nymaim | 2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858

Analysis

max time kernel
152s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2022 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

521KB
MD5

5fe1f92b221d98a8504139a2792265f8
SHA1

5faf25f3ee80a45b85f4d1fb971ab9cfd1ff174d
SHA256

2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858
SHA512

b40a7cb1cfd119883e3ae5126b50a73641f184daa49eddc620728a1a2c8e4b5c2e6154bad5a0b6faf053c8049144208ffe4e209611df94e995489b9257ff362d
SSDEEP

12288:kQi3ceLI4OjuBxPnk6tnq6m6URA3Phmyawo+sdsikeEDmBlyZC3:kQiF7nphh/8+sdkvmOQ3

Score

10^/10

nymaim smokeloader backdoor evasion persistence trojan vmprotect

Malware Config

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Signatures

Detects Smokeloader packer 4 IoCs

resource	yara_rule
behavioral2/memory/6896-191-0x0000000002D40000-0x0000000002D49000-memory.dmp	family_smokeloader
behavioral2/memory/1112-193-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/1112-199-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/1112-207-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	2140	rundll32.exe	86

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	PowerOff.exe

Executes dropped EXE 11 IoCs

pid	Process
4760	file.tmp
3304	PowerOff.exe
1540	Xorobekajo.exe
3352	Mirupymaena.exe
6200	GcleanerEU.exe
6488	gcleaner.exe
6508	random.exe
6548	pb1117.exe
6896	toolspab3.exe
6952	random.exe
1112	toolspab3.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000022e69-174.dat	vmprotect
behavioral2/files/0x0007000000022e69-175.dat	vmprotect
behavioral2/memory/6548-177-0x0000000140000000-0x0000000140617000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	PowerOff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Mirupymaena.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	GcleanerEU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	gcleaner.exe

Loads dropped DLL 2 IoCs

pid	Process
4760	file.tmp
1280	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft\\Mirupymaena.exe\""	PowerOff.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 6896 set thread context of 1112	6896	toolspab3.exe	122

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\IXVVJJOZPJ\poweroff.exe	PowerOff.exe
File created	C:\Program Files (x86)\Microsoft\Mirupymaena.exe	PowerOff.exe
File created	C:\Program Files (x86)\Microsoft\Mirupymaena.exe.config	PowerOff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 20 IoCs

pid	pid_target	Process	procid_target
6700	6200	WerFault.exe	98
6856	6488	WerFault.exe	105
7132	6488	WerFault.exe	105
928	6200	WerFault.exe	98
4344	6488	WerFault.exe	105
1944	6200	WerFault.exe	98
396	6488	WerFault.exe	105
4728	1280	WerFault.exe	129
4684	6200	WerFault.exe	98
4356	6488	WerFault.exe	105
4524	6200	WerFault.exe	98
836	6488	WerFault.exe	105
4144	6200	WerFault.exe	98
4888	6488	WerFault.exe	105
2496	6200	WerFault.exe	98
4312	6488	WerFault.exe	105
4848	6200	WerFault.exe	98
2260	6488	WerFault.exe	105
2016	6200	WerFault.exe	98
3460	6488	WerFault.exe	105

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab3.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2224	taskkill.exe
4236	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	96	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe
3352	Mirupymaena.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1112	toolspab3.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	PowerOff.exe
Token: SeDebugPrivilege	1540	Xorobekajo.exe
Token: SeDebugPrivilege	3352	Mirupymaena.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	4236	taskkill.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4760	4796	file.exe	82
PID 4796 wrote to memory of 4760	4796	file.exe	82
PID 4796 wrote to memory of 4760	4796	file.exe	82
PID 4760 wrote to memory of 3304	4760	file.tmp	89
PID 4760 wrote to memory of 3304	4760	file.tmp	89
PID 3304 wrote to memory of 1540	3304	PowerOff.exe	92
PID 3304 wrote to memory of 1540	3304	PowerOff.exe	92
PID 3304 wrote to memory of 3352	3304	PowerOff.exe	93
PID 3304 wrote to memory of 3352	3304	PowerOff.exe	93
PID 3352 wrote to memory of 4032	3352	Mirupymaena.exe	96
PID 3352 wrote to memory of 4032	3352	Mirupymaena.exe	96
PID 4032 wrote to memory of 6200	4032	cmd.exe	98
PID 4032 wrote to memory of 6200	4032	cmd.exe	98
PID 4032 wrote to memory of 6200	4032	cmd.exe	98
PID 3352 wrote to memory of 8108	3352	Mirupymaena.exe	99
PID 3352 wrote to memory of 8108	3352	Mirupymaena.exe	99
PID 3352 wrote to memory of 8168	3352	Mirupymaena.exe	101
PID 3352 wrote to memory of 8168	3352	Mirupymaena.exe	101
PID 3352 wrote to memory of 6436	3352	Mirupymaena.exe	103
PID 3352 wrote to memory of 6436	3352	Mirupymaena.exe	103
PID 8108 wrote to memory of 6488	8108	cmd.exe	105
PID 8108 wrote to memory of 6488	8108	cmd.exe	105
PID 8108 wrote to memory of 6488	8108	cmd.exe	105
PID 8168 wrote to memory of 6508	8168	cmd.exe	106
PID 8168 wrote to memory of 6508	8168	cmd.exe	106
PID 8168 wrote to memory of 6508	8168	cmd.exe	106
PID 6436 wrote to memory of 6548	6436	cmd.exe	108
PID 6436 wrote to memory of 6548	6436	cmd.exe	108
PID 3352 wrote to memory of 6760	3352	Mirupymaena.exe	111
PID 3352 wrote to memory of 6760	3352	Mirupymaena.exe	111
PID 6760 wrote to memory of 6896	6760	cmd.exe	115
PID 6760 wrote to memory of 6896	6760	cmd.exe	115
PID 6760 wrote to memory of 6896	6760	cmd.exe	115
PID 6508 wrote to memory of 6952	6508	random.exe	116
PID 6508 wrote to memory of 6952	6508	random.exe	116
PID 6508 wrote to memory of 6952	6508	random.exe	116
PID 6896 wrote to memory of 1112	6896	toolspab3.exe	122
PID 6896 wrote to memory of 1112	6896	toolspab3.exe	122
PID 6896 wrote to memory of 1112	6896	toolspab3.exe	122
PID 6896 wrote to memory of 1112	6896	toolspab3.exe	122
PID 6896 wrote to memory of 1112	6896	toolspab3.exe	122
PID 6896 wrote to memory of 1112	6896	toolspab3.exe	122
PID 4464 wrote to memory of 1280	4464	rundll32.exe	129
PID 4464 wrote to memory of 1280	4464	rundll32.exe	129
PID 4464 wrote to memory of 1280	4464	rundll32.exe	129
PID 6200 wrote to memory of 100	6200	GcleanerEU.exe	153
PID 6200 wrote to memory of 100	6200	GcleanerEU.exe	153
PID 6200 wrote to memory of 100	6200	GcleanerEU.exe	153
PID 100 wrote to memory of 2224	100	cmd.exe	157
PID 100 wrote to memory of 2224	100	cmd.exe	157
PID 100 wrote to memory of 2224	100	cmd.exe	157
PID 6488 wrote to memory of 4012	6488	gcleaner.exe	158
PID 6488 wrote to memory of 4012	6488	gcleaner.exe	158
PID 6488 wrote to memory of 4012	6488	gcleaner.exe	158
PID 4012 wrote to memory of 4236	4012	cmd.exe	162
PID 4012 wrote to memory of 4236	4012	cmd.exe	162
PID 4012 wrote to memory of 4236	4012	cmd.exe	162

