smokeloader | 6b4d4a61ef4fbabcb304b9c5665cc3e6c2ea866fba7d848094fe93ee6580411f

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
27-03-2021 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Mal.GandCrypt-A.5674.24831.exe
Size

162KB
MD5

b4eb6b71786c58d41f2b719e5c102662
SHA1

3653372d26a08503acc0a3ffe66b67ed3bbc93e7
SHA256

6b4d4a61ef4fbabcb304b9c5665cc3e6c2ea866fba7d848094fe93ee6580411f
SHA512

c3a1a060249b51360c6c61a7ccb86e4df66837d759d96ace783b1afdc90189115e2b08c188170a4e31ca27aca656fca4ea38ba900683fbad60e4ba086920c9bc

Score

10^/10

smokeloader taurus_stealer tofsee vidar backdoor discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus_stealer
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 7 IoCs

pid	Process
780	21E2.exe
1148	2C5F.exe
372	3B2E.exe
2004	21E2.exe
1508	updatewin.exe
1328	5.exe
576	zbufmuiy.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Deletes itself 1 IoCs

pid	Process
1264	Process not Found

Loads dropped DLL 13 IoCs

pid	Process
644	SecuriteInfo.com.Mal.GandCrypt-A.5674.24831.exe
1148	2C5F.exe
1148	2C5F.exe
1148	2C5F.exe
1148	2C5F.exe
780	21E2.exe
780	21E2.exe
2004	21E2.exe
1508	updatewin.exe
1508	updatewin.exe
1508	updatewin.exe
2004	21E2.exe
2004	21E2.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1316	icacls.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6c18ef88-938e-4db1-b0e1-1dd61ff434f0\\21E2.exe\" --AutoStart"	21E2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	api.2ip.ua
54	api.2ip.ua
31	api.2ip.ua

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.Mal.GandCrypt-A.5674.24831.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.Mal.GandCrypt-A.5674.24831.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.Mal.GandCrypt-A.5674.24831.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2C5F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2C5F.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1532	timeout.exe
1936	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1992	taskkill.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2C5F.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2C5F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	21E2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	21E2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	21E2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	21E2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	21E2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
644	SecuriteInfo.com.Mal.GandCrypt-A.5674.24831.exe
644	SecuriteInfo.com.Mal.GandCrypt-A.5674.24831.exe
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
644	SecuriteInfo.com.Mal.GandCrypt-A.5674.24831.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 780	1264	Process not Found	29
PID 1264 wrote to memory of 780	1264	Process not Found	29
PID 1264 wrote to memory of 780	1264	Process not Found	29
PID 1264 wrote to memory of 780	1264	Process not Found	29
PID 1264 wrote to memory of 1148	1264	Process not Found	30
PID 1264 wrote to memory of 1148	1264	Process not Found	30
PID 1264 wrote to memory of 1148	1264	Process not Found	30
PID 1264 wrote to memory of 1148	1264	Process not Found	30
PID 780 wrote to memory of 1316	780	21E2.exe	33
PID 780 wrote to memory of 1316	780	21E2.exe	33
PID 780 wrote to memory of 1316	780	21E2.exe	33
PID 780 wrote to memory of 1316	780	21E2.exe	33
PID 1264 wrote to memory of 372	1264	Process not Found	34
PID 1264 wrote to memory of 372	1264	Process not Found	34
PID 1264 wrote to memory of 372	1264	Process not Found	34
PID 1264 wrote to memory of 372	1264	Process not Found	34
PID 780 wrote to memory of 2004	780	21E2.exe	35
PID 780 wrote to memory of 2004	780	21E2.exe	35
PID 780 wrote to memory of 2004	780	21E2.exe	35
PID 780 wrote to memory of 2004	780	21E2.exe	35
PID 372 wrote to memory of 2012	372	3B2E.exe	37
PID 372 wrote to memory of 2012	372	3B2E.exe	37
PID 372 wrote to memory of 2012	372	3B2E.exe	37
PID 372 wrote to memory of 2012	372	3B2E.exe	37
PID 372 wrote to memory of 1952	372	3B2E.exe	39
PID 372 wrote to memory of 1952	372	3B2E.exe	39
PID 372 wrote to memory of 1952	372	3B2E.exe	39
PID 372 wrote to memory of 1952	372	3B2E.exe	39
PID 372 wrote to memory of 1732	372	3B2E.exe	41
PID 372 wrote to memory of 1732	372	3B2E.exe	41
PID 372 wrote to memory of 1732	372	3B2E.exe	41
PID 372 wrote to memory of 1732	372	3B2E.exe	41
PID 372 wrote to memory of 740	372	3B2E.exe	43
PID 372 wrote to memory of 740	372	3B2E.exe	43
PID 372 wrote to memory of 740	372	3B2E.exe	43
PID 372 wrote to memory of 740	372	3B2E.exe	43
PID 2004 wrote to memory of 1508	2004	21E2.exe	45
PID 2004 wrote to memory of 1508	2004	21E2.exe	45
PID 2004 wrote to memory of 1508	2004	21E2.exe	45
PID 2004 wrote to memory of 1508	2004	21E2.exe	45
PID 2004 wrote to memory of 1508	2004	21E2.exe	45
PID 2004 wrote to memory of 1508	2004	21E2.exe	45
PID 2004 wrote to memory of 1508	2004	21E2.exe	45
PID 2004 wrote to memory of 1328	2004	21E2.exe	46
PID 2004 wrote to memory of 1328	2004	21E2.exe	46
PID 2004 wrote to memory of 1328	2004	21E2.exe	46
PID 2004 wrote to memory of 1328	2004	21E2.exe	46
PID 372 wrote to memory of 1316	372	3B2E.exe	47
PID 372 wrote to memory of 1316	372	3B2E.exe	47
PID 372 wrote to memory of 1316	372	3B2E.exe	47
PID 372 wrote to memory of 1316	372	3B2E.exe	47
PID 372 wrote to memory of 968	372	3B2E.exe	50
PID 372 wrote to memory of 968	372	3B2E.exe	50
PID 372 wrote to memory of 968	372	3B2E.exe	50
PID 372 wrote to memory of 968	372	3B2E.exe	50

