smokeloader | becc55f0da56190c49c0b6043e9e7edaf68621331434f23f037f99a41d476ce0

Analysis

max time kernel
148s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

becc55f0da56190c49c0b6043e9e7edaf68621331434f23f037f99a41d476ce0.exe
Size

133KB
MD5

055a72c67c6ca93ad472397f536963f6
SHA1

97f95eb5af6b2e1f219bdde636dd0cd22f72529d
SHA256

becc55f0da56190c49c0b6043e9e7edaf68621331434f23f037f99a41d476ce0
SHA512

047612ae7c30c9109fbca14ae18c4b93befff37dc06a6872cefe17894071c256d38ad7aeddced012cd8680db64eea3e81eeeec36e7a7154dbe6c5eb21373d2d3
SSDEEP

3072:a0qHM7OR0IhWqjMprNY6F8m+AgBDrh47RXmG:YDMqjb6F8mTS4c

Score

10^/10

smokeloader backdoor spyware stealer trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/1048-133-0x00000000022B0000-0x00000000022B9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
3904	AF94.exe
2756	CFEE.exe
3876	F1EF.exe
1096	F7CC.exe
1660	1B91.exe
1080	2314.exe
808	1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AF94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	CFEE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
125	checkip.amazonaws.com
127	checkip.amazonaws.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	becc55f0da56190c49c0b6043e9e7edaf68621331434f23f037f99a41d476ce0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	becc55f0da56190c49c0b6043e9e7edaf68621331434f23f037f99a41d476ce0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	becc55f0da56190c49c0b6043e9e7edaf68621331434f23f037f99a41d476ce0.exe

