smokeloader | 7b608f567cdbb7a9ccce2a9937b34bb3b73e178efc3d2b9bc29e5fe905462bee

Analysis

max time kernel
158s
max time network
165s
platform
windows7_x64
resource
win7v20210408
submitted
26-07-2021 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61763efd92c56bd89787f9bd24ff509b.exe
Size

316KB
MD5

61763efd92c56bd89787f9bd24ff509b
SHA1

d5710ec6298b0d723c717806e3220a9d5cd6440a
SHA256

7b608f567cdbb7a9ccce2a9937b34bb3b73e178efc3d2b9bc29e5fe905462bee
SHA512

b05ab9487988932d46c628274250e60312907fb74d9b011c43b5642105008b7531c3a63fcc89bdceffe5a6144262742e5b5d635f69acd98da11302fc9b5163fd

Score

10^/10

smokeloader tofsee vidar 408 backdoor evasion persistence spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

vidar

Version

39.7

Botnet

408

https://shpak125.tumblr.com/

Attributes

profile_id
408

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/556-76-0x00000000004D0000-0x000000000056D000-memory.dmp	family_vidar
behavioral1/memory/556-82-0x0000000000400000-0x00000000004C3000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 10 IoCs

Processes:

45E6.exe55EE.exe57D2.exe6184.exe65E8.exe7120.exe78DE.exe7B01.exe7E5C.exenruqclie.exe

pid process

460 45E6.exe
556 55EE.exe
1120 57D2.exe
1608 6184.exe
428 65E8.exe
1724 7120.exe
824 78DE.exe
1588 7B01.exe
1504 7E5C.exe
948 nruqclie.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
460	45E6.exe
556	55EE.exe
1120	57D2.exe
1608	6184.exe
428	65E8.exe
1724	7120.exe
824	78DE.exe
1588	7B01.exe
1504	7E5C.exe
948	nruqclie.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7120.exe78DE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7120.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7120.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	78DE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	78DE.exe

Deletes itself 1 IoCs

Processes:

pid process

1212
Loads dropped DLL 5 IoCs

Processes:

7E5C.exe57D2.exe

pid process

1504 7E5C.exe
1120 57D2.exe
1120 57D2.exe
1120 57D2.exe
1120 57D2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1212

pid	process
1504	7E5C.exe
1120	57D2.exe
1120	57D2.exe
1120	57D2.exe
1120	57D2.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7120.exe	themida
C:\Users\Admin\AppData\Local\Temp\78DE.exe	themida
behavioral1/memory/824-99-0x0000000001110000-0x0000000001111000-memory.dmp	themida
behavioral1/memory/1724-101-0x0000000000270000-0x0000000000271000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7120.exe78DE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7120.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	78DE.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

7120.exe78DE.exe

pid process

1724 7120.exe
824 78DE.exe

pid	process
1724	7120.exe
824	78DE.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

61763efd92c56bd89787f9bd24ff509b.exenruqclie.exe

description	pid	process	target process
PID 872 set thread context of 1932	872	61763efd92c56bd89787f9bd24ff509b.exe	61763efd92c56bd89787f9bd24ff509b.exe
PID 948 set thread context of 1224	948	nruqclie.exe	svchost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7E5C.exe61763efd92c56bd89787f9bd24ff509b.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7E5C.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7E5C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61763efd92c56bd89787f9bd24ff509b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61763efd92c56bd89787f9bd24ff509b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61763efd92c56bd89787f9bd24ff509b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7E5C.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

57D2.exe55EE.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	57D2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	57D2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	55EE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	55EE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	55EE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

61763efd92c56bd89787f9bd24ff509b.exe

pid	process
1932	61763efd92c56bd89787f9bd24ff509b.exe
1932	61763efd92c56bd89787f9bd24ff509b.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1212
Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

61763efd92c56bd89787f9bd24ff509b.exe7E5C.exe

pid process

1932 61763efd92c56bd89787f9bd24ff509b.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1504 7E5C.exe
1212
1212
1212
1212
1212
1212
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1212
Token: SeShutdownPrivilege 1212
Token: SeShutdownPrivilege 1212
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1212
1212
1212
1212
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1212
1212
1212
1212
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

45E6.exe

pid process

460 45E6.exe

pid	process
1212

description	pid	process
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212

pid	process
1212
1212
1212
1212

pid	process
1212
1212
1212
1212

pid	process
460	45E6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

61763efd92c56bd89787f9bd24ff509b.exe7B01.exe

description	pid	process	target process
PID 872 wrote to memory of 1932	872	61763efd92c56bd89787f9bd24ff509b.exe	61763efd92c56bd89787f9bd24ff509b.exe
PID 872 wrote to memory of 1932	872	61763efd92c56bd89787f9bd24ff509b.exe	61763efd92c56bd89787f9bd24ff509b.exe
PID 872 wrote to memory of 1932	872	61763efd92c56bd89787f9bd24ff509b.exe	61763efd92c56bd89787f9bd24ff509b.exe
PID 872 wrote to memory of 1932	872	61763efd92c56bd89787f9bd24ff509b.exe	61763efd92c56bd89787f9bd24ff509b.exe
PID 872 wrote to memory of 1932	872	61763efd92c56bd89787f9bd24ff509b.exe	61763efd92c56bd89787f9bd24ff509b.exe
PID 872 wrote to memory of 1932	872	61763efd92c56bd89787f9bd24ff509b.exe	61763efd92c56bd89787f9bd24ff509b.exe
PID 872 wrote to memory of 1932	872	61763efd92c56bd89787f9bd24ff509b.exe	61763efd92c56bd89787f9bd24ff509b.exe
PID 1212 wrote to memory of 460	1212		45E6.exe
PID 1212 wrote to memory of 460	1212		45E6.exe
PID 1212 wrote to memory of 460	1212		45E6.exe
PID 1212 wrote to memory of 460	1212		45E6.exe
PID 1212 wrote to memory of 556	1212		55EE.exe
PID 1212 wrote to memory of 556	1212		55EE.exe
PID 1212 wrote to memory of 556	1212		55EE.exe
PID 1212 wrote to memory of 556	1212		55EE.exe
PID 1212 wrote to memory of 1120	1212		57D2.exe
PID 1212 wrote to memory of 1120	1212		57D2.exe
PID 1212 wrote to memory of 1120	1212		57D2.exe
PID 1212 wrote to memory of 1120	1212		57D2.exe
PID 1212 wrote to memory of 1608	1212		6184.exe
PID 1212 wrote to memory of 1608	1212		6184.exe
PID 1212 wrote to memory of 1608	1212		6184.exe
PID 1212 wrote to memory of 1608	1212		6184.exe
PID 1212 wrote to memory of 428	1212		65E8.exe
PID 1212 wrote to memory of 428	1212		65E8.exe
PID 1212 wrote to memory of 428	1212		65E8.exe
PID 1212 wrote to memory of 428	1212		65E8.exe
PID 1212 wrote to memory of 1724	1212		7120.exe
PID 1212 wrote to memory of 1724	1212		7120.exe
PID 1212 wrote to memory of 1724	1212		7120.exe
PID 1212 wrote to memory of 1724	1212		7120.exe
PID 1212 wrote to memory of 1724	1212		7120.exe
PID 1212 wrote to memory of 1724	1212		7120.exe
PID 1212 wrote to memory of 1724	1212		7120.exe
PID 1212 wrote to memory of 824	1212		78DE.exe
PID 1212 wrote to memory of 824	1212		78DE.exe
PID 1212 wrote to memory of 824	1212		78DE.exe
PID 1212 wrote to memory of 824	1212		78DE.exe
PID 1212 wrote to memory of 824	1212		78DE.exe
PID 1212 wrote to memory of 824	1212		78DE.exe
PID 1212 wrote to memory of 824	1212		78DE.exe
PID 1212 wrote to memory of 1588	1212		7B01.exe
PID 1212 wrote to memory of 1588	1212		7B01.exe
PID 1212 wrote to memory of 1588	1212		7B01.exe
PID 1212 wrote to memory of 1588	1212		7B01.exe
PID 1212 wrote to memory of 1504	1212		7E5C.exe
PID 1212 wrote to memory of 1504	1212		7E5C.exe
PID 1212 wrote to memory of 1504	1212		7E5C.exe
PID 1212 wrote to memory of 1504	1212		7E5C.exe
PID 1212 wrote to memory of 1308	1212		explorer.exe
PID 1212 wrote to memory of 1308	1212		explorer.exe
PID 1212 wrote to memory of 1308	1212		explorer.exe
PID 1212 wrote to memory of 1308	1212		explorer.exe
PID 1212 wrote to memory of 1308	1212		explorer.exe
PID 1212 wrote to memory of 1960	1212		explorer.exe
PID 1212 wrote to memory of 1960	1212		explorer.exe
PID 1212 wrote to memory of 1960	1212		explorer.exe
PID 1212 wrote to memory of 1960	1212		explorer.exe
PID 1588 wrote to memory of 1328	1588	7B01.exe	cmd.exe
PID 1588 wrote to memory of 1328	1588	7B01.exe	cmd.exe
PID 1588 wrote to memory of 1328	1588	7B01.exe	cmd.exe
PID 1588 wrote to memory of 1328	1588	7B01.exe	cmd.exe
PID 1588 wrote to memory of 288	1588	7B01.exe	cmd.exe
PID 1588 wrote to memory of 288	1588	7B01.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\61763efd92c56bd89787f9bd24ff509b.exe
"C:\Users\Admin\AppData\Local\Temp\61763efd92c56bd89787f9bd24ff509b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\61763efd92c56bd89787f9bd24ff509b.exe
"C:\Users\Admin\AppData\Local\Temp\61763efd92c56bd89787f9bd24ff509b.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1932

C:\Users\Admin\AppData\Local\Temp\45E6.exe
C:\Users\Admin\AppData\Local\Temp\45E6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:460

C:\Users\Admin\AppData\Local\Temp\55EE.exe
C:\Users\Admin\AppData\Local\Temp\55EE.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:556

C:\Users\Admin\AppData\Local\Temp\57D2.exe
C:\Users\Admin\AppData\Local\Temp\57D2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1120

C:\Users\Admin\AppData\Local\Temp\6184.exe
C:\Users\Admin\AppData\Local\Temp\6184.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Local\Temp\65E8.exe
C:\Users\Admin\AppData\Local\Temp\65E8.exe
1⤵
- Executes dropped EXE
PID:428

C:\Users\Admin\AppData\Local\Temp\7120.exe
C:\Users\Admin\AppData\Local\Temp\7120.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1724

C:\Users\Admin\AppData\Local\Temp\78DE.exe
C:\Users\Admin\AppData\Local\Temp\78DE.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:824

C:\Users\Admin\AppData\Local\Temp\7B01.exe
C:\Users\Admin\AppData\Local\Temp\7B01.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tocmyxdr\
2⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nruqclie.exe" C:\Windows\SysWOW64\tocmyxdr\
2⤵
PID:288

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create tocmyxdr binPath= "C:\Windows\SysWOW64\tocmyxdr\nruqclie.exe /d\"C:\Users\Admin\AppData\Local\Temp\7B01.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1712

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description tocmyxdr "wifi internet conection"
2⤵
PID:548

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start tocmyxdr
2⤵
PID:696

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\7E5C.exe
C:\Users\Admin\AppData\Local\Temp\7E5C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1504

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1308

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1916

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:628

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1936

C:\Windows\SysWOW64\tocmyxdr\nruqclie.exe
C:\Windows\SysWOW64\tocmyxdr\nruqclie.exe /d"C:\Users\Admin\AppData\Local\Temp\7B01.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:948

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:1224

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1764

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1816

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1604

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\45E6.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\55EE.exe
MD5
e3b131c40069c79c78ac5f63533e6e8c

SHA1
4100151e35bcd09c0e6192e15ace9a237cfa9d6d

SHA256
208517f209dab917900fe71d28f52aab4fa43c6443d906da9aedddf6c5aaf07a

SHA512
862b58b65075e7feeafb1bb26426fcd253513f6831426f84d464632163d8adfa2ebd9cdd50dc4d27bd0e81d3737a0472a5349108ad5bd90c7bc0832a27d5150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\57D2.exe
MD5
efcd1876a1e120794eaf59ca2469ab9c

SHA1
60b7f29f8ffb82dac8b6f0c6d5a31ec11df682b8

SHA256
2944952348c7d345f2205f72497251a03e3713298b561519f65d682728151012

SHA512
821ddf53dfec8ca5e3b9eb803ae389e1d72fc7c2f639fd5c937106bb32e0a9068eb1102cbce874599fbf81899c67c0b118a0521046f809e2e1f6fd356aa8980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6184.exe
MD5
efcd1876a1e120794eaf59ca2469ab9c

SHA1
60b7f29f8ffb82dac8b6f0c6d5a31ec11df682b8

SHA256
2944952348c7d345f2205f72497251a03e3713298b561519f65d682728151012

SHA512
821ddf53dfec8ca5e3b9eb803ae389e1d72fc7c2f639fd5c937106bb32e0a9068eb1102cbce874599fbf81899c67c0b118a0521046f809e2e1f6fd356aa8980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\65E8.exe
MD5
efcd1876a1e120794eaf59ca2469ab9c

SHA1
60b7f29f8ffb82dac8b6f0c6d5a31ec11df682b8

SHA256
2944952348c7d345f2205f72497251a03e3713298b561519f65d682728151012

SHA512
821ddf53dfec8ca5e3b9eb803ae389e1d72fc7c2f639fd5c937106bb32e0a9068eb1102cbce874599fbf81899c67c0b118a0521046f809e2e1f6fd356aa8980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7120.exe
MD5
a1278cca92f8f83bc136b8c551e06cad

SHA1
6ba4fc48d0267e859dfe284c02d5eef600578ded

SHA256
bf48d9da3846be2cfb8134eb21718d88d210c35d5638ba42bb84999479f816a6

SHA512
421c7f05b8d151916d9318eb32bd1ab36004e7491c7edc962f019bc5c9822b9cabf89ea7a8d2d6bf3bc883bc0bf87cc44d1a924460731db6f9c9f33ac0bcc982

Download Submit
C:\Users\Admin\AppData\Local\Temp\78DE.exe
MD5
eefa6d65ae3c059aeda47da1b1ebe5f3

SHA1
abda62e405e16966348c7894143054c24452ac8b

SHA256
6c1287c0a1d7c8912b6e7eb6588921931e7f5e0b108ed6e87a7fa796bdcc6137

SHA512
3ac55072079cb5c1ed3e005f26dfee89fd55c8cbac45c475bf8b79b9340da880b199ddd4802990c87cc5c557c1e49780d303901c7f3c9c3ada66574843a8345b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B01.exe
MD5
7fb7b7475a6c83033be436c0786501c4

SHA1
08147873f72a6e6de12fc49cc4d9acb5cdf0b462

SHA256
fbcd845cd667135afd6af8e0d1ab9bc515c211e7234c2a17ef3fe98727bc8a54

SHA512
d06547cb4560d97dfe11ca0079d0a13926c42dc56f4b1403f9cbfd4ffc88a876d4a92e73860435b641e0534af1b8b2f8c0e6fc9bee467704d6098d94f587404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B01.exe
MD5
7fb7b7475a6c83033be436c0786501c4

SHA1
08147873f72a6e6de12fc49cc4d9acb5cdf0b462

SHA256
fbcd845cd667135afd6af8e0d1ab9bc515c211e7234c2a17ef3fe98727bc8a54

SHA512
d06547cb4560d97dfe11ca0079d0a13926c42dc56f4b1403f9cbfd4ffc88a876d4a92e73860435b641e0534af1b8b2f8c0e6fc9bee467704d6098d94f587404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E5C.exe
MD5
17fab439ac4a54ea258b1ac6cb4bcfbb

SHA1
47cb3ebb3e7559701194614a556da5e532424a66

SHA256
ef905bc622bd7399babbc0a00962e924e0b89b2f48e1b3c1eca51b2a62000d8f

SHA512
d2db30e3c26254d2cfef0556f130ab66e25075d6e9ff5a0e87dd08c30065eb2269fde087d78971ac8e2240105987ccce6a58e5e38df4c2a4b5f5da4582616d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nruqclie.exe
MD5
da5ec9e371bc9b4e10bc792c91ea8370

SHA1
6d4456d6884686e953c0f2f8b3ff60553be9bd0f

SHA256
5bc3acdd5a999fe78406cddefcba6afc49fdcaeb1b4802fb76c7e67947b030ed

SHA512
73a741f2823282f6ecf66e40a694d6385aae612c381c1ef399e7a28b0c1a73741531602240677a3e66a34b58c996d5b59010bb0ba2e2901a277618fe55d81f6a

Download Submit
C:\Windows\SysWOW64\tocmyxdr\nruqclie.exe
MD5
da5ec9e371bc9b4e10bc792c91ea8370

SHA1
6d4456d6884686e953c0f2f8b3ff60553be9bd0f

SHA256
5bc3acdd5a999fe78406cddefcba6afc49fdcaeb1b4802fb76c7e67947b030ed

SHA512
73a741f2823282f6ecf66e40a694d6385aae612c381c1ef399e7a28b0c1a73741531602240677a3e66a34b58c996d5b59010bb0ba2e2901a277618fe55d81f6a

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\msvcp140.dll
MD5
9f231303425df2b606aa36498b36bd3d

