smokeloader | fb2e2174a3ec526861932043c1aa5b5e62e3abed0bb73e88e495eab66635e758

Target

e0059c4ad73116bf0ea29d575ea2c175.exe
Size

162KB
MD5

e0059c4ad73116bf0ea29d575ea2c175
SHA1

a1316534bb8a3b52ec4f14d8c3172e49f6c5760f
SHA256

fb2e2174a3ec526861932043c1aa5b5e62e3abed0bb73e88e495eab66635e758
SHA512

b8a06dd6de28e6d29ebafe58bb6262412add147f01f3d3367dd7da95d083d92656e92a7bfce6a13179dc27b6ee346f5bcf98b0f067be2286a9cc741babd06de4

Score

10^/10

smokeloader tofsee backdoor bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 9 IoCs

Processes:

CE33.exeD74C.exeCE33.exeE382.exeupdatewin.exe5.exetphhetsg.exe33.exe63E.exe

pid process

208 CE33.exe
2936 D74C.exe
3040 CE33.exe
1480 E382.exe
2596 updatewin.exe
1624 5.exe
3880 tphhetsg.exe
1064 33.exe
3832 63E.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
208	CE33.exe
2936	D74C.exe
3040	CE33.exe
1480	E382.exe
2596	updatewin.exe
1624	5.exe
3880	tphhetsg.exe
1064	33.exe
3832	63E.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

33.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	33.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	33.exe

Deletes itself 1 IoCs

Processes:

pid process

3048
Loads dropped DLL 1 IoCs

Processes:

e0059c4ad73116bf0ea29d575ea2c175.exe

pid process

496 e0059c4ad73116bf0ea29d575ea2c175.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1072 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3048

pid	process
1072	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CE33.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\aab5f5a6-0d53-4317-b4a9-91e12fcb526b\\CE33.exe\" --AutoStart"	CE33.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

33.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 33.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 api.2ip.ua
34 api.2ip.ua
57 api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

63E.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 63E.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

33.exe

pid process

1064 33.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tphhetsg.exe

description pid process target process

PID 3880 set thread context of 3736 3880 tphhetsg.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	33.exe

flow	ioc
33	api.2ip.ua
34	api.2ip.ua
57	api.2ip.ua

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	63E.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

pid	process
1064	33.exe

description	pid	process	target process
PID 3880 set thread context of 3736	3880	tphhetsg.exe	svchost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e0059c4ad73116bf0ea29d575ea2c175.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e0059c4ad73116bf0ea29d575ea2c175.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e0059c4ad73116bf0ea29d575ea2c175.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e0059c4ad73116bf0ea29d575ea2c175.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2276 timeout.exe

pid	process
2276	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = e4ee073e5bb54f0524edb47d450dd49d084297dce82e72baa46d34fdc48d541db320552c86cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda5691ddd834a7c3fe4ae644490bdb57c21e9925b07c5f5b454758df21d5904fca76c1dda834b753ee29d084295d9e13f4bb4c06d07fdadfd542fd69f430a36fba769249ec60b1b79bdf0012dcd8cbc7a2ced965501fda8e2377c88f2005469a8946c10d4844a7335e6ad532d109dac4c74a57f3534fdc48d551de4ad035276a6cb2e569bb47d440dd49d642df5ba396f51dda46d34fe089f571de4ad750c3cf8ba6f11d99a4c7d3dfaaf5515f4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad74de05cd94	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

CE33.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CE33.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CE33.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e0059c4ad73116bf0ea29d575ea2c175.exe

pid	process
496	e0059c4ad73116bf0ea29d575ea2c175.exe
496	e0059c4ad73116bf0ea29d575ea2c175.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e0059c4ad73116bf0ea29d575ea2c175.exe

pid process

496 e0059c4ad73116bf0ea29d575ea2c175.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

63E.exe

description	pid	process
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3832	63E.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