GoLang User-Agent 5 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	115	Go-http-client/1.1
HTTP User-Agent header	116	Go-http-client/1.1
HTTP User-Agent header	117	Go-http-client/1.1
HTTP User-Agent header	118	Go-http-client/1.1
HTTP User-Agent header	114	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F373B387065A28848AF2F34ACE192BDDC78E9CAC	1B91.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F373B387065A28848AF2F34ACE192BDDC78E9CAC\Blob = 0f0000000100000020000000927824e958a132afbcadd9e12357a0f9788ab99c5669e1ec3825e1eb5f6f54540b000000010000003e00000041006300740061006c00690073002000410075007400680065006e007400690063006100740069006f006e00200052006f006f0074002000430041000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000055926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066530000000100000020000000301e301c06062b811f01110130123010060a2b0601040182373c0101030200c014000000010000001400000052d8883ac89f7866ed89f37b387094c9020236d01d000000010000001000000095b4475fef63caf7452d10faa6f6362b030000000100000014000000f373b387065a28848af2f34ace192bddc78e9cac2000000001000000bf050000308205bb308203a3a0030201020208570a119742c4e3cc300d06092a864886f70d01010b0500306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f74204341301e170d3131303932323131323230325a170d3330303932323131323230325a306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100a7c6c4a529a42cefe518c5b050a36f513b9f0a5ac9c248380ac21ca0187f91b587b9403fdd1d681f0883d52d1e88a0f88f568f6d9902929016d55f086c89d7e1acbc20c2b1e083518a694d00965a6f2fc0447ea30ee491cd58eedcfbc71e4547dd27b908019fa6211df5412d2f4cfd28ade08aad22b456658e86548f934329de394678a33023bacdf07d1357c05dd2836b484cc4ab9f805a5b3abdc9a7223f8027335b0eb78a0c5d073708cb6cd27a47224435c5cccc2e8edd2aedb77d660d5f615122551be346e3e33dd035629adbaf14c85ba1cc891be13026fca09b1f81a7471f04eba33992069f99d3bfd3ea4f509c19fe96871e3c65f6a31824838610e7543ea83a76244f8121c5e30f02f893944720bbfed40ed368b9ddc47a8482e3535479dddb9cd2f2079b2eb6bc3eed856def2511f2971a4261f74a97e88bb11007fa6581b2a239cff73cff18fbc6f15a8b59e202ac7b92d04e144f5945f60c5e285fb0e83f45cfcfaf9b6ffb84d3775a956fac94849eeebcc04a8f4a93f84421e2314561504e10d8e3357c4c19b4de05bfa3069fc8b5cde41fd717060d7a9574550d681afc101b62649d6de095a0c39407570d14e6bd05fbb89fe6df8be2c6e77e96f653c58034502858f01250711730bae67863bcf4b2ad9b2bb2fee1398c5eba0b2094de7b83b8ffe3568db711e93b8cf2b1c15d9da40b4c2bd9b218f5b59f4b0203010001a3633061301d0603551d0e0416041452d8883ac89f7866ed89f37b387094c9020236d0300f0603551d130101ff040530030101ff301f0603551d2304183016801452d8883ac89f7866ed89f37b387094c9020236d0300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820201000b7b7287c060a6494c8858e61d88f7146448a6d8580a0e4f1335df351dd4ed0631c8813e6ad5dd3b1a32ee903d11d22ef48ec3632e2366b067be6fb6c0133960aaa23425937552dea79dad0e878952716a163c191d83f89a2965bef43f9ad9f0f35a872171804dcbe0389b3fbbfae0304dcf86d365101918d19702b12b724268aca0bd4e5ada18bf6b9881d0fd9abe5e1548cd1115b9c0295cb4e888f73e36aeb762fd1e62de7078101c485bdabca438ba67ed553e5e57dfd403404c81a4d24f63a709420914fc00a9c280734f2ec040d9117b48ea7a02c0d3eb2801265874c1c073226d9395fd397dbb2ae3f682e32c975f4e1f9194fafe2ca3d8761ab84db2384f9bfa1d48607926e2f3fda9d09ae8708f497ad6e5bd0a0edb2df38dbfebe3a47dcbc79571e8daa37cc5c2f87492041b86aca4225340b6acfe4c76cffb9432c0359f763f6ee5906ea0a626a2b82cbed12b85fda768c8ba012bb16c741db87395e7eeb7c725f0004c00b27eb60b8b1cf3c0509e25b9e008de3666ff37a5d1bb54642cc927b54b927e65ffd32de1b94ebc7fa44121904177a6391fea9ee39fd0666f05ecaa767ebf6b16a0ebb5c7fc92542f2b11272537784c516ab0f3cc585d14f16a4815ffc207b6b18d0f8e5c5046b33dbf01984fb25954473e347b786d56932e73ea662878cd1d14bfa08f2f2eb82e8ef2148acce9b57cfb6c9d0ca5e196	1B91.