icedid | b17485bdb6b377c0c38ab3e2ab83572760ce6c09952506d9202a235b82021a68

Analysis

max time kernel
81s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
24-02-2022 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4d3fc48e2a96e2dc10cf81acf99778a.exe
Size

229KB
MD5

a4d3fc48e2a96e2dc10cf81acf99778a
SHA1

aed6c2b9e92e138d47bd89950b24c77692b243b5
SHA256

b17485bdb6b377c0c38ab3e2ab83572760ce6c09952506d9202a235b82021a68
SHA512

8ecfd5d2a8532385f8433eb1d3d5a17619d473b19e4907effc46b6d2e422adde55a70ee8edd02526f4d2caa2aa0e59f2c07c64d15682df9fe68741785297d2da

Score

10^/10

icedid smokeloader 2715004312 backdoor banker loader suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://pjure.at/upload/

http://puffersweiven.com/upload/

http://algrcabel.ru/upload/

http://pelangiqq99.com/upload/

http://elsaunny.com/upload/

http://korphoto.com/upload/

http://hangxachtaythodoan.com/upload/

http://pkodev.net/upload/

http://go-piratia.ru/upload/

http://piratia.su/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Extracted

Family

icedid

Campaign

2715004312

badgoodreason.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 3464 created 3364	3464	WerFault.exe	F481.exe
PID 1780 created 564	1780	WerFault.exe	55B.exe
PID 1784 created 3364	1784	WerFault.exe	F481.exe

suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
suricata
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/3488-167-0x000001C9AED70000-0x000001C9AED7B000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

91 3288 rundll32.exe
93 312 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

B88F.exeD34C.exeF481.exe55B.exe

pid process

1660 B88F.exe
3488 D34C.exe
3364 F481.exe
564 55B.exe

flow	pid	process
91	3288	rundll32.exe
93	312	rundll32.exe

pid	process
1660	B88F.exe
3488	D34C.exe
3364	F481.exe
564	55B.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2012	3364	WerFault.exe	F481.exe
3768	564	WerFault.exe	55B.exe
2112	3364	WerFault.exe	F481.exe
380	3364	WerFault.exe	F481.exe
2408	3364	WerFault.exe	F481.exe
3508	3364	WerFault.exe	F481.exe
2000	564	WerFault.exe	55B.exe
2472	564	WerFault.exe	55B.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

B88F.exea4d3fc48e2a96e2dc10cf81acf99778a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B88F.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B88F.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B88F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a4d3fc48e2a96e2dc10cf81acf99778a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a4d3fc48e2a96e2dc10cf81acf99778a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a4d3fc48e2a96e2dc10cf81acf99778a.exe

Checks processor information in registry 2 TTPs 33 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F481.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	F481.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	F481.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	F481.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	F481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	F481.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	F481.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a4d3fc48e2a96e2dc10cf81acf99778a.exe

pid	process
1420	a4d3fc48e2a96e2dc10cf81acf99778a.exe
1420	a4d3fc48e2a96e2dc10cf81acf99778a.exe
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2436
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

a4d3fc48e2a96e2dc10cf81acf99778a.exeB88F.exe

pid process

1420 a4d3fc48e2a96e2dc10cf81acf99778a.exe
1660 B88F.exe

pid	process
2436

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeRestorePrivilege	2012	WerFault.exe
Token: SeBackupPrivilege	2012	WerFault.exe
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeIncreaseQuotaPrivilege	3640	WMIC.exe
Token: SeSecurityPrivilege	3640	WMIC.exe
Token: SeTakeOwnershipPrivilege	3640	WMIC.exe
Token: SeLoadDriverPrivilege	3640	WMIC.exe
Token: SeSystemProfilePrivilege	3640	WMIC.exe
Token: SeSystemtimePrivilege	3640	WMIC.exe
Token: SeProfSingleProcessPrivilege	3640	WMIC.exe
Token: SeIncBasePriorityPrivilege	3640	WMIC.exe
Token: SeCreatePagefilePrivilege	3640	WMIC.exe
Token: SeBackupPrivilege	3640	WMIC.exe
Token: SeRestorePrivilege	3640	WMIC.exe
Token: SeShutdownPrivilege	3640	WMIC.exe
Token: SeDebugPrivilege	3640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3640	WMIC.exe
Token: SeRemoteShutdownPrivilege	3640	WMIC.exe
Token: SeUndockPrivilege	3640	WMIC.exe
Token: SeManageVolumePrivilege	3640	WMIC.exe
Token: 33	3640	WMIC.exe
Token: 34	3640	WMIC.exe
Token: 35	3640	WMIC.exe
Token: 36	3640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3640	WMIC.exe
Token: SeSecurityPrivilege	3640	WMIC.exe
Token: SeTakeOwnershipPrivilege	3640	WMIC.exe
Token: SeLoadDriverPrivilege	3640	WMIC.exe
Token: SeSystemProfilePrivilege	3640	WMIC.exe
Token: SeSystemtimePrivilege	3640	WMIC.exe
Token: SeProfSingleProcessPrivilege	3640	WMIC.exe
Token: SeIncBasePriorityPrivilege	3640	WMIC.exe
Token: SeCreatePagefilePrivilege	3640	WMIC.exe
Token: SeBackupPrivilege	3640	WMIC.exe
Token: SeRestorePrivilege	3640	WMIC.exe
Token: SeShutdownPrivilege	3640	WMIC.exe
Token: SeDebugPrivilege	3640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3640	WMIC.exe
Token: SeRemoteShutdownPrivilege	3640	WMIC.exe
Token: SeUndockPrivilege	3640	WMIC.exe
Token: SeManageVolumePrivilege	3640	WMIC.exe
Token: 33	3640	WMIC.exe
Token: 34	3640	WMIC.exe
Token: 35	3640	WMIC.exe
Token: 36	3640	WMIC.exe
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeIncreaseQuotaPrivilege	376	WMIC.exe
Token: SeSecurityPrivilege	376	WMIC.exe
Token: SeTakeOwnershipPrivilege	376	WMIC.exe
Token: SeLoadDriverPrivilege	376	WMIC.exe
Token: SeSystemProfilePrivilege	376	WMIC.exe
Token: SeSystemtimePrivilege	376	WMIC.exe
Token: SeProfSingleProcessPrivilege	376	WMIC.exe
Token: SeIncBasePriorityPrivilege	376	WMIC.exe
Token: SeCreatePagefilePrivilege	376	WMIC.exe
Token: SeBackupPrivilege	376	WMIC.exe
Token: SeRestorePrivilege	376	WMIC.exe
Token: SeShutdownPrivilege	376	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

D34C.exe

pid process

3488 D34C.exe

pid	process
3488	D34C.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

F481.exeWerFault.exe55B.exeWerFault.exe

description	pid	process	target process
PID 2436 wrote to memory of 1660	2436		B88F.exe
PID 2436 wrote to memory of 1660	2436		B88F.exe
PID 2436 wrote to memory of 1660	2436		B88F.exe
PID 2436 wrote to memory of 3488	2436		D34C.exe
PID 2436 wrote to memory of 3488	2436		D34C.exe
PID 2436 wrote to memory of 3364	2436		F481.exe
PID 2436 wrote to memory of 3364	2436		F481.exe
PID 2436 wrote to memory of 3364	2436		F481.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3464 wrote to memory of 3364	3464	WerFault.exe	F481.exe
PID 3464 wrote to memory of 3364	3464	WerFault.exe	F481.exe
PID 2436 wrote to memory of 564	2436		55B.exe
PID 2436 wrote to memory of 564	2436		55B.exe
PID 2436 wrote to memory of 564	2436		55B.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 3364 wrote to memory of 3288	3364	F481.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 1780 wrote to memory of 564	1780	WerFault.exe	55B.exe
PID 1780 wrote to memory of 564	1780	WerFault.exe	55B.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe
PID 564 wrote to memory of 312	564	55B.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a4d3fc48e2a96e2dc10cf81acf99778a.exe
"C:\Users\Admin\AppData\Local\Temp\a4d3fc48e2a96e2dc10cf81acf99778a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1420