SHA1
edb5a7247cf2d3017829fb890904439f4b79e025

SHA256
f1d383841378f579bee6ba24ef8eb59eece44f3ff7e64885a540f29cf35518ce

SHA512
44ed39031fe65abb5bdef1f133f1e9ecb1724d414c68a9441f195bcd92cf0fe51c306e3ccbbcfbca3281156bceab5a4a24deb5b7c4be5839c0bb2b5ca4f373d3

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dll
MD5
af6b89c314983f871984c684250eadb8

SHA1
c976e5e6be6c357824b70474067e4aa4f0e1c1dd

SHA256
bbe34d3683c3320dbf4b022401440542e6f4fc6a583654b6f7b3d8433cc778cd

SHA512
87549892fa25f13c4bdf697f1e01c8e8518d15665df2e6b260932036d0480475b1b14f525bc98ef159d4e6ae7c92647940c9cc0703cb921a50a1e494d4145550

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/288-120-0x0000000000000000-mapping.dmp

Download
memory/428-78-0x0000000000000000-mapping.dmp

Download
memory/428-93-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/460-65-0x0000000000000000-mapping.dmp

Download
memory/548-129-0x0000000000000000-mapping.dmp

Download
memory/556-82-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/556-76-0x00000000004D0000-0x000000000056D000-memory.dmp

Filesize
628KB

Download
memory/556-69-0x0000000000000000-mapping.dmp

Download
memory/628-128-0x0000000000000000-mapping.dmp

Download
memory/628-131-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/628-130-0x0000000000070000-0x0000000000079000-memory.dmp

Filesize
36KB

Download
memory/696-135-0x0000000000000000-mapping.dmp

Download
memory/824-99-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/824-90-0x0000000000000000-mapping.dmp

Download
memory/872-63-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/948-157-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1084-140-0x0000000000000000-mapping.dmp

Download
memory/1120-71-0x0000000000000000-mapping.dmp

Download
memory/1120-80-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1120-86-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1212-143-0x0000000002950000-0x0000000002966000-memory.dmp

Filesize
88KB

Download
memory/1212-64-0x0000000002A00000-0x0000000002A16000-memory.dmp

Filesize
88KB

Download
memory/1224-153-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1224-155-0x0000000000089A6B-mapping.dmp

Download
memory/1308-119-0x0000000000100000-0x000000000016B000-memory.dmp

Filesize
428KB

Download
memory/1308-118-0x0000000000170000-0x00000000001E4000-memory.dmp

Filesize
464KB

Download
memory/1308-105-0x0000000000000000-mapping.dmp

Download
memory/1308-112-0x0000000072231000-0x0000000072233000-memory.dmp

Filesize
8KB

Download
memory/1328-115-0x0000000000000000-mapping.dmp

Download
memory/1504-97-0x0000000000000000-mapping.dmp

Download
memory/1504-109-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1504-111-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1588-94-0x0000000000000000-mapping.dmp

Download
memory/1588-110-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1588-107-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/1604-149-0x0000000000000000-mapping.dmp

Download
memory/1604-154-0x00000000000E0000-0x00000000000E9000-memory.dmp

Filesize
36KB

Download
memory/1604-152-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/1608-87-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1608-74-0x0000000000000000-mapping.dmp

Download
memory/1712-127-0x0000000000000000-mapping.dmp

Download
memory/1724-83-0x0000000000000000-mapping.dmp

Download
memory/1724-101-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1764-139-0x0000000000000000-mapping.dmp

Download
memory/1764-142-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1764-141-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/1816-150-0x0000000000100000-0x0000000000109000-memory.dmp

Filesize
36KB

Download
memory/1816-144-0x0000000000000000-mapping.dmp

Download
memory/1816-148-0x0000000000110000-0x0000000000114000-memory.dmp

Filesize
16KB

Download
memory/1908-161-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1908-162-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1908-156-0x0000000000000000-mapping.dmp

Download
memory/1916-125-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1916-126-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1916-123-0x00000000720C1000-0x00000000720C3000-memory.dmp

Filesize
8KB

Download
memory/1916-121-0x0000000000000000-mapping.dmp

Download
memory/1932-61-0x0000000000402E1A-mapping.dmp

Download
memory/1932-62-0x0000000075AF1000-0x0000000075AF3000-memory.dmp

Filesize
8KB

Download
memory/1932-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1936-132-0x0000000000000000-mapping.dmp

Download
memory/1936-136-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1936-138-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1960-116-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1960-117-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1960-114-0x0000000000000000-mapping.dmp

Download