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F373B387065A28848AF2F34ACE192BDDC78E9CAC\Blob = 190000000100000010000000147c50fda90d6498a51e241b0e84d362030000000100000014000000f373b387065a28848af2f34ace192bddc78e9cac1d000000010000001000000095b4475fef63caf7452d10faa6f6362b14000000010000001400000052d8883ac89f7866ed89f37b387094c9020236d0530000000100000020000000301e301c06062b811f01110130123010060a2b0601040182373c0101030200c062000000010000002000000055926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b000000010000003e00000041006300740061006c00690073002000410075007400680065006e007400690063006100740069006f006e00200052006f006f00740020004300410000000f0000000100000020000000927824e958a132afbcadd9e12357a0f9788ab99c5669e1ec3825e1eb5f6f54542000000001000000bf050000308205bb308203a3a0030201020208570a119742c4e3cc300d06092a864886f70d01010b0500306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f74204341301e170d3131303932323131323230325a170d3330303932323131323230325a306b310b3009060355040613024954310e300c06035504070c054d696c616e31233021060355040a0c1a416374616c697320532e702e412e2f30333335383532303936373127302506035504030c1e416374616c69732041757468656e7469636174696f6e20526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100a7c6c4a529a42cefe518c5b050a36f513b9f0a5ac9c248380ac21ca0187f91b587b9403fdd1d681f0883d52d1e88a0f88f568f6d9902929016d55f086c89d7e1acbc20c2b1e083518a694d00965a6f2fc0447ea30ee491cd58eedcfbc71e4547dd27b908019fa6211df5412d2f4cfd28ade08aad22b456658e86548f934329de394678a33023bacdf07d1357c05dd2836b484cc4ab9f805a5b3abdc9a7223f8027335b0eb78a0c5d073708cb6cd27a47224435c5cccc2e8edd2aedb77d660d5f615122551be346e3e33dd035629adbaf14c85ba1cc891be13026fca09b1f81a7471f04eba33992069f99d3bfd3ea4f509c19fe96871e3c65f6a31824838610e7543ea83a76244f8121c5e30f02f893944720bbfed40ed368b9ddc47a8482e3535479dddb9cd2f2079b2eb6bc3eed856def2511f2971a4261f74a97e88bb11007fa6581b2a239cff73cff18fbc6f15a8b59e202ac7b92d04e144f5945f60c5e285fb0e83f45cfcfaf9b6ffb84d3775a956fac94849eeebcc04a8f4a93f84421e2314561504e10d8e3357c4c19b4de05bfa3069fc8b5cde41fd717060d7a9574550d681afc101b62649d6de095a0c39407570d14e6bd05fbb89fe6df8be2c6e77e96f653c58034502858f01250711730bae67863bcf4b2ad9b2bb2fee1398c5eba0b2094de7b83b8ffe3568db711e93b8cf2b1c15d9da40b4c2bd9b218f5b59f4b0203010001a3633061301d0603551d0e0416041452d8883ac89f7866ed89f37b387094c9020236d0300f0603551d130101ff040530030101ff301f0603551d2304183016801452d8883ac89f7866ed89f37b387094c9020236d0300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820201000b7b7287c060a6494c8858e61d88f7146448a6d8580a0e4f1335df351dd4ed0631c8813e6ad5dd3b1a32ee903d11d22ef48ec3632e2366b067be6fb6c0133960aaa23425937552dea79dad0e878952716a163c191d83f89a2965bef43f9ad9f0f35a872171804dcbe0389b3fbbfae0304dcf86d365101918d19702b12b724268aca0bd4e5ada18bf6b9881d0fd9abe5e1548cd1115b9c0295cb4e888f73e36aeb762fd1e62de7078101c485bdabca438ba67ed553e5e57dfd403404c81a4d24f63a709420914fc00a9c280734f2ec040d9117b48ea7a02c0d3eb2801265874c1c073226d9395fd397dbb2ae3f682e32c975f4e1f9194fafe2ca3d8761ab84db2384f9bfa1d48607926e2f3fda9d09ae8708f497ad6e5bd0a0edb2df38dbfebe3a47dcbc79571e8daa37cc5c2f87492041b86aca4225340b6acfe4c76cffb9432c0359f763f6ee5906ea0a626a2b82cbed12b85fda768c8ba012bb16c741db87395e7eeb7c725f0004c00b27eb60b8b1cf3c0509e25b9e008de3666ff37a5d1bb54642cc927b54b927e65ffd32de1b94ebc7fa44121904177a6391fea9ee39fd0666f05ecaa767ebf6b16a0ebb5c7fc92542f2b11272537784c516ab0f3cc585d14f16a4815ffc207b6b18d0f8e5c5046b33dbf01984fb25954473e347b786d56932e73ea662878cd1d14bfa08f2f2eb82e8ef2148acce9b57cfb6c9d0ca5e196	1B91.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1048	becc55f0da56190c49c0b6043e9e7edaf68621331434f23f037f99a41d476ce0.exe
1048	becc55f0da56190c49c0b6043e9e7edaf68621331434f23f037f99a41d476ce0.exe
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2592	Process not Found