CE33.exeCE33.exeE382.exeupdatewin.execmd.exetphhetsg.exe

description	pid	process	target process
PID 3048 wrote to memory of 208	3048		CE33.exe
PID 3048 wrote to memory of 208	3048		CE33.exe
PID 3048 wrote to memory of 208	3048		CE33.exe
PID 3048 wrote to memory of 2936	3048		D74C.exe
PID 3048 wrote to memory of 2936	3048		D74C.exe
PID 3048 wrote to memory of 2936	3048		D74C.exe
PID 208 wrote to memory of 1072	208	CE33.exe	icacls.exe
PID 208 wrote to memory of 1072	208	CE33.exe	icacls.exe
PID 208 wrote to memory of 1072	208	CE33.exe	icacls.exe
PID 208 wrote to memory of 3040	208	CE33.exe	CE33.exe
PID 208 wrote to memory of 3040	208	CE33.exe	CE33.exe
PID 208 wrote to memory of 3040	208	CE33.exe	CE33.exe
PID 3048 wrote to memory of 1480	3048		E382.exe
PID 3048 wrote to memory of 1480	3048		E382.exe
PID 3048 wrote to memory of 1480	3048		E382.exe
PID 3040 wrote to memory of 2596	3040	CE33.exe	updatewin.exe
PID 3040 wrote to memory of 2596	3040	CE33.exe	updatewin.exe
PID 3040 wrote to memory of 2596	3040	CE33.exe	updatewin.exe
PID 3040 wrote to memory of 1624	3040	CE33.exe	5.exe
PID 3040 wrote to memory of 1624	3040	CE33.exe	5.exe
PID 3040 wrote to memory of 1624	3040	CE33.exe	5.exe
PID 1480 wrote to memory of 4068	1480	E382.exe	cmd.exe
PID 1480 wrote to memory of 4068	1480	E382.exe	cmd.exe
PID 1480 wrote to memory of 4068	1480	E382.exe	cmd.exe
PID 1480 wrote to memory of 3144	1480	E382.exe	cmd.exe
PID 1480 wrote to memory of 3144	1480	E382.exe	cmd.exe
PID 1480 wrote to memory of 3144	1480	E382.exe	cmd.exe
PID 1480 wrote to memory of 3920	1480	E382.exe	sc.exe
PID 1480 wrote to memory of 3920	1480	E382.exe	sc.exe
PID 1480 wrote to memory of 3920	1480	E382.exe	sc.exe
PID 1480 wrote to memory of 1308	1480	E382.exe	sc.exe
PID 1480 wrote to memory of 1308	1480	E382.exe	sc.exe
PID 1480 wrote to memory of 1308	1480	E382.exe	sc.exe
PID 1480 wrote to memory of 2020	1480	E382.exe	sc.exe
PID 1480 wrote to memory of 2020	1480	E382.exe	sc.exe
PID 1480 wrote to memory of 2020	1480	E382.exe	sc.exe
PID 1480 wrote to memory of 1636	1480	E382.exe	netsh.exe
PID 1480 wrote to memory of 1636	1480	E382.exe	netsh.exe
PID 1480 wrote to memory of 1636	1480	E382.exe	netsh.exe
PID 3048 wrote to memory of 1064	3048		33.exe
PID 3048 wrote to memory of 1064	3048		33.exe
PID 3048 wrote to memory of 1064	3048		33.exe
PID 2596 wrote to memory of 3168	2596	updatewin.exe	cmd.exe
PID 2596 wrote to memory of 3168	2596	updatewin.exe	cmd.exe
PID 2596 wrote to memory of 3168	2596	updatewin.exe	cmd.exe
PID 3048 wrote to memory of 3832	3048		63E.exe
PID 3048 wrote to memory of 3832	3048		63E.exe
PID 3048 wrote to memory of 3832	3048		63E.exe
PID 3168 wrote to memory of 2276	3168	cmd.exe	timeout.exe
PID 3168 wrote to memory of 2276	3168	cmd.exe	timeout.exe
PID 3168 wrote to memory of 2276	3168	cmd.exe	timeout.exe
PID 3880 wrote to memory of 3736	3880	tphhetsg.exe	svchost.exe
PID 3880 wrote to memory of 3736	3880	tphhetsg.exe	svchost.exe
PID 3880 wrote to memory of 3736	3880	tphhetsg.exe	svchost.exe
PID 3880 wrote to memory of 3736	3880	tphhetsg.exe	svchost.exe
PID 3880 wrote to memory of 3736	3880	tphhetsg.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e0059c4ad73116bf0ea29d575ea2c175.exe
"C:\Users\Admin\AppData\Local\Temp\e0059c4ad73116bf0ea29d575ea2c175.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:496

