smokeloader | 8501dc331081a8fdbb9f6a5789a8317acddd6ea7d5c0446f359df9c4922f9f72

Analysis

max time kernel
151s
max time network
144s
platform
windows7_x64
resource
win7v20201028
submitted
28-03-2021 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a27e10e9ae9c9322be87216d84ac718f.exe
Size

163KB
MD5

a27e10e9ae9c9322be87216d84ac718f
SHA1

41ef20744ae39b938dd45b9e0fc15f3215fe0ce5
SHA256

8501dc331081a8fdbb9f6a5789a8317acddd6ea7d5c0446f359df9c4922f9f72
SHA512

622f387a16066681ab59e54d8d8ba7a404682f7e27d1ddd5e0694717a5a136551a55e6dd2b62380a49ebdc67242fde600e1b8b3ee6261d589973045bb298b895

Score

10^/10

smokeloader taurus_stealer tofsee vidar backdoor discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus_stealer
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 7 IoCs

pid	Process
1652	CF60.exe
1160	DC6B.exe
756	CF60.exe
1256	F088.exe
1148	updatewin.exe
876	5.exe
2032	rielcbfj.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
1260	Process not Found

Loads dropped DLL 17 IoCs

pid	Process
1932	a27e10e9ae9c9322be87216d84ac718f.exe
1160	DC6B.exe
1160	DC6B.exe
1652	CF60.exe
1160	DC6B.exe
1160	DC6B.exe
1652	CF60.exe
756	CF60.exe
1148	updatewin.exe
1148	updatewin.exe
1148	updatewin.exe
756	CF60.exe
756	CF60.exe
876	5.exe
876	5.exe
876	5.exe
876	5.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1768	icacls.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4dd0c143-104c-4fd9-8db0-db9c5f1d06a9\\CF60.exe\" --AutoStart"	CF60.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	api.2ip.ua
31	api.2ip.ua
53	api.2ip.ua

