smokeloader | 1c259208bdea5d896335c7a22d7a3048e4cfe0c7578a466f8faad880446f4e02

Analysis

max time kernel
59s
max time network
60s
platform
windows10_x64
resource
win10v20201028
submitted
29-03-2021 07:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

874bcf36482b83f3df470655e985e29b.exe
Size

162KB
MD5

874bcf36482b83f3df470655e985e29b
SHA1

bbcfeea3e3b437680cbf14c8016b3954cac1398a
SHA256

1c259208bdea5d896335c7a22d7a3048e4cfe0c7578a466f8faad880446f4e02
SHA512

688cd7b19786c7c41079a1867a394ade9ed1201f10f38c408d52bae8da9edcd42b433ae979de6b68ed4bbf628201228c45ec4d9a03987851782265c19b0da8c6

Score

10^/10

smokeloader tofsee backdoor bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 9 IoCs

Processes:

E47A.exeED83.exeE47A.exeupdatewin.exe5.exeFB5F.exewwxideck.exe161C.exe1CB4.exe

pid	Process
3308	E47A.exe
3644	ED83.exe
1312	E47A.exe
720	updatewin.exe
2504	5.exe
2816	FB5F.exe
2756	wwxideck.exe
2084	161C.exe
3288	1CB4.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

161C.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	161C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	161C.exe

Deletes itself 1 IoCs

Processes:

pid	Process
3016

Loads dropped DLL 1 IoCs

Processes:

874bcf36482b83f3df470655e985e29b.exe

pid	Process
496	874bcf36482b83f3df470655e985e29b.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
2600	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

E47A.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\88f60da4-d0da-4e37-89b8-c779aa247322\\E47A.exe\" --AutoStart"	E47A.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

161C.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	161C.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
30	api.2ip.ua
31	api.2ip.ua
46	api.2ip.ua

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

1CB4.exe

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	1CB4.exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

161C.exe

pid	Process
2084	161C.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wwxideck.exe

description	pid	Process	procid_target
PID 2756 set thread context of 3808	2756	wwxideck.exe	103

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

874bcf36482b83f3df470655e985e29b.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	874bcf36482b83f3df470655e985e29b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	874bcf36482b83f3df470655e985e29b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	874bcf36482b83f3df470655e985e29b.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
200	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 34e8473e26b54f0524edb47d450dd49d084297dce82e72baa46d34fdc48d541d64da6a5785cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda5691ddd834a7c3ce0af644490bdbc7a23e8945d02cef78d3c74bbc4103d31fbad6b14d8834d7c0db8f2054991cfdb2470dd976d5d8dc4bf662fd39a460b37f9942e569beb092d60b19d5519cc85b07427ef9d553491abee3571bbd91d5061cda5691ddd834a7c3ce0ab64c9d40b866e6c06fc6d34fdc48c541de4da1b4f6f92e72f52edb47d440dd49d64a73b090c0814dda46d3731d68e541de4ac450531e3a66810c385447423e6ac5c2df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad953c04cd	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

E47A.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	E47A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E47A.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

874bcf36482b83f3df470655e985e29b.exe

pid	Process
496	874bcf36482b83f3df470655e985e29b.exe
496	874bcf36482b83f3df470655e985e29b.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

874bcf36482b83f3df470655e985e29b.exe

pid	Process
496	874bcf36482b83f3df470655e985e29b.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

1CB4.exe

description	pid	Process
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3288	1CB4.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