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.GandCrypt-A.5674.24831.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.GandCrypt-A.5674.24831.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:644

C:\Users\Admin\AppData\Local\Temp\21E2.exe
C:\Users\Admin\AppData\Local\Temp\21E2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\6c18ef88-938e-4db1-b0e1-1dd61ff434f0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:1316
- C:\Users\Admin\AppData\Local\Temp\21E2.exe
  "C:\Users\Admin\AppData\Local\Temp\21E2.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\9453e8d3-64e2-4ba7-a4f7-e17d37d79468\updatewin.exe
    "C:\Users\Admin\AppData\Local\9453e8d3-64e2-4ba7-a4f7-e17d37d79468\updatewin.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\9453e8d3-64e2-4ba7-a4f7-e17d37d79468\updatewin.exe
      4⤵
      PID:1708
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1936
- - C:\Users\Admin\AppData\Local\9453e8d3-64e2-4ba7-a4f7-e17d37d79468\5.exe
    "C:\Users\Admin\AppData\Local\9453e8d3-64e2-4ba7-a4f7-e17d37d79468\5.exe"
    3⤵
    - Executes dropped EXE
    PID:1328

C:\Users\Admin\AppData\Local\Temp\2C5F.exe
C:\Users\Admin\AppData\Local\Temp\2C5F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
PID:1148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im 2C5F.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2C5F.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 2C5F.exe /f
    3⤵
    - Kills process with taskkill
    PID:1992
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1532

C:\Users\Admin\AppData\Local\Temp\3B2E.exe
C:\Users\Admin\AppData\Local\Temp\3B2E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xxxndtto\
  2⤵
  PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zbufmuiy.exe" C:\Windows\SysWOW64\xxxndtto\
  2⤵
  PID:1952
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create xxxndtto binPath= "C:\Windows\SysWOW64\xxxndtto\zbufmuiy.exe /d\"C:\Users\Admin\AppData\Local\Temp\3B2E.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:1732
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description xxxndtto "wifi internet conection"
  2⤵
  PID:740
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start xxxndtto
  2⤵
  PID:1316
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:968

C:\Windows\SysWOW64\xxxndtto\zbufmuiy.exe
C:\Windows\SysWOW64\xxxndtto\zbufmuiy.exe /d"C:\Users\Admin\AppData\Local\Temp\3B2E.exe"
1⤵
- Executes dropped EXE
PID:576
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-42-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/372-43-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/372-34-0x0000000002090000-0x00000000020A1000-memory.dmp

Filesize
68KB

Download
memory/576-81-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/576-73-0x0000000000E90000-0x0000000000EA1000-memory.dmp

Filesize
68KB

Download
memory/644-2-0x0000000002070000-0x0000000002081000-memory.dmp

Filesize
68KB

Download
memory/644-3-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download
memory/644-5-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/644-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/780-10-0x0000000001BA0000-0x0000000001BB1000-memory.dmp

Filesize
68KB

Download
memory/780-12-0x0000000001800000-0x000000000191A000-memory.dmp

Filesize
1.1MB

Download
memory/780-13-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1148-17-0x00000000021C0000-0x00000000021D1000-memory.dmp

Filesize
68KB

Download
memory/1148-19-0x0000000000AE0000-0x0000000000B75000-memory.dmp

Filesize
596KB

Download
memory/1148-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1264-7-0x0000000002C60000-0x0000000002C76000-memory.dmp

Filesize
88KB

Download
memory/1328-84-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1328-83-0x0000000002BF0000-0x0000000002C86000-memory.dmp

Filesize
600KB

Download
memory/1328-75-0x0000000002DE0000-0x0000000002DF1000-memory.dmp

Filesize
68KB

Download
memory/1608-16-0x000007FEF6350000-0x000007FEF65CA000-memory.dmp

Filesize
2.5MB

Download
memory/1732-77-0x00000000000C0000-0x00000000000D5000-memory.dmp

Filesize
84KB

Download
memory/2004-54-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2004-41-0x0000000001D60000-0x0000000001D71000-memory.dmp

Filesize
68KB

Download