Suspicious behavior: MapViewOfSection 15 IoCs

pid	Process
1048	becc55f0da56190c49c0b6043e9e7edaf68621331434f23f037f99a41d476ce0.exe
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found
2592	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeDebugPrivilege	1096	F7CC.exe
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeDebugPrivilege	1080	2314.exe
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeShutdownPrivilege	2592	Process not Found
Token: SeCreatePagefilePrivilege	2592	Process not Found
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeIncreaseQuotaPrivilege	3912	WMIC.exe
Token: SeSecurityPrivilege	3912	WMIC.exe
Token: SeTakeOwnershipPrivilege	3912	WMIC.exe
Token: SeLoadDriverPrivilege	3912	WMIC.exe
Token: SeSystemProfilePrivilege	3912	WMIC.exe
Token: SeSystemtimePrivilege	3912	WMIC.exe
Token: SeProfSingleProcessPrivilege	3912	WMIC.exe
Token: SeIncBasePriorityPrivilege	3912	WMIC.exe
Token: SeCreatePagefilePrivilege	3912	WMIC.exe
Token: SeBackupPrivilege	3912	WMIC.exe
Token: SeRestorePrivilege	3912	WMIC.exe
Token: SeShutdownPrivilege	3912	WMIC.exe
Token: SeDebugPrivilege	3912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3912	WMIC.exe
Token: SeRemoteShutdownPrivilege	3912	WMIC.exe
Token: SeUndockPrivilege	3912	WMIC.exe
Token: SeManageVolumePrivilege	3912	WMIC.exe
Token: 33	3912	WMIC.exe
Token: 34	3912	WMIC.exe
Token: 35	3912	WMIC.exe
Token: 36	3912	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3912	WMIC.exe
Token: SeSecurityPrivilege	3912	WMIC.exe
Token: SeTakeOwnershipPrivilege	3912	WMIC.exe
Token: SeLoadDriverPrivilege	3912	WMIC.exe
Token: SeSystemProfilePrivilege	3912	WMIC.exe
Token: SeSystemtimePrivilege	3912	WMIC.exe
Token: SeProfSingleProcessPrivilege	3912	WMIC.exe
Token: SeIncBasePriorityPrivilege	3912	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 3904	2592	Process not Found	89
PID 2592 wrote to memory of 3904	2592	Process not Found	89
PID 2592 wrote to memory of 3904	2592	Process not Found	89
PID 2592 wrote to memory of 2756	2592	Process not Found	90
PID 2592 wrote to memory of 2756	2592	Process not Found	90
PID 2592 wrote to memory of 2756	2592	Process not Found	90
PID 2592 wrote to memory of 3876	2592	Process not Found	91
PID 2592 wrote to memory of 3876	2592	Process not Found	91
PID 2592 wrote to memory of 3876	2592	Process not Found	91
PID 2592 wrote to memory of 1096	2592	Process not Found	92
PID 2592 wrote to memory of 1096	2592	Process not Found	92
PID 2592 wrote to memory of 1096	2592	Process not Found	92
PID 2592 wrote to memory of 1660	2592	Process not Found	94
PID 2592 wrote to memory of 1660	2592	Process not Found	94
PID 2592 wrote to memory of 1660	2592	Process not Found	94
PID 2592 wrote to memory of 1080	2592	Process not Found	96
PID 2592 wrote to memory of 1080	2592	Process not Found	96
PID 2592 wrote to memory of 1080	2592	Process not Found	96
PID 2592 wrote to memory of 4180	2592	Process not Found	97
PID 2592 wrote to memory of 4180	2592	Process not Found	97
PID 2592 wrote to memory of 4180	2592	Process not Found	97
PID 2592 wrote to memory of 4180	2592	Process not Found	97
PID 2756 wrote to memory of 808	2756	CFEE.exe	99
PID 2756 wrote to memory of 808	2756	CFEE.exe	99
PID 2756 wrote to memory of 808	2756	CFEE.exe	99
PID 2592 wrote to memory of 704	2592	Process not Found	100
PID 2592 wrote to memory of 704	2592	Process not Found	100
PID 2592 wrote to memory of 704	2592	Process not Found	100
PID 2592 wrote to memory of 2860	2592	Process not Found	101
PID 2592 wrote to memory of 2860	2592	Process not Found	101
PID 2592 wrote to memory of 2860	2592	Process not Found	101
PID 2592 wrote to memory of 2860	2592	Process not Found	101
PID 2592 wrote to memory of 2620	2592	Process not Found	103
PID 2592 wrote to memory of 2620	2592	Process not Found	103
PID 2592 wrote to memory of 2620	2592	Process not Found	103
PID 3904 wrote to memory of 4484	3904	AF94.exe	104
PID 3904 wrote to memory of 4484	3904	AF94.exe	104
PID 3904 wrote to memory of 4484	3904	AF94.exe	104
PID 2592 wrote to memory of 3952	2592	Process not Found	106
PID 2592 wrote to memory of 3952	2592	Process not Found	106
PID 2592 wrote to memory of 3952	2592	Process not Found	106
PID 2592 wrote to memory of 3952	2592	Process not Found	106
PID 2592 wrote to memory of 2608	2592	Process not Found	108
PID 2592 wrote to memory of 2608	2592	Process not Found	108
PID 2592 wrote to memory of 2608	2592	Process not Found	108
PID 2592 wrote to memory of 2608	2592	Process not Found	108
PID 1660 wrote to memory of 3708	1660	1B91.exe	109
PID 1660 wrote to memory of 3708	1660	1B91.exe	109
PID 1660 wrote to memory of 3708	1660	1B91.exe	109
PID 3708 wrote to memory of 3912	3708	cmd.exe	111
PID 3708 wrote to memory of 3912	3708	cmd.exe	111
PID 3708 wrote to memory of 3912	3708	cmd.exe	111
PID 2592 wrote to memory of 996	2592	Process not Found	112
PID 2592 wrote to memory of 996	2592	Process not Found	112
PID 2592 wrote to memory of 996	2592	Process not Found	112
PID 2592 wrote to memory of 996	2592	Process not Found	112