C:\Users\Admin\AppData\Local\Temp\CE33.exe
C:\Users\Admin\AppData\Local\Temp\CE33.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\aab5f5a6-0d53-4317-b4a9-91e12fcb526b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:1072

C:\Users\Admin\AppData\Local\Temp\CE33.exe
"C:\Users\Admin\AppData\Local\Temp\CE33.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\914c36e4-efc5-40b2-ac48-819dcdbde0f8\updatewin.exe
"C:\Users\Admin\AppData\Local\914c36e4-efc5-40b2-ac48-819dcdbde0f8\updatewin.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\914c36e4-efc5-40b2-ac48-819dcdbde0f8\updatewin.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:2276

C:\Users\Admin\AppData\Local\914c36e4-efc5-40b2-ac48-819dcdbde0f8\5.exe
"C:\Users\Admin\AppData\Local\914c36e4-efc5-40b2-ac48-819dcdbde0f8\5.exe"
3⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\Temp\D74C.exe
C:\Users\Admin\AppData\Local\Temp\D74C.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Users\Admin\AppData\Local\Temp\E382.exe
C:\Users\Admin\AppData\Local\Temp\E382.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uxkzevg\
2⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tphhetsg.exe" C:\Windows\SysWOW64\uxkzevg\
2⤵
PID:3144

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create uxkzevg binPath= "C:\Windows\SysWOW64\uxkzevg\tphhetsg.exe /d\"C:\Users\Admin\AppData\Local\Temp\E382.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:3920

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description uxkzevg "wifi internet conection"
2⤵
PID:1308

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start uxkzevg
2⤵
PID:2020

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1636

C:\Windows\SysWOW64\uxkzevg\tphhetsg.exe
C:\Windows\SysWOW64\uxkzevg\tphhetsg.exe /d"C:\Users\Admin\AppData\Local\Temp\E382.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3736

C:\Users\Admin\AppData\Local\Temp\33.exe
C:\Users\Admin\AppData\Local\Temp\33.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1064

C:\Users\Admin\AppData\Local\Temp\63E.exe
C:\Users\Admin\AppData\Local\Temp\63E.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:3832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

New Service

T1050

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
54e60fd0149fe960a1bb51d1a63724b3

SHA1
8edc3d0d641441a72c642c3e96dabfe8aa9877a8

SHA256
7cdb049d052b55ee9c2ba9096e8cf7e1f9117d2898c1679ab2ef2e8683356309

SHA512
090766a3ae2e7d091ee0f22ce954373327d9642e10451f55342b76b1aa444c8e16cc4102957570e08d7fa19b1e17fe34f8a764f8c041c82f799d095ccf0f357b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3be96afd7b9e0ff481b665d594167224

SHA1
aff8ca9cc93425b2c20b55aaf1c1e0b56f347144

SHA256
36981629cd13aef6fa93a598db9dd7745d491fb7bee57b235ddcb66f1a8c5799

SHA512
76df4e5a44f6be6e75136550ebdc4bad504cafeef08c2a3f3730343f43b22771b8a3f9ba6ea5b755ed4e674257754bf29b2b8197f9bc0894219dde5f34821299

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
e1b17cb36e7813e48c590622bc15252b

SHA1
6dfc7033c04075f8925ffed5a3c13a242825c0db

SHA256
e0cfd73d9d91f8b78fd95262a42ec028eb804c6f8ea6b150debbf31d187ab47a

SHA512
95bd7f3752dc2676c577a7da203bf790635cb5fb54a4658377096908d6366ee065697dbcc0c92f93620e07a568935960b2682891a5d3b0c36483c96ebf286c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
bd8bc7c199c190c502ef1376a9801527

SHA1
0a88d104ebcdac958e91aa7a79bdd751213b4984

SHA256
e38d42ba83f46df484d48b25f9ba60423b8248379c859fdb035a6c3323784fcc

SHA512
6a6cc1b6d4e452f4650e289a64af2d8cffd3649d4e75b105d0a818d4a718f82da3e5d411ec7a66aca24c5147bc84a388f82690885a2c02128b5e3854b95e3441

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
bbecc81efd3a40c49ccc3c245894b122

SHA1
2493c1560ab9003266aa1bc111ecbd822099131f

SHA256
04fa5960b098a18afaf70fb1425d8ff874e411dba19b322621e64b60e3853dda

SHA512
b0d4e15f2db0759d2cdc6e158c3da43d282d2ba79a3ee4a25a465a8669e4f06a85ac54e1b0784b241134383889c3f59f8b4181b77c070805307cf1958b8a3a8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
11d61c28e241d6d6c55c81a9ce61d477

SHA1
078d89e629e788f79fa13d8c1fd09c3704992675

SHA256
0aa05142e32a246fae5889ac86f171be55b2acace86aef7cfbf6c3b4a8fbdd5d

SHA512
c346e6f31c0f6d515f8aa5a57b534c03af05c7214da1a9b43c42064b2ad9b1dae75b4688d3bc8e0c737cfc80a8ab92b325c5f6d66ed1fd6771bce46bdd1785a4

Download Submit
C:\Users\Admin\AppData\Local\914c36e4-efc5-40b2-ac48-819dcdbde0f8\5.exe
MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\914c36e4-efc5-40b2-ac48-819dcdbde0f8\5.exe
MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\914c36e4-efc5-40b2-ac48-819dcdbde0f8\updatewin.exe
MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
C:\Users\Admin\AppData\Local\914c36e4-efc5-40b2-ac48-819dcdbde0f8\updatewin.exe
MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\xeronxik123[1].json
MD5
c368ec7ae20fd11786416ff6c9b1017a

SHA1
5b1e24f8ecba4742a5f330aad81a8db918a568bb

SHA256
f417542b2b37c8bcdc88b4c3132e3417e3ec8b0c991434066fe3cea7dd9e23db

SHA512
1c1aaca05b740ef8aeba9869aa005c102a20dc6b93c7789140cda701244e34526486e2510f4387369502e79299d0554d1d28eec53861f06f0a4a3daf579df38b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\OOLOEFPD.cookie
MD5
84041655dcacd695f8e81f9e23fd46d3

SHA1
985ffb8acf9fe6ef19e9842f5d2aadb53dde2656

SHA256
3047d403cd06035890eb1ccb575dda51be8c8aa26c32a5f33e43e3a265707fda

SHA512
3ab9eadc4da69034a6e5c67f6a62ff6bb5943bf102607faf2da7ca0bb09250c29366bba53881103f3ae3fb8ada8204bdcf7b707f0b0fdc89c49582ed81a462ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\33.exe
MD5
ac229a86dd4f26f164d2a3fc644aa82f

SHA1
00616fb12a461213bb67caa8ddaef47710d0e21d

SHA256
90eaf187a5d561327c663d76727fc1dff5b1efdb6746fb680eeac254a9f5795e

SHA512
420c35bb22c86e12147084e411da785db7e0a8d4a85d8ecf21fab896257ab454ac2eab02ca8b6ec9d9176801d201595da7cfe36235688d6a3c61fd484806e526

Download Submit
C:\Users\Admin\AppData\Local\Temp\63E.exe
MD5
9866604e6a4eb4fce58553700dcb5834

SHA1
58f0571b583dda88a2dc56976b1d8654a51a96c0

SHA256
240967b5dfa83d9c937ee2b419aaaedb587b785aaeff9428dd9b334714461622

SHA512
7a585ddf38f18ba8de7906f5570538d69306850d4a1cdfd40e3b5a6ba70b37e8cf2ccf31c5c869d21fb3d532e3ec4ec571e0bd0aa08982bdad60ee072828e89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\63E.exe
MD5
9866604e6a4eb4fce58553700dcb5834

SHA1
58f0571b583dda88a2dc56976b1d8654a51a96c0

SHA256
240967b5dfa83d9c937ee2b419aaaedb587b785aaeff9428dd9b334714461622

SHA512
7a585ddf38f18ba8de7906f5570538d69306850d4a1cdfd40e3b5a6ba70b37e8cf2ccf31c5c869d21fb3d532e3ec4ec571e0bd0aa08982bdad60ee072828e89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE33.exe
MD5
f3f35dcb69fca49ae55a22812770ecb2

SHA1
eb8c95dc050978d10c05073b0d5311f86da986ed

SHA256
a3d26db7812778043abdf20ad3ff5caf68be3752fcd33de75d1bea8f515ed3d2

SHA512
098d6f2f768811004ef87b51074fbbd9d36ee483cce637efe1f97dae0bec1bcc7c37e737d9ddb082cd1870c7c0952b334b4dbd07a7eb2b293b7a2646a7e10632

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE33.exe
MD5
f3f35dcb69fca49ae55a22812770ecb2

SHA1
eb8c95dc050978d10c05073b0d5311f86da986ed

SHA256
a3d26db7812778043abdf20ad3ff5caf68be3752fcd33de75d1bea8f515ed3d2

SHA512
098d6f2f768811004ef87b51074fbbd9d36ee483cce637efe1f97dae0bec1bcc7c37e737d9ddb082cd1870c7c0952b334b4dbd07a7eb2b293b7a2646a7e10632

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE33.exe
MD5
f3f35dcb69fca49ae55a22812770ecb2

SHA1
eb8c95dc050978d10c05073b0d5311f86da986ed

SHA256
a3d26db7812778043abdf20ad3ff5caf68be3752fcd33de75d1bea8f515ed3d2

SHA512
098d6f2f768811004ef87b51074fbbd9d36ee483cce637efe1f97dae0bec1bcc7c37e737d9ddb082cd1870c7c0952b334b4dbd07a7eb2b293b7a2646a7e10632

Download Submit
C:\Users\Admin\AppData\Local\Temp\D74C.exe
MD5
6c1a69a9e18b98cfb5785df241f0594c

SHA1
de5736e5ed2c74b14f73564e0487a67135826028

SHA256
6a9c8196948a83cf1d12891b639d5fd27fa04ec5e418600cf8429184b464258e

SHA512
004725c80d44475bc59899da974dc0ac6d3b4a2cb39b8d850cd8e21e357794f674fcf267f29b1b79d499e3493fa1e60e96a3154bb18eef60a30913f9289bdd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D74C.exe
MD5
6c1a69a9e18b98cfb5785df241f0594c

SHA1
de5736e5ed2c74b14f73564e0487a67135826028

SHA256
6a9c8196948a83cf1d12891b639d5fd27fa04ec5e418600cf8429184b464258e

SHA512
004725c80d44475bc59899da974dc0ac6d3b4a2cb39b8d850cd8e21e357794f674fcf267f29b1b79d499e3493fa1e60e96a3154bb18eef60a30913f9289bdd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E382.exe
MD5
4e34484acc2dca82861b7c093e6725e6

SHA1
9086b5b62ea11b8130a4287221a6261abaf4a7b6

SHA256
f20b356209c6bfb249c15b756306e563b2ad6263dda15bb1eef2671e06a34d13

SHA512
207669d9d21b03f49cb8ead0136affe55201fe660d240b558313c976585279fa770b40c2ab72cb1ca11126221de4986c12a60e7c711ab507ec05fed062be2379

Download Submit
C:\Users\Admin\AppData\Local\Temp\E382.exe
MD5
4e34484acc2dca82861b7c093e6725e6

SHA1
9086b5b62ea11b8130a4287221a6261abaf4a7b6

SHA256
f20b356209c6bfb249c15b756306e563b2ad6263dda15bb1eef2671e06a34d13

SHA512
207669d9d21b03f49cb8ead0136affe55201fe660d240b558313c976585279fa770b40c2ab72cb1ca11126221de4986c12a60e7c711ab507ec05fed062be2379

Download Submit
C:\Users\Admin\AppData\Local\Temp\tphhetsg.exe
MD5
d52cd77caeb2b90ae38988441c4bde72

SHA1
f9ca3af18a277a9261971873e117dfe0aae302c2

SHA256
d6b64b26a3362e88a962424b5a193e37a78d83ed42efa48f059a247df3543817

SHA512
24e35af1940cf5ec474742b1ec99478ddd0b3f9709781b7d6467d72e28596eef87bd32bde3c41314752f3e3a737880c6e9a17419f60cd7e206604319cac112c5

Download Submit
C:\Users\Admin\AppData\Local\aab5f5a6-0d53-4317-b4a9-91e12fcb526b\CE33.exe
MD5
f3f35dcb69fca49ae55a22812770ecb2

SHA1
eb8c95dc050978d10c05073b0d5311f86da986ed

SHA256
a3d26db7812778043abdf20ad3ff5caf68be3752fcd33de75d1bea8f515ed3d2

SHA512
098d6f2f768811004ef87b51074fbbd9d36ee483cce637efe1f97dae0bec1bcc7c37e737d9ddb082cd1870c7c0952b334b4dbd07a7eb2b293b7a2646a7e10632

Download Submit
C:\Windows\SysWOW64\uxkzevg\tphhetsg.exe
MD5
d52cd77caeb2b90ae38988441c4bde72

SHA1
f9ca3af18a277a9261971873e117dfe0aae302c2

SHA256
d6b64b26a3362e88a962424b5a193e37a78d83ed42efa48f059a247df3543817

SHA512
24e35af1940cf5ec474742b1ec99478ddd0b3f9709781b7d6467d72e28596eef87bd32bde3c41314752f3e3a737880c6e9a17419f60cd7e206604319cac112c5

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/208-14-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/208-13-0x0000000001BB0000-0x0000000001CCA000-memory.dmp

Filesize
1.1MB

Download
memory/208-10-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/208-7-0x0000000000000000-mapping.dmp

Download
memory/496-2-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/496-4-0x0000000000940000-0x0000000000949000-memory.dmp

Filesize
36KB

Download
memory/496-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1064-87-0x0000000005523000-0x0000000005524000-memory.dmp

Filesize
4KB

Download
memory/1064-66-0x0000000000400000-0x0000000000BDD000-memory.dmp

Filesize
7.9MB

Download
memory/1064-74-0x0000000070B30000-0x000000007121E000-memory.dmp

Filesize
6.9MB

Download
memory/1064-64-0x0000000000000000-mapping.dmp

Download
memory/1064-90-0x0000000005524000-0x0000000005526000-memory.dmp

Filesize
8KB

Download
memory/1064-88-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/1064-86-0x0000000005522000-0x0000000005523000-memory.dmp

Filesize
4KB

Download
memory/1064-85-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/1064-82-0x0000000003060000-0x000000000308B000-memory.dmp

Filesize
172KB

Download
memory/1064-79-0x0000000002FC0000-0x0000000002FED000-memory.dmp

Filesize
180KB

Download
memory/1064-80-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/1064-68-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/1064-67-0x0000000077194000-0x0000000077195000-memory.dmp

Filesize
4KB

Download
memory/1072-18-0x0000000000000000-mapping.dmp

Download
memory/1308-60-0x0000000000000000-mapping.dmp

Download
memory/1480-27-0x0000000000000000-mapping.dmp

Download
memory/1480-45-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1480-43-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1480-44-0x0000000000920000-0x0000000000933000-memory.dmp

Filesize
76KB

Download
memory/1480-42-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1624-39-0x0000000000000000-mapping.dmp

Download
memory/1624-58-0x0000000002500000-0x0000000002595000-memory.dmp

Filesize
596KB

Download
memory/1624-59-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1624-51-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1636-63-0x0000000000000000-mapping.dmp

Download
memory/2020-61-0x0000000000000000-mapping.dmp

Download
memory/2276-73-0x0000000000000000-mapping.dmp

Download
memory/2596-49-0x0000000000A70000-0x0000000000AA6000-memory.dmp

Filesize
216KB

Download
memory/2596-47-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2596-50-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2596-36-0x0000000000000000-mapping.dmp

Download
memory/2936-22-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/2936-25-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2936-15-0x0000000000000000-mapping.dmp

Download
memory/2936-23-0x0000000002640000-0x00000000026D4000-memory.dmp

Filesize
592KB

Download
memory/2936-24-0x00000000023A0000-0x0000000002435000-memory.dmp

Filesize
596KB

Download
memory/3040-26-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download
memory/3040-20-0x0000000000000000-mapping.dmp

Download
memory/3040-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3048-6-0x0000000001230000-0x0000000001246000-memory.dmp

Filesize
88KB

Download
memory/3144-48-0x0000000000000000-mapping.dmp

Download
memory/3168-69-0x0000000000000000-mapping.dmp

Download
memory/3736-77-0x0000000001270000-0x0000000001285000-memory.dmp

Filesize
84KB

Download
memory/3736-78-0x0000000001279A6B-mapping.dmp

Download
memory/3832-70-0x0000000000000000-mapping.dmp

Download
memory/3832-89-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3832-91-0x00000000023A0000-0x000000000240B000-memory.dmp

Filesize
428KB

Download
memory/3832-92-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3880-75-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3920-57-0x0000000000000000-mapping.dmp

Download
memory/4068-46-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads