smokeloader | d4e1c7562172f7e075f9c87630d6e4e363514157ef85b2cef463799354466d6f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7v20201028
submitted
28-03-2021 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

101e9314ddfdcb495a150c58f152f172.exe
Size

162KB
MD5

101e9314ddfdcb495a150c58f152f172
SHA1

806c6f4a8f9c97b0af94d96a51629b32829fc147
SHA256

d4e1c7562172f7e075f9c87630d6e4e363514157ef85b2cef463799354466d6f
SHA512

577a821b9eff1f7caf5c3e5c7b60071df6be71d37cad961e4146ab12126bc94f8072e9928b5268686104ca08f8031dd06d57379ecfb5115ba62c7626f65afe92

Score

10^/10

smokeloader taurus_stealer tofsee vidar backdoor discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus_stealer
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 7 IoCs

pid	Process
292	F3A2.exe
1928	FAB5.exe
1476	30F.exe
1900	F3A2.exe
324	edrthefx.exe
1544	updatewin.exe
1008	5.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
1260	Process not Found

Loads dropped DLL 17 IoCs

pid	Process
744	101e9314ddfdcb495a150c58f152f172.exe
1928	FAB5.exe
1928	FAB5.exe
1928	FAB5.exe
1928	FAB5.exe
292	F3A2.exe
292	F3A2.exe
1900	F3A2.exe
1544	updatewin.exe
1544	updatewin.exe
1544	updatewin.exe
1900	F3A2.exe
1900	F3A2.exe
1008	5.exe
1008	5.exe
1008	5.exe
1008	5.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1632	icacls.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c2f5da54-bbb7-4cc5-a83e-3fa6639428f5\\F3A2.exe\" --AutoStart"	F3A2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	api.2ip.ua
42	api.2ip.ua
56	api.2ip.ua

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 324 set thread context of 1468	324	edrthefx.exe	55