C:\Users\Admin\AppData\Local\Temp\becc55f0da56190c49c0b6043e9e7edaf68621331434f23f037f99a41d476ce0.exe
"C:\Users\Admin\AppData\Local\Temp\becc55f0da56190c49c0b6043e9e7edaf68621331434f23f037f99a41d476ce0.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1048

C:\Users\Admin\AppData\Local\Temp\AF94.exe
C:\Users\Admin\AppData\Local\Temp\AF94.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4484

C:\Users\Admin\AppData\Local\Temp\CFEE.exe
C:\Users\Admin\AppData\Local\Temp\CFEE.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\Temp\1.exe
  "C:\Windows\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  PID:808

C:\Users\Admin\AppData\Local\Temp\F1EF.exe
C:\Users\Admin\AppData\Local\Temp\F1EF.exe
1⤵
- Executes dropped EXE
PID:3876

C:\Users\Admin\AppData\Local\Temp\F7CC.exe
C:\Users\Admin\AppData\Local\Temp\F7CC.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Users\Admin\AppData\Local\Temp\1B91.exe
C:\Users\Admin\AppData\Local\Temp\1B91.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  PID:4308
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:1468
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:4352

C:\Users\Admin\AppData\Local\Temp\2314.exe
C:\Users\Admin\AppData\Local\Temp\2314.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4180

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2860

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2620

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3952

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2608

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:996

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1404

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B91.exe

Filesize
4.3MB

MD5
06a1dc7aae769814998f99c0bca5ea41

SHA1
81ea40089386bffadd0e0a6bb780b7ddd4dc71a9

SHA256
ed14ed57c0a785e01024deffe5a05a79ed9d61a21c58ea8be136c79d31e2daa6

SHA512
aa4a4f8cfe7d7e68c6751e518763cbc509a7ba31699dc7541104170af1a19b439e9ae687d92c8b09450088317e58b5fc78b921646ddba0a28b1f080b7190f65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B91.exe

Filesize
4.3MB

MD5
06a1dc7aae769814998f99c0bca5ea41

SHA1
81ea40089386bffadd0e0a6bb780b7ddd4dc71a9

SHA256
ed14ed57c0a785e01024deffe5a05a79ed9d61a21c58ea8be136c79d31e2daa6

SHA512
aa4a4f8cfe7d7e68c6751e518763cbc509a7ba31699dc7541104170af1a19b439e9ae687d92c8b09450088317e58b5fc78b921646ddba0a28b1f080b7190f65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2314.exe

Filesize
236KB

MD5
ae135c9b09deb9a72e3fa5286aa473e7

SHA1
d544617488a05590be04e771932ccff8b3e43e46

SHA256
49aacad637554371e55dae62d643fffcfc5b13c80a6474804321ae4f399a7a24

SHA512
756d1a143824a7ff6f48820c43ded94d866e3f386e8b353905eb6dcd446c3103592de90f97d6102406de75e52882acd329e924695ea4bfcc5d54b058d87d5205

Download Submit
C:\Users\Admin\AppData\Local\Temp\2314.exe

Filesize
236KB

MD5
ae135c9b09deb9a72e3fa5286aa473e7

SHA1
d544617488a05590be04e771932ccff8b3e43e46

SHA256
49aacad637554371e55dae62d643fffcfc5b13c80a6474804321ae4f399a7a24

SHA512
756d1a143824a7ff6f48820c43ded94d866e3f386e8b353905eb6dcd446c3103592de90f97d6102406de75e52882acd329e924695ea4bfcc5d54b058d87d5205

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF94.exe

Filesize
699KB

MD5
c6f4ffde851054ec2871e72833cd9d59

SHA1
e688103c4fa3ca815732f0f70f37d11f69232e04

SHA256
25502cd9907336216d2733d966787f67c47a6ea07a7895a4fa9f26e9206dd0e7

SHA512
47264796515d6ef559b9f33f68011230ba242f5edfc47ea28cc1f788930a6e42f42c7c2963bf727ab67e86e859ae877a139af91dd0e7e95581a69888ad192fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF94.exe

Filesize
699KB

MD5
c6f4ffde851054ec2871e72833cd9d59

SHA1
e688103c4fa3ca815732f0f70f37d11f69232e04

SHA256
25502cd9907336216d2733d966787f67c47a6ea07a7895a4fa9f26e9206dd0e7

SHA512
47264796515d6ef559b9f33f68011230ba242f5edfc47ea28cc1f788930a6e42f42c7c2963bf727ab67e86e859ae877a139af91dd0e7e95581a69888ad192fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFEE.exe

Filesize
466KB

MD5
2955a7fdcda8c0768d106b135a352173

SHA1
1de1f74183421d4f811af2dc469840c8d266eec9

SHA256
3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

SHA512
c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFEE.exe

Filesize
466KB

MD5
2955a7fdcda8c0768d106b135a352173

SHA1
1de1f74183421d4f811af2dc469840c8d266eec9

SHA256
3238f627cf753b195a814ad7a01bd16fa13616802e39f48a981c5c8703a2ff6f

SHA512
c87bf10bc4eaaa912a74da441c3a3894535e54764e60a76c505c628e70e35822fcbe147aaabd117ddacbc88294ad16243c7f721400ac64178681633db8898bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1EF.exe

Filesize
315KB

MD5
eca8745d0a485815926c5c0b73346887

SHA1
8395d421d78434277b1c5e84245d8c15e27ec616

SHA256
1c9f3cedcf3295930ccbf061916b974ce2f37a4cc9a697e88d758273566d924e

SHA512
fd88e9e93ecf804af7537526f04c32c66f57425b84c0d32178db5e43b9086510aede1a5916a23e079e9bec7e94885777cad6a222d02411e7a38aa2654a0994b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1EF.exe

Filesize
315KB

MD5
eca8745d0a485815926c5c0b73346887

SHA1
8395d421d78434277b1c5e84245d8c15e27ec616

SHA256
1c9f3cedcf3295930ccbf061916b974ce2f37a4cc9a697e88d758273566d924e

SHA512
fd88e9e93ecf804af7537526f04c32c66f57425b84c0d32178db5e43b9086510aede1a5916a23e079e9bec7e94885777cad6a222d02411e7a38aa2654a0994b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7CC.exe