E47A.exeE47A.exeFB5F.exeupdatewin.execmd.exewwxideck.exe

description	pid	Process	procid_target
PID 3016 wrote to memory of 3308	3016		78
PID 3016 wrote to memory of 3308	3016		78
PID 3016 wrote to memory of 3308	3016		78
PID 3308 wrote to memory of 2600	3308	E47A.exe	79
PID 3308 wrote to memory of 2600	3308	E47A.exe	79
PID 3308 wrote to memory of 2600	3308	E47A.exe	79
PID 3016 wrote to memory of 3644	3016		80
PID 3016 wrote to memory of 3644	3016		80
PID 3016 wrote to memory of 3644	3016		80
PID 3308 wrote to memory of 1312	3308	E47A.exe	81
PID 3308 wrote to memory of 1312	3308	E47A.exe	81
PID 3308 wrote to memory of 1312	3308	E47A.exe	81
PID 1312 wrote to memory of 720	1312	E47A.exe	83
PID 1312 wrote to memory of 720	1312	E47A.exe	83
PID 1312 wrote to memory of 720	1312	E47A.exe	83
PID 1312 wrote to memory of 2504	1312	E47A.exe	84
PID 1312 wrote to memory of 2504	1312	E47A.exe	84
PID 1312 wrote to memory of 2504	1312	E47A.exe	84
PID 3016 wrote to memory of 2816	3016		85
PID 3016 wrote to memory of 2816	3016		85
PID 3016 wrote to memory of 2816	3016		85
PID 2816 wrote to memory of 3456	2816	FB5F.exe	86
PID 2816 wrote to memory of 3456	2816	FB5F.exe	86
PID 2816 wrote to memory of 3456	2816	FB5F.exe	86
PID 2816 wrote to memory of 1180	2816	FB5F.exe	88
PID 2816 wrote to memory of 1180	2816	FB5F.exe	88
PID 2816 wrote to memory of 1180	2816	FB5F.exe	88
PID 2816 wrote to memory of 2160	2816	FB5F.exe	90
PID 2816 wrote to memory of 2160	2816	FB5F.exe	90
PID 2816 wrote to memory of 2160	2816	FB5F.exe	90
PID 2816 wrote to memory of 2268	2816	FB5F.exe	92
PID 2816 wrote to memory of 2268	2816	FB5F.exe	92
PID 2816 wrote to memory of 2268	2816	FB5F.exe	92
PID 2816 wrote to memory of 2340	2816	FB5F.exe	94
PID 2816 wrote to memory of 2340	2816	FB5F.exe	94
PID 2816 wrote to memory of 2340	2816	FB5F.exe	94
PID 2816 wrote to memory of 356	2816	FB5F.exe	97
PID 2816 wrote to memory of 356	2816	FB5F.exe	97
PID 2816 wrote to memory of 356	2816	FB5F.exe	97
PID 3016 wrote to memory of 2084	3016		99
PID 3016 wrote to memory of 2084	3016		99
PID 3016 wrote to memory of 2084	3016		99
PID 720 wrote to memory of 3400	720	updatewin.exe	100
PID 720 wrote to memory of 3400	720	updatewin.exe	100
PID 720 wrote to memory of 3400	720	updatewin.exe	100
PID 3016 wrote to memory of 3288	3016		102
PID 3016 wrote to memory of 3288	3016		102
PID 3016 wrote to memory of 3288	3016		102
PID 3400 wrote to memory of 200	3400	cmd.exe	104
PID 3400 wrote to memory of 200	3400	cmd.exe	104
PID 3400 wrote to memory of 200	3400	cmd.exe	104
PID 2756 wrote to memory of 3808	2756	wwxideck.exe	103
PID 2756 wrote to memory of 3808	2756	wwxideck.exe	103
PID 2756 wrote to memory of 3808	2756	wwxideck.exe	103
PID 2756 wrote to memory of 3808	2756	wwxideck.exe	103
PID 2756 wrote to memory of 3808	2756	wwxideck.exe	103

C:\Users\Admin\AppData\Local\Temp\874bcf36482b83f3df470655e985e29b.exe
"C:\Users\Admin\AppData\Local\Temp\874bcf36482b83f3df470655e985e29b.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:496

C:\Users\Admin\AppData\Local\Temp\E47A.exe
C:\Users\Admin\AppData\Local\Temp\E47A.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\88f60da4-d0da-4e37-89b8-c779aa247322" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\E47A.exe
  "C:\Users\Admin\AppData\Local\Temp\E47A.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\updatewin.exe
    "C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\updatewin.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\updatewin.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:200
- - C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\5.exe
    "C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\5.exe"
    3⤵
    - Executes dropped EXE
    PID:2504