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	101e9314ddfdcb495a150c58f152f172.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	101e9314ddfdcb495a150c58f152f172.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	101e9314ddfdcb495a150c58f152f172.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FAB5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FAB5.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2044	timeout.exe
1696	timeout.exe
1476	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1204	taskkill.exe
1500	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = e43b1e3db4c04e0524edb47d450dd49d084297dce82e72baa4991cfd44787c1d28ea2a3c87cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda5691ddd8245713ee1ab644490bdb67d24ed935400c9f38d3c74bbc4103d29f9a16a12dd834e753ad4f10b4c90d8f6127db9a45e3494b48d6c2bd49e440b3cf9a65d579fc2223064b9f86400c585b77e24e4965901cdc4e13b7e85c12b496da0f15d15d98d4d7235e1ae521df459a444146ca9b76cfdc48d541ce4ad744a6bbfff02579fc27d440dd49d642df4eb1492b998a46d34fdc741461ee4ad743c35f5a17316d880537534e4b3561cccbd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743de3cc945d	svchost.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	F3A2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	F3A2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	F3A2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	FAB5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	FAB5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	F3A2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	F3A2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
744	101e9314ddfdcb495a150c58f152f172.exe
744	101e9314ddfdcb495a150c58f152f172.exe
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
744	101e9314ddfdcb495a150c58f152f172.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeRestorePrivilege	1544	updatewin.exe
Token: SeBackupPrivilege	1544	updatewin.exe
Token: SeDebugPrivilege	1500	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 292	1260	Process not Found	29
PID 1260 wrote to memory of 292	1260	Process not Found	29
PID 1260 wrote to memory of 292	1260	Process not Found	29
PID 1260 wrote to memory of 292	1260	Process not Found	29
PID 1260 wrote to memory of 1928	1260	Process not Found	30
PID 1260 wrote to memory of 1928	1260	Process not Found	30
PID 1260 wrote to memory of 1928	1260	Process not Found	30
PID 1260 wrote to memory of 1928	1260	Process not Found	30
PID 1260 wrote to memory of 1476	1260	Process not Found	33
PID 1260 wrote to memory of 1476	1260	Process not Found	33
PID 1260 wrote to memory of 1476	1260	Process not Found	33
PID 1260 wrote to memory of 1476	1260	Process not Found	33
PID 1476 wrote to memory of 1720	1476	30F.exe	34
PID 1476 wrote to memory of 1720	1476	30F.exe	34
PID 1476 wrote to memory of 1720	1476	30F.exe	34
PID 1476 wrote to memory of 1720	1476	30F.exe	34
PID 1476 wrote to memory of 1980	1476	30F.exe	36
PID 1476 wrote to memory of 1980	1476	30F.exe	36
PID 1476 wrote to memory of 1980	1476	30F.exe	36
PID 1476 wrote to memory of 1980	1476	30F.exe	36
PID 292 wrote to memory of 1632	292	F3A2.exe	38
PID 292 wrote to memory of 1632	292	F3A2.exe	38
PID 292 wrote to memory of 1632	292	F3A2.exe	38
PID 292 wrote to memory of 1632	292	F3A2.exe	38
PID 1476 wrote to memory of 1948	1476	30F.exe	39
PID 1476 wrote to memory of 1948	1476	30F.exe	39
PID 1476 wrote to memory of 1948	1476	30F.exe	39
PID 1476 wrote to memory of 1948	1476	30F.exe	39
PID 1476 wrote to memory of 1092	1476	30F.exe	41
PID 1476 wrote to memory of 1092	1476	30F.exe	41
PID 1476 wrote to memory of 1092	1476	30F.exe	41
PID 1476 wrote to memory of 1092	1476	30F.exe	41
PID 292 wrote to memory of 1900	292	F3A2.exe	43
PID 292 wrote to memory of 1900	292	F3A2.exe	43
PID 292 wrote to memory of 1900	292	F3A2.exe	43
PID 292 wrote to memory of 1900	292	F3A2.exe	43
PID 1476 wrote to memory of 1368	1476	30F.exe	44
PID 1476 wrote to memory of 1368	1476	30F.exe	44
PID 1476 wrote to memory of 1368	1476	30F.exe	44
PID 1476 wrote to memory of 1368	1476	30F.exe	44
PID 1476 wrote to memory of 1576	1476	30F.exe	48
PID 1476 wrote to memory of 1576	1476	30F.exe	48
PID 1476 wrote to memory of 1576	1476	30F.exe	48
PID 1476 wrote to memory of 1576	1476	30F.exe	48
PID 1900 wrote to memory of 1544	1900	F3A2.exe	50
PID 1900 wrote to memory of 1544	1900	F3A2.exe	50
PID 1900 wrote to memory of 1544	1900	F3A2.exe	50
PID 1900 wrote to memory of 1544	1900	F3A2.exe	50
PID 1900 wrote to memory of 1544	1900	F3A2.exe	50
PID 1900 wrote to memory of 1544	1900	F3A2.exe	50
PID 1900 wrote to memory of 1544	1900	F3A2.exe	50
PID 1900 wrote to memory of 1008	1900	F3A2.exe	51
PID 1900 wrote to memory of 1008	1900	F3A2.exe	51
PID 1900 wrote to memory of 1008	1900	F3A2.exe	51
PID 1900 wrote to memory of 1008	1900	F3A2.exe	51
PID 1928 wrote to memory of 576	1928	FAB5.exe	54
PID 1928 wrote to memory of 576	1928	FAB5.exe	54
PID 1928 wrote to memory of 576	1928	FAB5.exe	54
PID 1928 wrote to memory of 576	1928	FAB5.exe	54
PID 576 wrote to memory of 1204	576	cmd.exe	53
PID 576 wrote to memory of 1204	576	cmd.exe	53
PID 576 wrote to memory of 1204	576	cmd.exe	53
PID 576 wrote to memory of 1204	576	cmd.exe	53
PID 324 wrote to memory of 1468	324	edrthefx.exe	55

C:\Users\Admin\AppData\Local\Temp\101e9314ddfdcb495a150c58f152f172.exe
"C:\Users\Admin\AppData\Local\Temp\101e9314ddfdcb495a150c58f152f172.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:744

C:\Users\Admin\AppData\Local\Temp\F3A2.exe
C:\Users\Admin\AppData\Local\Temp\F3A2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:292
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\c2f5da54-bbb7-4cc5-a83e-3fa6639428f5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\F3A2.exe
  "C:\Users\Admin\AppData\Local\Temp\F3A2.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\9b152989-d723-446b-9344-746d0ce96bb5\updatewin.exe
    "C:\Users\Admin\AppData\Local\9b152989-d723-446b-9344-746d0ce96bb5\updatewin.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\9b152989-d723-446b-9344-746d0ce96bb5\updatewin.exe
      4⤵
      PID:1656
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1696
- - C:\Users\Admin\AppData\Local\9b152989-d723-446b-9344-746d0ce96bb5\5.exe
    "C:\Users\Admin\AppData\Local\9b152989-d723-446b-9344-746d0ce96bb5\5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\9b152989-d723-446b-9344-746d0ce96bb5\5.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:1476

C:\Users\Admin\AppData\Local\Temp\FAB5.exe
C:\Users\Admin\AppData\Local\Temp\FAB5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im FAB5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\FAB5.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:2044

C:\Users\Admin\AppData\Local\Temp\30F.exe
C:\Users\Admin\AppData\Local\Temp\30F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dtkcthmy\
  2⤵
  PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\edrthefx.exe" C:\Windows\SysWOW64\dtkcthmy\
  2⤵
  PID:1980
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create dtkcthmy binPath= "C:\Windows\SysWOW64\dtkcthmy\edrthefx.exe /d\"C:\Users\Admin\AppData\Local\Temp\30F.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:1948
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description dtkcthmy "wifi internet conection"
  2⤵
  PID:1092
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start dtkcthmy
  2⤵
  PID:1368
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:1576

C:\Windows\SysWOW64\dtkcthmy\edrthefx.exe
C:\Windows\SysWOW64\dtkcthmy\edrthefx.exe /d"C:\Users\Admin\AppData\Local\Temp\30F.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1468

C:\Windows\SysWOW64\taskkill.exe
taskkill /im FAB5.exe /f
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-12-0x00000000019B0000-0x0000000001ACA000-memory.dmp

Filesize
1.1MB

Download
memory/292-10-0x00000000019B0000-0x00000000019C1000-memory.dmp

Filesize
68KB

Download
memory/292-13-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/324-74-0x0000000000F90000-0x0000000000FA1000-memory.dmp

Filesize
68KB

Download
memory/324-84-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/744-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/744-4-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/744-3-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/744-2-0x00000000022E0000-0x00000000022F1000-memory.dmp

Filesize
68KB

Download
memory/1008-90-0x0000000002D60000-0x0000000002D71000-memory.dmp

Filesize
68KB

Download
memory/1008-93-0x00000000002A0000-0x0000000000336000-memory.dmp

Filesize
600KB

Download
memory/1008-94-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1260-7-0x00000000029B0000-0x00000000029C6000-memory.dmp

Filesize
88KB

Download
memory/1348-17-0x000007FEF7590000-0x000007FEF780A000-memory.dmp

Filesize
2.5MB

Download
memory/1468-80-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1476-27-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1476-26-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/1476-23-0x00000000021F0000-0x0000000002201000-memory.dmp

Filesize
68KB

Download
memory/1900-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1900-51-0x00000000019C0000-0x00000000019D1000-memory.dmp

Filesize
68KB

Download
memory/1928-22-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1928-19-0x0000000002210000-0x0000000002221000-memory.dmp

Filesize
68KB

Download
memory/1928-21-0x0000000000330000-0x00000000003C5000-memory.dmp

Filesize
596KB

Download