Filesize
237KB

MD5
d721aa5fb80cb8439585838732ddda66

SHA1
e0ff77d67729bc979068408358cb29dbbf40cf22

SHA256
3fe71ff72cc08157f0cbb93be5051ae98b8ae88546f7bd1e1bee06bfa542dba2

SHA512
5d685d11467fda77e2cfb1223dd22f10c3a3e9262516e8be8ee57d3df9b32bb472174603071c3af7d1d4bf7794776a801d1ea5266392cf5dc5df88c35e851e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7CC.exe

Filesize
237KB

MD5
d721aa5fb80cb8439585838732ddda66

SHA1
e0ff77d67729bc979068408358cb29dbbf40cf22

SHA256
3fe71ff72cc08157f0cbb93be5051ae98b8ae88546f7bd1e1bee06bfa542dba2

SHA512
5d685d11467fda77e2cfb1223dd22f10c3a3e9262516e8be8ee57d3df9b32bb472174603071c3af7d1d4bf7794776a801d1ea5266392cf5dc5df88c35e851e96

Download Submit
C:\Windows\Temp\1.exe

Filesize
369KB

MD5
4a32a16c5a3c79ade487c098ee71a2be

SHA1
414b203eeb20ac7e74316fd2877ca4ebf52193df

SHA256
61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

SHA512
6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

Download Submit
C:\Windows\Temp\1.exe

Filesize
369KB

MD5
4a32a16c5a3c79ade487c098ee71a2be

SHA1
414b203eeb20ac7e74316fd2877ca4ebf52193df

SHA256
61059bd8f3bdb2b07ca01c87efe6284b8b3b77ca63e9a063e0e9010774a482a4

SHA512
6470c0269052bbccea48bfb5da80cdcf96fec71e0e45ae79a42acacd7c4d92139ccc6f122ab97e5b104fc93bee84891850a80aa9c835c0b31418f151517b1ee5

Download Submit
memory/704-161-0x0000000000000000-mapping.dmp

Download
memory/704-166-0x00000000009F0000-0x00000000009F9000-memory.dmp

Filesize
36KB

Download
memory/704-167-0x00000000009E0000-0x00000000009EF000-memory.dmp

Filesize
60KB

Download
memory/808-169-0x0000000000000000-mapping.dmp

Download
memory/996-200-0x0000000000000000-mapping.dmp

Download
memory/996-207-0x00000000010C0000-0x00000000010C6000-memory.dmp

Filesize
24KB

Download
memory/996-208-0x00000000010B0000-0x00000000010BB000-memory.dmp

Filesize
44KB

Download
memory/1048-133-0x00000000022B0000-0x00000000022B9000-memory.dmp

Filesize
36KB

Download
memory/1048-132-0x00000000005ED000-0x00000000005FD000-memory.dmp

Filesize
64KB

Download
memory/1048-134-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1048-135-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1080-155-0x0000000000000000-mapping.dmp

Download
memory/1080-201-0x0000000006DB0000-0x0000000006F72000-memory.dmp

Filesize
1.8MB

Download
memory/1080-203-0x0000000006F90000-0x00000000074BC000-memory.dmp

Filesize
5.2MB

Download
memory/1080-176-0x000000000077D000-0x00000000007A7000-memory.dmp

Filesize
168KB

Download
memory/1080-189-0x0000000006BD0000-0x0000000006C20000-memory.dmp

Filesize
320KB

Download
memory/1080-168-0x00000000006F0000-0x0000000000728000-memory.dmp

Filesize
224KB

Download
memory/1080-171-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1080-185-0x00000000067D0000-0x0000000006836000-memory.dmp

Filesize
408KB

Download
memory/1096-206-0x0000000000650000-0x0000000000688000-memory.dmp

Filesize
224KB

Download
memory/1096-158-0x0000000004D20000-0x00000000052C4000-memory.dmp

Filesize
5.6MB

Download
memory/1096-163-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/1096-170-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/1096-162-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1096-186-0x00000000067D0000-0x0000000006862000-memory.dmp

Filesize
584KB

Download
memory/1096-190-0x0000000006D10000-0x0000000006D86000-memory.dmp

Filesize
472KB

Download
memory/1096-160-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/1096-149-0x0000000000650000-0x0000000000688000-memory.dmp

Filesize
224KB

Download
memory/1096-194-0x0000000006DD0000-0x0000000006DEE000-memory.dmp

Filesize
120KB

Download
memory/1096-205-0x00000000006CD000-0x00000000006F7000-memory.dmp

Filesize
168KB

Download
memory/1096-148-0x00000000006CD000-0x00000000006F7000-memory.dmp

Filesize
168KB

Download
memory/1096-150-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1096-144-0x0000000000000000-mapping.dmp

Download
memory/1404-214-0x0000000000DC0000-0x0000000000DCD000-memory.dmp

Filesize
52KB

Download
memory/1404-213-0x0000000000DD0000-0x0000000000DD7000-memory.dmp

Filesize
28KB

Download
memory/1404-209-0x0000000000000000-mapping.dmp

Download
memory/1468-204-0x0000000000000000-mapping.dmp

Download
memory/1660-151-0x0000000000000000-mapping.dmp

Download
memory/1684-215-0x0000000000000000-mapping.dmp

Download
memory/1684-217-0x0000000000B40000-0x0000000000B4B000-memory.dmp

Filesize
44KB

Download
memory/1684-216-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2608-195-0x0000000000000000-mapping.dmp

Download
memory/2608-199-0x00000000008E0000-0x00000000008E9000-memory.dmp

Filesize
36KB

Download
memory/2608-198-0x00000000008F0000-0x00000000008F5000-memory.dmp

Filesize
20KB

Download
memory/2620-184-0x0000000000900000-0x000000000090C000-memory.dmp

Filesize
48KB

Download
memory/2620-179-0x0000000000000000-mapping.dmp

Download
memory/2620-182-0x0000000000910000-0x0000000000916000-memory.dmp

Filesize
24KB

Download
memory/2756-139-0x0000000000000000-mapping.dmp

Download
memory/2860-178-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/2860-177-0x0000000000570000-0x0000000000575000-memory.dmp

Filesize
20KB

Download
memory/2860-173-0x0000000000000000-mapping.dmp

Download
memory/3708-196-0x0000000000000000-mapping.dmp

Download
memory/3876-142-0x0000000000000000-mapping.dmp

Download
memory/3904-141-0x0000000000B80000-0x0000000000C30000-memory.dmp

Filesize
704KB

Download
memory/3904-175-0x0000000005760000-0x0000000005782000-memory.dmp

Filesize
136KB

Download
memory/3904-136-0x0000000000000000-mapping.dmp

Download
memory/3912-197-0x0000000000000000-mapping.dmp

Download
memory/3952-193-0x0000000001080000-0x00000000010A7000-memory.dmp

Filesize
156KB

Download
memory/3952-191-0x00000000010B0000-0x00000000010D2000-memory.dmp

Filesize
136KB

Download
memory/3952-187-0x0000000000000000-mapping.dmp

Download
memory/4180-164-0x0000000000F50000-0x0000000000F57000-memory.dmp

Filesize
28KB

Download
memory/4180-165-0x0000000000F40000-0x0000000000F4B000-memory.dmp

Filesize
44KB

Download
memory/4180-159-0x0000000000000000-mapping.dmp

Download
memory/4308-202-0x0000000000000000-mapping.dmp

Download
memory/4352-212-0x0000000000000000-mapping.dmp

Download
memory/4484-188-0x00000000063A0000-0x0000000006406000-memory.dmp

Filesize
408KB

Download
memory/4484-211-0x0000000006E00000-0x0000000006E1A000-memory.dmp

Filesize
104KB

Download
memory/4484-210-0x0000000008320000-0x000000000899A000-memory.dmp

Filesize
6.5MB

Download
memory/4484-180-0x0000000000000000-mapping.dmp

Download
memory/4484-181-0x0000000003350000-0x0000000003386000-memory.dmp

Filesize
216KB

Download
memory/4484-183-0x0000000005C70000-0x0000000006298000-memory.dmp

Filesize
6.2MB

Download
memory/4484-192-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download