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\is-G1ADG.tmp\file.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-G1ADG.tmp\file.tmp" /SL5="$A01B8,254182,170496,C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\is-F1TLI.tmp\PowerOff.exe
    "C:\Users\Admin\AppData\Local\Temp\is-F1TLI.tmp\PowerOff.exe" /S /UID=95
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Users\Admin\AppData\Local\Temp\c0-00fa9-512-d11ac-d9e8323094a1b\Xorobekajo.exe
      "C:\Users\Admin\AppData\Local\Temp\c0-00fa9-512-d11ac-d9e8323094a1b\Xorobekajo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\70-71b5a-1bb-3ee80-c9bc5668fb53f\Mirupymaena.exe
      "C:\Users\Admin\AppData\Local\Temp\70-71b5a-1bb-3ee80-c9bc5668fb53f\Mirupymaena.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3352
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jrpqoo5v.lqr\GcleanerEU.exe /eufive & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Users\Admin\AppData\Local\Temp\jrpqoo5v.lqr\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\jrpqoo5v.lqr\GcleanerEU.exe /eufive
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:6200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 460
        7⤵
        Program crash
        
        PID:6700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 764
        7⤵
        Program crash
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 772
        7⤵
        Program crash
        
        PID:1944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 784
        7⤵
        Program crash
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 792
        7⤵
        Program crash
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 936
        7⤵
        Program crash
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1032
        7⤵
        Program crash
        
        PID:2496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1360
        7⤵
        Program crash
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\jrpqoo5v.lqr\GcleanerEU.exe" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1384
        7⤵
        Program crash
        
        PID:2016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ovqwdkv.ink\gcleaner.exe /mixfive & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:8108
      - C:\Users\Admin\AppData\Local\Temp\4ovqwdkv.ink\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\4ovqwdkv.ink\gcleaner.exe /mixfive
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:6488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 452
        7⤵
        Program crash
        
        PID:6856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 772
        7⤵
        Program crash
        
        PID:7132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 764
        7⤵
        Program crash
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 852
        7⤵
        Program crash
        
        PID:396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 860
        7⤵
        Program crash
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 884
        7⤵
        Program crash
        
        PID:836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 780
        7⤵
        Program crash
        
        PID:4888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 1124
        7⤵
        Program crash
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 1380
        7⤵
        Program crash
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\4ovqwdkv.ink\gcleaner.exe" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 560
        7⤵
        Program crash
        
        PID:3460
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1eehik3g.neo\random.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:8168
      - C:\Users\Admin\AppData\Local\Temp\1eehik3g.neo\random.exe
        
        C:\Users\Admin\AppData\Local\Temp\1eehik3g.neo\random.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\1eehik3g.neo\random.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1eehik3g.neo\random.exe" -q
        7⤵
        Executes dropped EXE
        
        PID:6952
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mhyp5esv.e0c\pb1117.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6436
      - C:\Users\Admin\AppData\Local\Temp\mhyp5esv.e0c\pb1117.exe
        
        C:\Users\Admin\AppData\Local\Temp\mhyp5esv.e0c\pb1117.exe
        6⤵
        Executes dropped EXE
        
        PID:6548
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x1upglkq.ynu\toolspab3.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6760
      - C:\Users\Admin\AppData\Local\Temp\x1upglkq.ynu\toolspab3.exe
        
        C:\Users\Admin\AppData\Local\Temp\x1upglkq.ynu\toolspab3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\Temp\x1upglkq.ynu\toolspab3.exe
        
        C:\Users\Admin\AppData\Local\Temp\x1upglkq.ynu\toolspab3.exe
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6200 -ip 6200
1⤵
PID:6624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6488 -ip 6488
1⤵
PID:6832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6488 -ip 6488
1⤵
PID:7116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 6200 -ip 6200
1⤵
PID:7164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6488 -ip 6488
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6200 -ip 6200
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6488 -ip 6488
1⤵
PID:384