C:\Users\Admin\AppData\Local\Temp\B88F.exe
C:\Users\Admin\AppData\Local\Temp\B88F.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1660

C:\Users\Admin\AppData\Local\Temp\D34C.exe
C:\Users\Admin\AppData\Local\Temp\D34C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Users\Admin\AppData\Local\Temp\F481.exe
C:\Users\Admin\AppData\Local\Temp\F481.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 640
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 884
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 940
2⤵
- Program crash
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 972
2⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 964
2⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3364 -ip 3364
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\55B.exe
C:\Users\Admin\AppData\Local\Temp\55B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 616
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 960
2⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 960
2⤵
- Program crash
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 564 -ip 564
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\cmd.exe
cmd
1⤵
PID:3696

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:2452

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:2080

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3364 -ip 3364
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3364 -ip 3364
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3364 -ip 3364
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3364 -ip 3364
1⤵
PID:2460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 564 -ip 564
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 564 -ip 564
1⤵
PID:3440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\55B.exe
MD5
501253915a1c1931fa88c43672ff0eaf

SHA1
3f29f95da864dec04f131c12b160ffeef080d190

SHA256
daf9419df6bce826aed80fe196fc6940d40d9cc3afcbb8eda6a5da4de8ea91d8

SHA512
f250b1484ae63d8154b93fc7340184020c7cf5c8972090557ecc2a5193188dcdad7a39fbdc70a25a17d9cfa5bf427d0c43808f6724399041106cf26f1d09eaeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\55B.exe
MD5
501253915a1c1931fa88c43672ff0eaf

SHA1
3f29f95da864dec04f131c12b160ffeef080d190

SHA256
daf9419df6bce826aed80fe196fc6940d40d9cc3afcbb8eda6a5da4de8ea91d8

SHA512
f250b1484ae63d8154b93fc7340184020c7cf5c8972090557ecc2a5193188dcdad7a39fbdc70a25a17d9cfa5bf427d0c43808f6724399041106cf26f1d09eaeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B88F.exe
MD5
02fb35c3dd94cf80250c4738d123e117

SHA1
531f4b811934421ae36c81a418462b41d44f4ec0

SHA256
fc868c1604ff4f617c7f5b5ed0471e80cc5d4fff5da2830deff7db88863a84a7

SHA512
11d2d116fa73f84f6830400fd6accfa419d83f2dc60d598a8aa80a7515e0857ecc72a4c390fc3a9cfdedd84c0fc91e401395a0158261492368ef9d15151d73d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B88F.exe
MD5
02fb35c3dd94cf80250c4738d123e117

SHA1
531f4b811934421ae36c81a418462b41d44f4ec0

SHA256
fc868c1604ff4f617c7f5b5ed0471e80cc5d4fff5da2830deff7db88863a84a7

SHA512
11d2d116fa73f84f6830400fd6accfa419d83f2dc60d598a8aa80a7515e0857ecc72a4c390fc3a9cfdedd84c0fc91e401395a0158261492368ef9d15151d73d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D34C.exe
MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
C:\Users\Admin\AppData\Local\Temp\D34C.exe
MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
C:\Users\Admin\AppData\Local\Temp\F481.exe
MD5
501253915a1c1931fa88c43672ff0eaf

SHA1
3f29f95da864dec04f131c12b160ffeef080d190

SHA256
daf9419df6bce826aed80fe196fc6940d40d9cc3afcbb8eda6a5da4de8ea91d8

SHA512
f250b1484ae63d8154b93fc7340184020c7cf5c8972090557ecc2a5193188dcdad7a39fbdc70a25a17d9cfa5bf427d0c43808f6724399041106cf26f1d09eaeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\F481.exe
MD5
501253915a1c1931fa88c43672ff0eaf

SHA1
3f29f95da864dec04f131c12b160ffeef080d190

SHA256
daf9419df6bce826aed80fe196fc6940d40d9cc3afcbb8eda6a5da4de8ea91d8

SHA512
f250b1484ae63d8154b93fc7340184020c7cf5c8972090557ecc2a5193188dcdad7a39fbdc70a25a17d9cfa5bf427d0c43808f6724399041106cf26f1d09eaeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tedyyqtuoqfyeed.tmp
MD5
eec4cfce44105d183cecf26cdcd07f61

SHA1
54bd4323be3ed8a1a9341cd8bebdc36202d2b89e

SHA256
b4d2d12d27896be5e969d3669749c13f9b3cc535ac8b2614bc1fdfc462373017

SHA512
58e5701344dd5409abc4da367e3f492645f5d61ce6a77dc6153a130fca65cb4a5ac501c483d9c0b1ba810445e52aea0a4cd3b86ed43437a6edd6a1ce1432322b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tedyyqtuoqfyeed.tmp
MD5
eec4cfce44105d183cecf26cdcd07f61

SHA1
54bd4323be3ed8a1a9341cd8bebdc36202d2b89e

SHA256
b4d2d12d27896be5e969d3669749c13f9b3cc535ac8b2614bc1fdfc462373017

SHA512
58e5701344dd5409abc4da367e3f492645f5d61ce6a77dc6153a130fca65cb4a5ac501c483d9c0b1ba810445e52aea0a4cd3b86ed43437a6edd6a1ce1432322b

Download Submit
memory/312-166-0x0000000003310000-0x0000000003313000-memory.dmp

Filesize
12KB

Download
memory/312-164-0x00000000032F0000-0x00000000032F3000-memory.dmp

Filesize
12KB

Download
memory/312-163-0x00000000032E0000-0x00000000032E3000-memory.dmp

Filesize
12KB

Download
memory/312-165-0x0000000003300000-0x0000000003303000-memory.dmp

Filesize
12KB

Download
memory/312-168-0x0000000003320000-0x0000000003323000-memory.dmp

Filesize
12KB

Download
memory/312-169-0x0000000003330000-0x0000000003333000-memory.dmp

Filesize
12KB

Download
memory/564-210-0x0000000003260000-0x0000000003CBD000-memory.dmp

Filesize
10.4MB

Download
memory/564-154-0x000000000060A000-0x0000000000611000-memory.dmp

Filesize
28KB

Download
memory/564-217-0x0000000003CC0000-0x0000000003E00000-memory.dmp

Filesize
1.2MB

Download
memory/564-213-0x0000000003CC0000-0x0000000003E00000-memory.dmp

Filesize
1.2MB

Download
memory/564-209-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/564-215-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/564-152-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/564-153-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/564-211-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/564-216-0x0000000003CC0000-0x0000000003E00000-memory.dmp

Filesize
1.2MB

Download
memory/564-207-0x0000000003260000-0x0000000003CBD000-memory.dmp

Filesize
10.4MB

Download
memory/564-208-0x0000000003261000-0x0000000003CBD000-memory.dmp

Filesize
10.4MB

Download
memory/564-218-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/564-219-0x0000000003CC0000-0x0000000003E00000-memory.dmp

Filesize
1.2MB

Download
memory/564-212-0x0000000003CC0000-0x0000000003E00000-memory.dmp

Filesize
1.2MB

Download
memory/1420-132-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1420-130-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/1420-131-0x0000000000800000-0x0000000000809000-memory.dmp

Filesize
36KB

Download
memory/1660-136-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/1660-137-0x00000000007E0000-0x00000000007E9000-memory.dmp

Filesize
36KB

Download
memory/1660-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2436-133-0x0000000000B80000-0x0000000000B96000-memory.dmp

Filesize
88KB

Download
memory/2436-171-0x0000000008480000-0x000000000848F000-memory.dmp

Filesize
60KB

Download
memory/2436-141-0x0000000003090000-0x00000000030A6000-memory.dmp

Filesize
88KB

Download
memory/3288-159-0x0000000000340000-0x0000000000343000-memory.dmp

Filesize
12KB

Download
memory/3288-158-0x0000000000330000-0x0000000000333000-memory.dmp

Filesize
12KB

Download
memory/3288-157-0x00000000767C4000-0x00000000767C5000-memory.dmp

Filesize
4KB

Download
memory/3288-156-0x00000000770B4000-0x00000000770B5000-memory.dmp

Filesize
4KB

Download
memory/3288-155-0x0000000000320000-0x0000000000323000-memory.dmp

Filesize
12KB

Download
memory/3288-162-0x0000000000370000-0x0000000000373000-memory.dmp

Filesize
12KB

Download
memory/3288-160-0x0000000000350000-0x0000000000353000-memory.dmp

Filesize
12KB

Download
memory/3288-161-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/3364-172-0x00000000030E0000-0x0000000003B3D000-memory.dmp