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 820	2032	rielcbfj.exe	60

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a27e10e9ae9c9322be87216d84ac718f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a27e10e9ae9c9322be87216d84ac718f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a27e10e9ae9c9322be87216d84ac718f.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DC6B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DC6B.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
792	timeout.exe
1364	timeout.exe
800	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1996	taskkill.exe
760	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = e43b133d56c64e0524edb47d450dd49d084297dce82e72baa49917fde478771da7f2a58887cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda5691ddd8245703ae1ad644490bdb37820ea975400cef08d3c74bbc4103d35f8a66f10dc854d723cd4f10b4c90d8f6127db9a45e3494b48d6c2bd49e440b3cf9a65d579fc2223064b9f86400c68db47425ee925507cbc4e13b7e85c12b496da0f15d15d98d4d7235e0aa5119f459a444148eafb76cfdc48d541ce4ad744a6bbfff02579fc27d440dd49d642df4d9e44c8e98a46d34fdc741461ee4ad743c35f5a17316d880537534e4b3561cccbd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743de6cc945d	svchost.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CF60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	DC6B.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	DC6B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CF60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CF60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CF60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CF60.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	a27e10e9ae9c9322be87216d84ac718f.exe
1932	a27e10e9ae9c9322be87216d84ac718f.exe
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1932	a27e10e9ae9c9322be87216d84ac718f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeRestorePrivilege	1148	updatewin.exe
Token: SeBackupPrivilege	1148	updatewin.exe
Token: SeDebugPrivilege	760	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1652	1260	Process not Found	29
PID 1260 wrote to memory of 1652	1260	Process not Found	29
PID 1260 wrote to memory of 1652	1260	Process not Found	29
PID 1260 wrote to memory of 1652	1260	Process not Found	29
PID 1260 wrote to memory of 1160	1260	Process not Found	30
PID 1260 wrote to memory of 1160	1260	Process not Found	30
PID 1260 wrote to memory of 1160	1260	Process not Found	30
PID 1260 wrote to memory of 1160	1260	Process not Found	30
PID 1652 wrote to memory of 1768	1652	CF60.exe	33
PID 1652 wrote to memory of 1768	1652	CF60.exe	33
PID 1652 wrote to memory of 1768	1652	CF60.exe	33
PID 1652 wrote to memory of 1768	1652	CF60.exe	33
PID 1652 wrote to memory of 756	1652	CF60.exe	34
PID 1652 wrote to memory of 756	1652	CF60.exe	34
PID 1652 wrote to memory of 756	1652	CF60.exe	34
PID 1652 wrote to memory of 756	1652	CF60.exe	34
PID 1260 wrote to memory of 1256	1260	Process not Found	35
PID 1260 wrote to memory of 1256	1260	Process not Found	35
PID 1260 wrote to memory of 1256	1260	Process not Found	35
PID 1260 wrote to memory of 1256	1260	Process not Found	35
PID 756 wrote to memory of 1148	756	CF60.exe	36
PID 756 wrote to memory of 1148	756	CF60.exe	36
PID 756 wrote to memory of 1148	756	CF60.exe	36
PID 756 wrote to memory of 1148	756	CF60.exe	36
PID 756 wrote to memory of 1148	756	CF60.exe	36
PID 756 wrote to memory of 1148	756	CF60.exe	36
PID 756 wrote to memory of 1148	756	CF60.exe	36
PID 1160 wrote to memory of 1924	1160	DC6B.exe	37
PID 1160 wrote to memory of 1924	1160	DC6B.exe	37
PID 1160 wrote to memory of 1924	1160	DC6B.exe	37
PID 1160 wrote to memory of 1924	1160	DC6B.exe	37
PID 1924 wrote to memory of 1996	1924	cmd.exe	40
PID 1924 wrote to memory of 1996	1924	cmd.exe	40
PID 1924 wrote to memory of 1996	1924	cmd.exe	40
PID 1924 wrote to memory of 1996	1924	cmd.exe	40
PID 1256 wrote to memory of 1628	1256	F088.exe	41
PID 1256 wrote to memory of 1628	1256	F088.exe	41
PID 1256 wrote to memory of 1628	1256	F088.exe	41
PID 1256 wrote to memory of 1628	1256	F088.exe	41
PID 756 wrote to memory of 876	756	CF60.exe	44
PID 756 wrote to memory of 876	756	CF60.exe	44
PID 756 wrote to memory of 876	756	CF60.exe	44
PID 756 wrote to memory of 876	756	CF60.exe	44
PID 1924 wrote to memory of 1364	1924	cmd.exe	45
PID 1924 wrote to memory of 1364	1924	cmd.exe	45
PID 1924 wrote to memory of 1364	1924	cmd.exe	45
PID 1924 wrote to memory of 1364	1924	cmd.exe	45
PID 1256 wrote to memory of 1624	1256	F088.exe	46
PID 1256 wrote to memory of 1624	1256	F088.exe	46
PID 1256 wrote to memory of 1624	1256	F088.exe	46
PID 1256 wrote to memory of 1624	1256	F088.exe	46
PID 1256 wrote to memory of 692	1256	F088.exe	48
PID 1256 wrote to memory of 692	1256	F088.exe	48
PID 1256 wrote to memory of 692	1256	F088.exe	48
PID 1256 wrote to memory of 692	1256	F088.exe	48
PID 1256 wrote to memory of 760	1256	F088.exe	50
PID 1256 wrote to memory of 760	1256	F088.exe	50
PID 1256 wrote to memory of 760	1256	F088.exe	50
PID 1256 wrote to memory of 760	1256	F088.exe	50
PID 1256 wrote to memory of 440	1256	F088.exe	52
PID 1256 wrote to memory of 440	1256	F088.exe	52
PID 1256 wrote to memory of 440	1256	F088.exe	52
PID 1256 wrote to memory of 440	1256	F088.exe	52
PID 1148 wrote to memory of 848	1148	updatewin.exe	54

C:\Users\Admin\AppData\Local\Temp\a27e10e9ae9c9322be87216d84ac718f.exe
"C:\Users\Admin\AppData\Local\Temp\a27e10e9ae9c9322be87216d84ac718f.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1932

C:\Users\Admin\AppData\Local\Temp\CF60.exe
C:\Users\Admin\AppData\Local\Temp\CF60.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\4dd0c143-104c-4fd9-8db0-db9c5f1d06a9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\CF60.exe
  "C:\Users\Admin\AppData\Local\Temp\CF60.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Users\Admin\AppData\Local\c26517e9-c09e-473f-b4b6-1a301f10c08e\updatewin.exe
    "C:\Users\Admin\AppData\Local\c26517e9-c09e-473f-b4b6-1a301f10c08e\updatewin.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\c26517e9-c09e-473f-b4b6-1a301f10c08e\updatewin.exe
      4⤵
      PID:848
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:800
- - C:\Users\Admin\AppData\Local\c26517e9-c09e-473f-b4b6-1a301f10c08e\5.exe
    "C:\Users\Admin\AppData\Local\c26517e9-c09e-473f-b4b6-1a301f10c08e\5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:876
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\c26517e9-c09e-473f-b4b6-1a301f10c08e\5.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:692
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:792

C:\Users\Admin\AppData\Local\Temp\DC6B.exe
C:\Users\Admin\AppData\Local\Temp\DC6B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im DC6B.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DC6B.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im DC6B.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:1364

C:\Users\Admin\AppData\Local\Temp\F088.exe
C:\Users\Admin\AppData\Local\Temp\F088.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hyykemnu\
  2⤵
  PID:1628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rielcbfj.exe" C:\Windows\SysWOW64\hyykemnu\
  2⤵
  PID:1624
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create hyykemnu binPath= "C:\Windows\SysWOW64\hyykemnu\rielcbfj.exe /d\"C:\Users\Admin\AppData\Local\Temp\F088.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:692
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description hyykemnu "wifi internet conection"
  2⤵
  PID:760
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start hyykemnu
  2⤵
  PID:440
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:1268

C:\Windows\SysWOW64\hyykemnu\rielcbfj.exe
C:\Windows\SysWOW64\hyykemnu\rielcbfj.exe /d"C:\Users\Admin\AppData\Local\Temp\F088.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2032
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-35-0x00000000019E0000-0x00000000019F1000-memory.dmp

Filesize
68KB

Download
memory/756-47-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/820-104-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/876-70-0x0000000002F50000-0x0000000002F61000-memory.dmp

Filesize
68KB

Download
memory/876-82-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/876-81-0x0000000000340000-0x00000000003D6000-memory.dmp

Filesize
600KB

Download
memory/1064-16-0x000007FEF5BC0000-0x000007FEF5E3A000-memory.dmp

Filesize
2.5MB

Download
memory/1160-20-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1160-19-0x0000000000220000-0x00000000002B5000-memory.dmp

Filesize
596KB

Download
memory/1160-17-0x0000000002410000-0x0000000002421000-memory.dmp

Filesize
68KB

Download
memory/1256-53-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1256-50-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1256-46-0x0000000002380000-0x0000000002391000-memory.dmp

Filesize
68KB

Download
memory/1260-7-0x0000000003670000-0x0000000003686000-memory.dmp

Filesize
88KB

Download
memory/1652-13-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1652-10-0x0000000001980000-0x0000000001991000-memory.dmp

Filesize
68KB

Download
memory/1652-12-0x0000000001980000-0x0000000001A9A000-memory.dmp

Filesize
1.1MB

Download
memory/1932-2-0x0000000002210000-0x0000000002221000-memory.dmp

Filesize
68KB

Download
memory/1932-5-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1932-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1932-3-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/2032-108-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2032-101-0x0000000000E80000-0x0000000000E91000-memory.dmp

Filesize
68KB

Download