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:1280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 612
    3⤵
    - Program crash
    PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1280 -ip 1280
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6200 -ip 6200
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6488 -ip 6488
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6200 -ip 6200
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6488 -ip 6488
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6200 -ip 6200
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6488 -ip 6488
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6200 -ip 6200
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6488 -ip 6488
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6200 -ip 6200
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6488 -ip 6488
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6200 -ip 6200
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6488 -ip 6488
1⤵
PID:4436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1eehik3g.neo\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eehik3g.neo\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eehik3g.neo\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ovqwdkv.ink\gcleaner.exe

Filesize
293KB

MD5
5f13924f972897bebc2a1e1e008aed68

SHA1
4928520719c8b4e218c145107dea0055ba7d0202

SHA256
07c8d83a5302f1c11086aa329e36914c08a711d2b8dffa631a83e93394c16e06

SHA512
0d38387d0631e3ed868c3cbe92d0d8acbf29b584561c94faef272a1a523abfbd94c027b4580f9587f41339850015fe0fdec66d898bd04e8d0bdb67fe76bfc179

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ovqwdkv.ink\gcleaner.exe

Filesize
293KB

MD5
5f13924f972897bebc2a1e1e008aed68

SHA1
4928520719c8b4e218c145107dea0055ba7d0202

SHA256
07c8d83a5302f1c11086aa329e36914c08a711d2b8dffa631a83e93394c16e06

SHA512
0d38387d0631e3ed868c3cbe92d0d8acbf29b584561c94faef272a1a523abfbd94c027b4580f9587f41339850015fe0fdec66d898bd04e8d0bdb67fe76bfc179

Download Submit
C:\Users\Admin\AppData\Local\Temp\70-71b5a-1bb-3ee80-c9bc5668fb53f\Kenessey.txt

Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\70-71b5a-1bb-3ee80-c9bc5668fb53f\Mirupymaena.exe

Filesize
420KB

MD5
cb90d473ea62e95a2767bbe3d91c4c64

SHA1
61af0628fe380db4c09a8b34ff97a030b313800a

SHA256
512627bd32c8c842ea80f63d03fe491a1e8b9494b0083fb62c0d3ced93951223

SHA512
e56a94fa9adb28bbfe6862419d177154a98bba4f7105df9c49eb20f19cf51e8844771d925cdbb55df75740e18b5bd204e7ba0f89d4208ca0233fffbc5372bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\70-71b5a-1bb-3ee80-c9bc5668fb53f\Mirupymaena.exe

Filesize
420KB

MD5
cb90d473ea62e95a2767bbe3d91c4c64

SHA1
61af0628fe380db4c09a8b34ff97a030b313800a

SHA256
512627bd32c8c842ea80f63d03fe491a1e8b9494b0083fb62c0d3ced93951223

SHA512
e56a94fa9adb28bbfe6862419d177154a98bba4f7105df9c49eb20f19cf51e8844771d925cdbb55df75740e18b5bd204e7ba0f89d4208ca0233fffbc5372bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\70-71b5a-1bb-3ee80-c9bc5668fb53f\Mirupymaena.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0-00fa9-512-d11ac-d9e8323094a1b\Xorobekajo.exe

Filesize
315KB

MD5
a1539d5a565503b26710d24a173eb641

SHA1
4982821c94b1c32d56d2395c4ef53a8fee852e25

SHA256
7332f18f1e9b01188e8a64feeb3cfec5013256048efa38d3c7b8173e9f466748

SHA512
d0bc439dcc68943fb3a7a3521e298035f66dd55ca34da86280a6f20d35007d2766ef1c892af5c0763e07dbd4032b4106d7928a9e3d9528cfd9aadab60e744878

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0-00fa9-512-d11ac-d9e8323094a1b\Xorobekajo.exe

Filesize
315KB

MD5
a1539d5a565503b26710d24a173eb641

SHA1
4982821c94b1c32d56d2395c4ef53a8fee852e25

SHA256
7332f18f1e9b01188e8a64feeb3cfec5013256048efa38d3c7b8173e9f466748

SHA512
d0bc439dcc68943fb3a7a3521e298035f66dd55ca34da86280a6f20d35007d2766ef1c892af5c0763e07dbd4032b4106d7928a9e3d9528cfd9aadab60e744878

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0-00fa9-512-d11ac-d9e8323094a1b\Xorobekajo.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
76c3dbb1e9fea62090cdf53dadcbe28e

SHA1
d44b32d04adc810c6df258be85dc6b62bd48a307

SHA256
556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

SHA512
de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F1TLI.tmp\PowerOff.exe

Filesize
375KB

MD5
52fc737d89c67101f7b8dc6361d5212f

SHA1
ad328b80bb00bb23ec33baabc27aaa18060acbb0

SHA256
f25346bf7c2b71015b0f735824b733a4c043f1b3086d2a232412d069a65b777a

SHA512
a4e3441bb7901f3b555e6d28faeebe089331b240331d67878cd429b4a40451e53ab2232ee9d0b7acb7cfa4a013da0df6328f84caa6e9e34ab96669a161530c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F1TLI.tmp\PowerOff.exe

Filesize
375KB

MD5
52fc737d89c67101f7b8dc6361d5212f

SHA1
ad328b80bb00bb23ec33baabc27aaa18060acbb0

SHA256
f25346bf7c2b71015b0f735824b733a4c043f1b3086d2a232412d069a65b777a

SHA512
a4e3441bb7901f3b555e6d28faeebe089331b240331d67878cd429b4a40451e53ab2232ee9d0b7acb7cfa4a013da0df6328f84caa6e9e34ab96669a161530c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F1TLI.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G1ADG.tmp\file.tmp

Filesize
805KB

MD5
bf8662a2311eb606e0549451323fa2ba

SHA1
79fbb3b94c91becb56d531806daab15cba55f31c

SHA256
4748736cfa0ff8f469c483cd864166c943d30ff9c3ba0f8cdf0b6b9378a89456

SHA512
e191a8a50e97800d3fb3cb449d01f1d06dda36d85845355f68d3038e30c3a2a7aa8d87e29f0f638ae85d2badd68eccc26a279f17fb91a38de2fa14a015ed3cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrpqoo5v.lqr\GcleanerEU.exe

Filesize
293KB

MD5
5f13924f972897bebc2a1e1e008aed68

SHA1
4928520719c8b4e218c145107dea0055ba7d0202

SHA256
07c8d83a5302f1c11086aa329e36914c08a711d2b8dffa631a83e93394c16e06

SHA512
0d38387d0631e3ed868c3cbe92d0d8acbf29b584561c94faef272a1a523abfbd94c027b4580f9587f41339850015fe0fdec66d898bd04e8d0bdb67fe76bfc179

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrpqoo5v.lqr\GcleanerEU.exe

Filesize
293KB

MD5
5f13924f972897bebc2a1e1e008aed68

SHA1
4928520719c8b4e218c145107dea0055ba7d0202

SHA256
07c8d83a5302f1c11086aa329e36914c08a711d2b8dffa631a83e93394c16e06

SHA512
0d38387d0631e3ed868c3cbe92d0d8acbf29b584561c94faef272a1a523abfbd94c027b4580f9587f41339850015fe0fdec66d898bd04e8d0bdb67fe76bfc179

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhyp5esv.e0c\pb1117.exe

Filesize
3.5MB

MD5
dc2712485f755f16c7b433cc159b6643

SHA1
f412179298a43ae14eff6e42188e852930a3effd

SHA256
ad87cd82ba357bb206397eed1726c69bd344803c72782fc277e64f7fd95ab04f

SHA512
4d7893b4689b27930b1a6006c4014988879d1c59cb3389d5a2ec399a69fd2d2ae7c51480672199e5ea626ac0bf38bed41a58d2e619698ea958715e0360282f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhyp5esv.e0c\pb1117.exe

Filesize
3.5MB

MD5
dc2712485f755f16c7b433cc159b6643

SHA1
f412179298a43ae14eff6e42188e852930a3effd

SHA256
ad87cd82ba357bb206397eed1726c69bd344803c72782fc277e64f7fd95ab04f

SHA512
4d7893b4689b27930b1a6006c4014988879d1c59cb3389d5a2ec399a69fd2d2ae7c51480672199e5ea626ac0bf38bed41a58d2e619698ea958715e0360282f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1upglkq.ynu\toolspab3.exe

Filesize
224KB

MD5
94aff6f696a630cdbee6ac586081ec41

SHA1
3c94db854ea9e5ae323989e95761d0ccaf763dc1

SHA256
d2d14961ece146ef21842ecf21664e2eed5f5f3eda19b18882a6e145d836636a

SHA512
5ad51374e4c79d17140558c46dde3b1116e60765d3d8158d7f8a735f6672229532251b3757e1e4e38f9e96e838c94fa8027111a15c061d4cb9a904c7140c1f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1upglkq.ynu\toolspab3.exe

Filesize
224KB

MD5
94aff6f696a630cdbee6ac586081ec41

SHA1
3c94db854ea9e5ae323989e95761d0ccaf763dc1

SHA256
d2d14961ece146ef21842ecf21664e2eed5f5f3eda19b18882a6e145d836636a

SHA512
5ad51374e4c79d17140558c46dde3b1116e60765d3d8158d7f8a735f6672229532251b3757e1e4e38f9e96e838c94fa8027111a15c061d4cb9a904c7140c1f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1upglkq.ynu\toolspab3.exe

Filesize
224KB

MD5
94aff6f696a630cdbee6ac586081ec41

SHA1
3c94db854ea9e5ae323989e95761d0ccaf763dc1

SHA256
d2d14961ece146ef21842ecf21664e2eed5f5f3eda19b18882a6e145d836636a

SHA512
5ad51374e4c79d17140558c46dde3b1116e60765d3d8158d7f8a735f6672229532251b3757e1e4e38f9e96e838c94fa8027111a15c061d4cb9a904c7140c1f36

Download Submit
memory/1112-193-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1112-207-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1112-199-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1540-148-0x00007FFCBA480000-0x00007FFCBAEB6000-memory.dmp

Filesize
10.2MB

Download
memory/3304-154-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/3304-149-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/3304-143-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/3304-142-0x0000000000C60000-0x0000000000CC6000-memory.dmp

Filesize
408KB

Download
memory/3352-155-0x00007FFCBA480000-0x00007FFCBAEB6000-memory.dmp

Filesize
10.2MB

Download
memory/4796-138-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4796-156-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4796-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4796-132-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6200-172-0x0000000004890000-0x00000000048D0000-memory.dmp

Filesize
256KB

Download
memory/6200-176-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/6200-205-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/6200-204-0x0000000002E03000-0x0000000002E2A000-memory.dmp

Filesize
156KB

Download
memory/6200-184-0x0000000002E03000-0x0000000002E2A000-memory.dmp

Filesize
156KB

Download
memory/6200-164-0x0000000002E03000-0x0000000002E2A000-memory.dmp

Filesize
156KB

Download
memory/6488-206-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/6488-183-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/6488-182-0x0000000002DC3000-0x0000000002DEA000-memory.dmp

Filesize
156KB

Download
memory/6548-177-0x0000000140000000-0x0000000140617000-memory.dmp

Filesize
6.1MB

Download
memory/6896-191-0x0000000002D40000-0x0000000002D49000-memory.dmp

Filesize
36KB

Download
memory/6896-190-0x0000000002EC2000-0x0000000002ED7000-memory.dmp

Filesize
84KB

Download