Filesize
10.4MB

Download
memory/3364-194-0x0000000003CDF000-0x0000000003CE0000-memory.dmp

Filesize
4KB

Download
memory/3364-180-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/3364-181-0x0000000003C40000-0x0000000003D80000-memory.dmp

Filesize
1.2MB

Download
memory/3364-182-0x0000000003C40000-0x0000000003D80000-memory.dmp

Filesize
1.2MB

Download
memory/3364-183-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/3364-184-0x0000000003C40000-0x0000000003D80000-memory.dmp

Filesize
1.2MB

Download
memory/3364-185-0x0000000003C40000-0x0000000003D80000-memory.dmp

Filesize
1.2MB

Download
memory/3364-186-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/3364-188-0x0000000003C40000-0x0000000003D80000-memory.dmp

Filesize
1.2MB

Download
memory/3364-187-0x0000000003C40000-0x0000000003D80000-memory.dmp

Filesize
1.2MB

Download
memory/3364-144-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/3364-178-0x0000000003C40000-0x0000000003D80000-memory.dmp

Filesize
1.2MB

Download
memory/3364-145-0x00000000024B0000-0x000000000259B000-memory.dmp

Filesize
940KB

Download
memory/3364-193-0x00000000770B2000-0x00000000770B3000-memory.dmp

Filesize
4KB

Download
memory/3364-146-0x00000000025A0000-0x00000000027E9000-memory.dmp

Filesize
2.3MB

Download
memory/3364-197-0x0000000003D4E000-0x0000000003D4F000-memory.dmp

Filesize
4KB

Download
memory/3364-147-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/3364-148-0x000000000060A000-0x0000000000611000-memory.dmp

Filesize
28KB

Download
memory/3364-179-0x0000000003C40000-0x0000000003D80000-memory.dmp

Filesize
1.2MB

Download
memory/3364-214-0x00000000770B2000-0x00000000770B3000-memory.dmp

Filesize
4KB

Download
memory/3364-149-0x00000000770B2000-0x00000000770B3000-memory.dmp

Filesize
4KB

Download
memory/3364-173-0x00000000770B2000-0x00000000770B3000-memory.dmp

Filesize
4KB

Download
memory/3364-174-0x00000000030E1000-0x0000000003B3D000-memory.dmp

Filesize
10.4MB

Download
memory/3364-175-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/3364-176-0x00000000030E0000-0x0000000003B3D000-memory.dmp

Filesize
10.4MB

Download
memory/3364-177-0x0000000003E10000-0x0000000003E11000-memory.dmp

Filesize
4KB

Download
memory/3488-167-0x000001C9AED70000-0x000001C9AED7B000-memory.dmp

Filesize
44KB

Download
memory/3492-204-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/3492-203-0x0000000004FA0000-0x00000000059FD000-memory.dmp

Filesize
10.4MB

Download
memory/3492-200-0x0000000005C0F000-0x0000000005C10000-memory.dmp

Filesize
4KB

Download
memory/3492-202-0x00000000770B2000-0x00000000770B3000-memory.dmp

Filesize
4KB

Download
memory/3492-201-0x0000000005C7E000-0x0000000005C7F000-memory.dmp

Filesize
4KB

Download
memory/3492-199-0x0000000002C00000-0x000000000353D000-memory.dmp

Filesize
9.2MB

Download
memory/3492-195-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/3492-198-0x0000000005B70000-0x0000000005CB0000-memory.dmp

Filesize
1.2MB

Download
memory/3492-196-0x0000000005B70000-0x0000000005CB0000-memory.dmp

Filesize
1.2MB

Download
memory/3492-191-0x0000000004FA0000-0x00000000059FD000-memory.dmp

Filesize
10.4MB

Download
memory/3492-190-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download