C:\Users\Admin\AppData\Local\Temp\ED83.exe
C:\Users\Admin\AppData\Local\Temp\ED83.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Users\Admin\AppData\Local\Temp\FB5F.exe
C:\Users\Admin\AppData\Local\Temp\FB5F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wzkwstev\
  2⤵
  PID:3456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wwxideck.exe" C:\Windows\SysWOW64\wzkwstev\
  2⤵
  PID:1180
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create wzkwstev binPath= "C:\Windows\SysWOW64\wzkwstev\wwxideck.exe /d\"C:\Users\Admin\AppData\Local\Temp\FB5F.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:2160
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description wzkwstev "wifi internet conection"
  2⤵
  PID:2268
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start wzkwstev
  2⤵
  PID:2340
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:356

C:\Windows\SysWOW64\wzkwstev\wwxideck.exe
C:\Windows\SysWOW64\wzkwstev\wwxideck.exe /d"C:\Users\Admin\AppData\Local\Temp\FB5F.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3808

C:\Users\Admin\AppData\Local\Temp\161C.exe
C:\Users\Admin\AppData\Local\Temp\161C.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2084

C:\Users\Admin\AppData\Local\Temp\1CB4.exe
C:\Users\Admin\AppData\Local\Temp\1CB4.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:3288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
54e60fd0149fe960a1bb51d1a63724b3

SHA1
8edc3d0d641441a72c642c3e96dabfe8aa9877a8

SHA256
7cdb049d052b55ee9c2ba9096e8cf7e1f9117d2898c1679ab2ef2e8683356309

SHA512
090766a3ae2e7d091ee0f22ce954373327d9642e10451f55342b76b1aa444c8e16cc4102957570e08d7fa19b1e17fe34f8a764f8c041c82f799d095ccf0f357b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
3be96afd7b9e0ff481b665d594167224

SHA1
aff8ca9cc93425b2c20b55aaf1c1e0b56f347144

SHA256
36981629cd13aef6fa93a598db9dd7745d491fb7bee57b235ddcb66f1a8c5799

SHA512
76df4e5a44f6be6e75136550ebdc4bad504cafeef08c2a3f3730343f43b22771b8a3f9ba6ea5b755ed4e674257754bf29b2b8197f9bc0894219dde5f34821299

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C

MD5
e1b17cb36e7813e48c590622bc15252b

SHA1
6dfc7033c04075f8925ffed5a3c13a242825c0db

SHA256
e0cfd73d9d91f8b78fd95262a42ec028eb804c6f8ea6b150debbf31d187ab47a

SHA512
95bd7f3752dc2676c577a7da203bf790635cb5fb54a4658377096908d6366ee065697dbcc0c92f93620e07a568935960b2682891a5d3b0c36483c96ebf286c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
f50d6e1786da4ac3d2f2b2164bddffd7

SHA1
438c14f5f48d9b18fd4e34037eb5b05d2acb7634

SHA256
358f4ff0a7b7a18d940e1772b02329606931fe5674ae0c3b97df1b6cff52eff9

SHA512
b79d19d50825ab4bbf6206c8a62462f46e790bfaeffec34e2fecd7cea1b201715b6ebeef0edb3bad44040a4861820e06af919fa4e169f852a5cfec4ce8d0c7d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
88257cc267605551f3a62dc441a9364a

SHA1
a0380684eb14d1a12880f7cf4c16275c267d14f7

SHA256
49d97f32d52cf7cded3ff18d061cf65c0178daea890bce5cbfba47e922d714e9

SHA512
f76798739c2da27f14a2268370ed0ad17ed6eae7ac20e1e40b6078abd5951554dadb895391463538a45556c770723377d817775376eddfc1c74c23f2aa657ffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C

MD5
92a6c2d2b61efa31f8ff9f57cb1e13c8

SHA1
354e15e2d32365d256213db971c849f2f854ae98

SHA256
c295fb156ffa894bf92cd366a582a40cefb31c34bf016fb75272796adb4838ca

SHA512
76d5a93672dc27ff0622d06037bbaabd42477a4640c9735b4c554985f4aca71fedc8297b7b0ca990cded33e9306255a400c3afacb212364395d803d92d23089c

Download Submit
C:\Users\Admin\AppData\Local\88f60da4-d0da-4e37-89b8-c779aa247322\E47A.exe

MD5
f3f35dcb69fca49ae55a22812770ecb2

SHA1
eb8c95dc050978d10c05073b0d5311f86da986ed

SHA256
a3d26db7812778043abdf20ad3ff5caf68be3752fcd33de75d1bea8f515ed3d2

SHA512
098d6f2f768811004ef87b51074fbbd9d36ee483cce637efe1f97dae0bec1bcc7c37e737d9ddb082cd1870c7c0952b334b4dbd07a7eb2b293b7a2646a7e10632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\xeronxik123[1].json

MD5
c368ec7ae20fd11786416ff6c9b1017a

SHA1
5b1e24f8ecba4742a5f330aad81a8db918a568bb

SHA256
f417542b2b37c8bcdc88b4c3132e3417e3ec8b0c991434066fe3cea7dd9e23db

SHA512
1c1aaca05b740ef8aeba9869aa005c102a20dc6b93c7789140cda701244e34526486e2510f4387369502e79299d0554d1d28eec53861f06f0a4a3daf579df38b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IDC1MHSE.cookie

MD5
bfec134e2bc8139d928161a00d2a4247

SHA1
b00908110e7b562fd6b9d4cf622a67d8bc0e00b1

SHA256
501d7e4b79bcd83cac156bdd8581c795b1b373065fb8514d1131b844d3c6bba5

SHA512
bde1883037e40cfd669e29fc9998c19d5dbfaa2acbe06fef48c2eda01341cd5be69d42b08dc0d4160f1c5b3f0cda12e7d8535a435285dbb86f8188a0fc5c7d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\161C.exe

MD5
ac229a86dd4f26f164d2a3fc644aa82f

SHA1
00616fb12a461213bb67caa8ddaef47710d0e21d

SHA256
90eaf187a5d561327c663d76727fc1dff5b1efdb6746fb680eeac254a9f5795e

SHA512
420c35bb22c86e12147084e411da785db7e0a8d4a85d8ecf21fab896257ab454ac2eab02ca8b6ec9d9176801d201595da7cfe36235688d6a3c61fd484806e526

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CB4.exe

MD5
9866604e6a4eb4fce58553700dcb5834

SHA1
58f0571b583dda88a2dc56976b1d8654a51a96c0

SHA256
240967b5dfa83d9c937ee2b419aaaedb587b785aaeff9428dd9b334714461622

SHA512
7a585ddf38f18ba8de7906f5570538d69306850d4a1cdfd40e3b5a6ba70b37e8cf2ccf31c5c869d21fb3d532e3ec4ec571e0bd0aa08982bdad60ee072828e89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CB4.exe

MD5
9866604e6a4eb4fce58553700dcb5834

SHA1
58f0571b583dda88a2dc56976b1d8654a51a96c0

SHA256
240967b5dfa83d9c937ee2b419aaaedb587b785aaeff9428dd9b334714461622

SHA512
7a585ddf38f18ba8de7906f5570538d69306850d4a1cdfd40e3b5a6ba70b37e8cf2ccf31c5c869d21fb3d532e3ec4ec571e0bd0aa08982bdad60ee072828e89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E47A.exe

MD5
f3f35dcb69fca49ae55a22812770ecb2

SHA1
eb8c95dc050978d10c05073b0d5311f86da986ed

SHA256
a3d26db7812778043abdf20ad3ff5caf68be3752fcd33de75d1bea8f515ed3d2

SHA512
098d6f2f768811004ef87b51074fbbd9d36ee483cce637efe1f97dae0bec1bcc7c37e737d9ddb082cd1870c7c0952b334b4dbd07a7eb2b293b7a2646a7e10632

Download Submit
C:\Users\Admin\AppData\Local\Temp\E47A.exe

MD5
f3f35dcb69fca49ae55a22812770ecb2

SHA1
eb8c95dc050978d10c05073b0d5311f86da986ed

SHA256
a3d26db7812778043abdf20ad3ff5caf68be3752fcd33de75d1bea8f515ed3d2

SHA512
098d6f2f768811004ef87b51074fbbd9d36ee483cce637efe1f97dae0bec1bcc7c37e737d9ddb082cd1870c7c0952b334b4dbd07a7eb2b293b7a2646a7e10632

Download Submit
C:\Users\Admin\AppData\Local\Temp\E47A.exe

MD5
f3f35dcb69fca49ae55a22812770ecb2

SHA1
eb8c95dc050978d10c05073b0d5311f86da986ed

SHA256
a3d26db7812778043abdf20ad3ff5caf68be3752fcd33de75d1bea8f515ed3d2

SHA512
098d6f2f768811004ef87b51074fbbd9d36ee483cce637efe1f97dae0bec1bcc7c37e737d9ddb082cd1870c7c0952b334b4dbd07a7eb2b293b7a2646a7e10632

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED83.exe

MD5
6c1a69a9e18b98cfb5785df241f0594c

SHA1
de5736e5ed2c74b14f73564e0487a67135826028

SHA256
6a9c8196948a83cf1d12891b639d5fd27fa04ec5e418600cf8429184b464258e

SHA512
004725c80d44475bc59899da974dc0ac6d3b4a2cb39b8d850cd8e21e357794f674fcf267f29b1b79d499e3493fa1e60e96a3154bb18eef60a30913f9289bdd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED83.exe

MD5
6c1a69a9e18b98cfb5785df241f0594c

SHA1
de5736e5ed2c74b14f73564e0487a67135826028

SHA256
6a9c8196948a83cf1d12891b639d5fd27fa04ec5e418600cf8429184b464258e

SHA512
004725c80d44475bc59899da974dc0ac6d3b4a2cb39b8d850cd8e21e357794f674fcf267f29b1b79d499e3493fa1e60e96a3154bb18eef60a30913f9289bdd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB5F.exe

MD5
4e34484acc2dca82861b7c093e6725e6

SHA1
9086b5b62ea11b8130a4287221a6261abaf4a7b6

SHA256
f20b356209c6bfb249c15b756306e563b2ad6263dda15bb1eef2671e06a34d13

SHA512
207669d9d21b03f49cb8ead0136affe55201fe660d240b558313c976585279fa770b40c2ab72cb1ca11126221de4986c12a60e7c711ab507ec05fed062be2379

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB5F.exe

MD5
4e34484acc2dca82861b7c093e6725e6

SHA1
9086b5b62ea11b8130a4287221a6261abaf4a7b6

SHA256
f20b356209c6bfb249c15b756306e563b2ad6263dda15bb1eef2671e06a34d13

SHA512
207669d9d21b03f49cb8ead0136affe55201fe660d240b558313c976585279fa770b40c2ab72cb1ca11126221de4986c12a60e7c711ab507ec05fed062be2379

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwxideck.exe

MD5
fde97ee9ec112e2e42158ea165d23fb7

SHA1
ba590758e46eaa9e45aceae2ce6cd3529993218e

SHA256
a418cc655c9b23e4cf85b8b5e4744dbd8a847df11dc106e1000d6d6df5586273

SHA512
f211cc91b4a591af32265dfcb8fdc934d116b232c0b221f4b4db68ddde05fb635cd6e022d87720baad52a915432b72b83f0724cc1b4ef1a90151994e334c8712

Download Submit
C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\5.exe

MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\5.exe

MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\updatewin.exe

MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\updatewin.exe

MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
C:\Windows\SysWOW64\wzkwstev\wwxideck.exe

MD5
fde97ee9ec112e2e42158ea165d23fb7

SHA1
ba590758e46eaa9e45aceae2ce6cd3529993218e

SHA256
a418cc655c9b23e4cf85b8b5e4744dbd8a847df11dc106e1000d6d6df5586273

SHA512
f211cc91b4a591af32265dfcb8fdc934d116b232c0b221f4b4db68ddde05fb635cd6e022d87720baad52a915432b72b83f0724cc1b4ef1a90151994e334c8712

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/200-80-0x0000000000000000-mapping.dmp

Download
memory/356-68-0x0000000000000000-mapping.dmp

Download
memory/496-3-0x0000000000950000-0x0000000000959000-memory.dmp

Filesize
36KB

Download
memory/496-2-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/496-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/720-43-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/720-57-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/720-55-0x0000000002430000-0x0000000002466000-memory.dmp

Filesize
216KB

Download
memory/720-27-0x0000000000000000-mapping.dmp

Download
memory/1180-62-0x0000000000000000-mapping.dmp

Download
memory/1312-20-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download
memory/1312-18-0x0000000000000000-mapping.dmp

Download
memory/2084-71-0x0000000000400000-0x0000000000BDD000-memory.dmp

Filesize
7.9MB

Download
memory/2084-92-0x0000000003310000-0x000000000333B000-memory.dmp

Filesize
172KB

Download
memory/2084-88-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/2084-87-0x0000000002F10000-0x0000000002F3D000-memory.dmp

Filesize
180KB

Download
memory/2084-89-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2084-90-0x0000000005572000-0x0000000005573000-memory.dmp

Filesize
4KB

Download
memory/2084-73-0x0000000077354000-0x0000000077355000-memory.dmp

Filesize
4KB

Download
memory/2084-74-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2084-91-0x0000000005573000-0x0000000005574000-memory.dmp

Filesize
4KB

Download
memory/2084-69-0x0000000000000000-mapping.dmp

Download
memory/2084-94-0x0000000005574000-0x0000000005576000-memory.dmp

Filesize
8KB

Download
memory/2084-83-0x0000000070DD0000-0x00000000714BE000-memory.dmp

Filesize
6.9MB

Download
memory/2084-93-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/2160-64-0x0000000000000000-mapping.dmp

Download
memory/2268-65-0x0000000000000000-mapping.dmp

Download
memory/2340-66-0x0000000000000000-mapping.dmp

Download
memory/2504-44-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2504-31-0x0000000000000000-mapping.dmp

Download
memory/2504-59-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2504-58-0x0000000002500000-0x0000000002595000-memory.dmp

Filesize
596KB

Download
memory/2504-47-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2600-13-0x0000000000000000-mapping.dmp

Download
memory/2756-78-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/2756-85-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2816-49-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2816-61-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2816-40-0x0000000000000000-mapping.dmp

Download
memory/2816-51-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2816-60-0x0000000000840000-0x0000000000853000-memory.dmp

Filesize
76KB

Download
memory/3016-6-0x0000000000E30000-0x0000000000E46000-memory.dmp

Filesize
88KB

Download
memory/3288-95-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3288-96-0x00000000008F0000-0x000000000095B000-memory.dmp

Filesize
428KB

Download
memory/3288-97-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3288-75-0x0000000000000000-mapping.dmp

Download
memory/3308-12-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3308-10-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/3308-7-0x0000000000000000-mapping.dmp

Download
memory/3308-11-0x0000000001AA0000-0x0000000001BBA000-memory.dmp

Filesize
1.1MB

Download
memory/3400-72-0x0000000000000000-mapping.dmp

Download
memory/3456-56-0x0000000000000000-mapping.dmp

Download
memory/3644-38-0x00000000024C0000-0x0000000002555000-memory.dmp

Filesize
596KB

Download
memory/3644-39-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3644-28-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/3644-15-0x0000000000000000-mapping.dmp

Download
memory/3808-82-0x0000000002B59A6B-mapping.dmp

Download
memory/3808-81-0x0000000002B50000-0x0000000002B65000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads