2f3be31dea683ee6e5016af0566eef8111
SHA512

882d1adf9f2513d5578a72dcc50f0ef510def30c2c1ed0af5f051752e299a72be79c48660038aa852a39007c8286c6ea2ba2886cf0d8e4a859573faedf1ca27f

Score

10^/10

smokeloader vidar backdoor discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://jibw.top/

http://lakf.top/

http://yapv.top/

http://pqdb.top/

http://bpqx.top/

http://gyuw.top/

http://vafc.top/

http://qgam.top/

http://viio.top/

http://chpp.top/

http://csji.top/

http://xxql.top/

http://vtxa.top/

http://ggoz.top/

http://crpa.top/

http://vuss.top/

http://coal.top/

http://fymm.top/

http://roaf.top/

http://aeus.top/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 3 IoCs

Processes:

9953.exe9953.exe5.exe

pid	Process
396	9953.exe
1604	9953.exe
2004	5.exe

Deletes itself 1 IoCs

Processes:

pid	Process
1268

Loads dropped DLL 9 IoCs

Processes:

5ed271e10ba37319d01d44acd33489a7.exe9953.exe9953.exe5.exe

pid	Process
292	5ed271e10ba37319d01d44acd33489a7.exe
396	9953.exe
396	9953.exe
1604	9953.exe
1604	9953.exe
2004	5.exe
2004	5.exe
2004	5.exe
2004	5.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
1672	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9953.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7919b2d9-45b7-444b-afb4-60650d8b0cf9\\9953.exe\" --AutoStart"	9953.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
11	api.2ip.ua
19	api.2ip.ua
10	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5ed271e10ba37319d01d44acd33489a7.exe

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ed271e10ba37319d01d44acd33489a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ed271e10ba37319d01d44acd33489a7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ed271e10ba37319d01d44acd33489a7.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
1692	timeout.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
1064	taskkill.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

9953.exe9953.exe5.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	9953.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	9953.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	9953.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	9953.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	9953.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5ed271e10ba37319d01d44acd33489a7.exe

pid	Process
292	5ed271e10ba37319d01d44acd33489a7.exe
292	5ed271e10ba37319d01d44acd33489a7.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

5ed271e10ba37319d01d44acd33489a7.exe

pid	Process
292	5ed271e10ba37319d01d44acd33489a7.exe
1268
1268

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description	pid	Process
Token: SeDebugPrivilege	1064	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid	Process
1268
1268
1268
1268

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid	Process
1268
1268
1268
1268

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

9953.exe9953.exe5.execmd.exe

description	pid	Process	procid_target
PID 1268 wrote to memory of 396	1268		29
PID 1268 wrote to memory of 396	1268		29
PID 1268 wrote to memory of 396	1268		29
PID 1268 wrote to memory of 396	1268		29
PID 1268 wrote to memory of 268	1268		30
PID 1268 wrote to memory of 268	1268		30
PID 1268 wrote to memory of 268	1268		30
PID 1268 wrote to memory of 268	1268		30
PID 1268 wrote to memory of 268	1268		30
PID 396 wrote to memory of 1672	396	9953.exe	33
PID 396 wrote to memory of 1672	396	9953.exe	33
PID 396 wrote to memory of 1672	396	9953.exe	33
PID 396 wrote to memory of 1672	396	9953.exe	33
PID 396 wrote to memory of 1604	396	9953.exe	34
PID 396 wrote to memory of 1604	396	9953.exe	34
PID 396 wrote to memory of 1604	396	9953.exe	34
PID 396 wrote to memory of 1604	396	9953.exe	34
PID 1604 wrote to memory of 2004	1604	9953.exe	35
PID 1604 wrote to memory of 2004	1604	9953.exe	35
PID 1604 wrote to memory of 2004	1604	9953.exe	35
PID 1604 wrote to memory of 2004	1604	9953.exe	35
PID 2004 wrote to memory of 840	2004	5.exe	37
PID 2004 wrote to memory of 840	2004	5.exe	37
PID 2004 wrote to memory of 840	2004	5.exe	37
PID 2004 wrote to memory of 840	2004	5.exe	37
PID 840 wrote to memory of 1064	840	cmd.exe	39
PID 840 wrote to memory of 1064	840	cmd.exe	39
PID 840 wrote to memory of 1064	840	cmd.exe	39
PID 840 wrote to memory of 1064	840	cmd.exe	39
PID 840 wrote to memory of 1692	840	cmd.exe	41
PID 840 wrote to memory of 1692	840	cmd.exe	41
PID 840 wrote to memory of 1692	840	cmd.exe	41
PID 840 wrote to memory of 1692	840	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\5ed271e10ba37319d01d44acd33489a7.exe
"C:\Users\Admin\AppData\Local\Temp\5ed271e10ba37319d01d44acd33489a7.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:292

C:\Users\Admin\AppData\Local\Temp\9953.exe
C:\Users\Admin\AppData\Local\Temp\9953.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\7919b2d9-45b7-444b-afb4-60650d8b0cf9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\9953.exe
  "C:\Users\Admin\AppData\Local\Temp\9953.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Local\bbd6d0cb-d1a1-42b8-a1dd-296855db84a4\5.exe
    "C:\Users\Admin\AppData\Local\bbd6d0cb-d1a1-42b8-a1dd-296855db84a4\5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\bbd6d0cb-d1a1-42b8-a1dd-296855db84a4\5.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:1692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
4c9af35a7edd6351ed1b0369aa5fdaad

SHA1
a31deacfdba98949799105169f460234a356d1b6

SHA256
272b1eae7ab0152427b63c9f44b954394ce8e69b39e60f4d768b00b1d6365d6c

SHA512
928cc4be39b1dca84af72b09067b1553ce04cac8020aba3e2f37023fb396a792ddacde4d68121d4736311aa8dd761fcc161f52224d243ae68cd6d5f6fe8a038d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
61a03d15cf62612f50b74867090dbe79

SHA1
15228f34067b4b107e917bebaf17cc7c3c1280a8

SHA256
f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d

SHA512
5fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
a4f1a3227ff7283cc8dd2f9e68025e12

SHA1
67c2de733b15f65c5157a6d495534ebdd00311c2

SHA256
f0e3107fe54fa10875ee7b53675713b6835c31e21d4f2c6c00880fa1b7166982

SHA512
3d66e1cc35685bb0ceac80e368b0743582046f3d3a6566486aeb4f956473f17dde1ef1dbd6a584ef2492e6bf0555068e0d672fa34194a6b9f37a19134670f10e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
53c2b2db890ab34d0e0c484f8038212f

SHA1
db7e81eb8c2d217f88ab2ce1a2fbc3d60bed22c3

SHA256
dab4e94d5747ce7a59bd7b118af989c46df730ae4267388f284512c67dc37051

SHA512
c661018bc2cfdf97f237c02e50f8aaeeaff2c3692acb7f90d4927400c172843b315575dee0704f0ebf4532dece469df00df797233e3433a9c8f95f28339e720d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
a9deb4e0ed57a5cd5eae826f9846039e

SHA1
7d7e3bb919e7c31e0e8911983188b80cb29bb1ab

SHA256
c6d17506461cd91412a39b484f5f4320fe2795ef1230541a6cf5075e4853fc1a

SHA512
8f3eeaeb814f1dcbc2b4b4afbfc759f8e2e149fa00cb6c144adc45ba2b18fa5e5775300eb922fd003f191944da8d4a5fbdaa1a9de4ec77cad54b55da037386de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
005a88711f2f19bf79b44bc9e6c04667

SHA1
5799fe3031e06f7f97b91fd7a9126e89ca7f9c3e

SHA256
0708111d45cc1c0ba59a5f583115178d381ef716ab3c527336687be837a54045

SHA512
7d4d3e99b3d454e17bea93c8a0fc00b3c190d39450c712ddff8523b1bf3cd2d1aea3578ff5365c0d6ea57e6ac24a21b6771bae53e0992384c6017b37c416d5eb

Download Submit
C:\Users\Admin\AppData\Local\7919b2d9-45b7-444b-afb4-60650d8b0cf9\9953.exe

MD5
88b29ee23b6c477081190d36ce3d0aa0

SHA1
6dca33831aa1a80afc068672844f2cb33b3e83ec

SHA256
d94fb12c0a097610b396be6e049c33819e9138d0f8cf62771fb4c201f4b449fc

SHA512
93a4d578f313fd824eaee1f8db5eb39d69d9ce67660be109961925a4ffa0ed7ba33483a729e81078cbc0b25f21202479efa15d0887c30662cb7f3a6a586a59be

Download Submit
C:\Users\Admin\AppData\Local\Temp\9953.exe

MD5
88b29ee23b6c477081190d36ce3d0aa0

SHA1
6dca33831aa1a80afc068672844f2cb33b3e83ec

SHA256
d94fb12c0a097610b396be6e049c33819e9138d0f8cf62771fb4c201f4b449fc

SHA512
93a4d578f313fd824eaee1f8db5eb39d69d9ce67660be109961925a4ffa0ed7ba33483a729e81078cbc0b25f21202479efa15d0887c30662cb7f3a6a586a59be

Download Submit
C:\Users\Admin\AppData\Local\Temp\9953.exe

MD5
88b29ee23b6c477081190d36ce3d0aa0

SHA1
6dca33831aa1a80afc068672844f2cb33b3e83ec

SHA256
d94fb12c0a097610b396be6e049c33819e9138d0f8cf62771fb4c201f4b449fc

SHA512
93a4d578f313fd824eaee1f8db5eb39d69d9ce67660be109961925a4ffa0ed7ba33483a729e81078cbc0b25f21202479efa15d0887c30662cb7f3a6a586a59be

Download Submit
C:\Users\Admin\AppData\Local\Temp\9953.exe

MD5
88b29ee23b6c477081190d36ce3d0aa0

SHA1
6dca33831aa1a80afc068672844f2cb33b3e83ec

SHA256
d94fb12c0a097610b396be6e049c33819e9138d0f8cf62771fb4c201f4b449fc

SHA512
93a4d578f313fd824eaee1f8db5eb39d69d9ce67660be109961925a4ffa0ed7ba33483a729e81078cbc0b25f21202479efa15d0887c30662cb7f3a6a586a59be

Download Submit
C:\Users\Admin\AppData\Local\bbd6d0cb-d1a1-42b8-a1dd-296855db84a4\5.exe

MD5
6a50d5e91b193be284aa02106ee35e97

SHA1
097137cb64eb18ce55c13f1e841d5312d07fbbf4

SHA256
82c1ccbd7db7615a982f7b8072784575972aff3f0ab4597efda9d2e7ca17b961

SHA512
7f79ef4c3b2cd32e6e1fe6c64d1a693115789665f705144cb912500f25f669f28ac61f709d29057b66bf2a6c1f8376b3a8ef7ccb95668cabf2d15455745f1f03

Download Submit
C:\Users\Admin\AppData\Local\bbd6d0cb-d1a1-42b8-a1dd-296855db84a4\5.exe

MD5
6a50d5e91b193be284aa02106ee35e97

SHA1
097137cb64eb18ce55c13f1e841d5312d07fbbf4

SHA256
82c1ccbd7db7615a982f7b8072784575972aff3f0ab4597efda9d2e7ca17b961

SHA512
7f79ef4c3b2cd32e6e1fe6c64d1a693115789665f705144cb912500f25f669f28ac61f709d29057b66bf2a6c1f8376b3a8ef7ccb95668cabf2d15455745f1f03

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\1F19.tmp

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\9953.exe

MD5
88b29ee23b6c477081190d36ce3d0aa0

SHA1
6dca33831aa1a80afc068672844f2cb33b3e83ec

SHA256
d94fb12c0a097610b396be6e049c33819e9138d0f8cf62771fb4c201f4b449fc

SHA512
93a4d578f313fd824eaee1f8db5eb39d69d9ce67660be109961925a4ffa0ed7ba33483a729e81078cbc0b25f21202479efa15d0887c30662cb7f3a6a586a59be

Download Submit
\Users\Admin\AppData\Local\Temp\9953.exe

MD5
88b29ee23b6c477081190d36ce3d0aa0

SHA1
6dca33831aa1a80afc068672844f2cb33b3e83ec

SHA256
d94fb12c0a097610b396be6e049c33819e9138d0f8cf62771fb4c201f4b449fc

SHA512
93a4d578f313fd824eaee1f8db5eb39d69d9ce67660be109961925a4ffa0ed7ba33483a729e81078cbc0b25f21202479efa15d0887c30662cb7f3a6a586a59be

Download Submit
\Users\Admin\AppData\Local\bbd6d0cb-d1a1-42b8-a1dd-296855db84a4\5.exe

MD5
6a50d5e91b193be284aa02106ee35e97

SHA1
097137cb64eb18ce55c13f1e841d5312d07fbbf4

SHA256
82c1ccbd7db7615a982f7b8072784575972aff3f0ab4597efda9d2e7ca17b961

SHA512
7f79ef4c3b2cd32e6e1fe6c64d1a693115789665f705144cb912500f25f669f28ac61f709d29057b66bf2a6c1f8376b3a8ef7ccb95668cabf2d15455745f1f03

Download Submit
\Users\Admin\AppData\Local\bbd6d0cb-d1a1-42b8-a1dd-296855db84a4\5.exe

MD5
6a50d5e91b193be284aa02106ee35e97

SHA1
097137cb64eb18ce55c13f1e841d5312d07fbbf4

SHA256
82c1ccbd7db7615a982f7b8072784575972aff3f0ab4597efda9d2e7ca17b961

SHA512
7f79ef4c3b2cd32e6e1fe6c64d1a693115789665f705144cb912500f25f669f28ac61f709d29057b66bf2a6c1f8376b3a8ef7ccb95668cabf2d15455745f1f03

Download Submit
memory/268-10-0x0000000000000000-mapping.dmp

Download
memory/268-14-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/268-13-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/268-12-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/292-6-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/292-5-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/292-3-0x0000000076861000-0x0000000076863000-memory.dmp

Filesize
8KB

Download
memory/292-2-0x0000000000A40000-0x0000000000A51000-memory.dmp

Filesize
68KB

Download
memory/396-17-0x0000000002DA0000-0x0000000002EBA000-memory.dmp

Filesize
1.1MB

Download
memory/396-18-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/396-15-0x0000000002DA0000-0x0000000002DB1000-memory.dmp

Filesize
68KB

Download
memory/396-8-0x0000000000000000-mapping.dmp

Download
memory/840-46-0x0000000000000000-mapping.dmp

Download
memory/1064-47-0x0000000000000000-mapping.dmp

Download
memory/1104-19-0x000007FEF6B80000-0x000007FEF6DFA000-memory.dmp

Filesize
2.5MB

Download
memory/1268-7-0x0000000002980000-0x0000000002996000-memory.dmp

Filesize
88KB

Download
memory/1604-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1604-27-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1604-25-0x0000000000000000-mapping.dmp

Download
memory/1672-21-0x0000000000000000-mapping.dmp

Download
memory/1692-48-0x0000000000000000-mapping.dmp

Download
memory/2004-39-0x0000000000000000-mapping.dmp

Download