smokeloader | 894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe
Size

303KB
MD5

9a86d53354c9fdcfd27b23930581db19
SHA1

20bc69c4dc6c6758fe6c32fdc2c9faa74a8ee7c7
SHA256

894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080
SHA512

032c987e219dcbb337733ffa16068b01fba6ba8ddc46886dc9c7f84c13128de06695589e9a1b018aed1240c3d3da45c03620a8486fec6364395d34d8af40aeb3
SSDEEP

6144:dFV2VqWlb2HYjE+Q5AZu7mA22tThsIeGjY6:kkWlbNjqAZxA22ZVE

Score

10^/10

smokeloader systembc backdoor trojan

Malware Config

Extracted

Family

systembc

89.248.163.218:443

Signatures

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1264-133-0x00000000004A0000-0x00000000004A9000-memory.dmp	family_smokeloader
behavioral1/memory/1264-136-0x00000000004A0000-0x00000000004A9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

46 4244 rundll32.exe
49 4244 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

6784.exe2288.exexlikuwa.exe

pid process

3524 6784.exe
4596 2288.exe
1612 xlikuwa.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

6784.exe

description pid process target process

PID 3524 set thread context of 968 3524 6784.exe rundll32.exe
Drops file in Windows directory 2 IoCs

Processes:

2288.exe

description ioc process

File created C:\Windows\Tasks\xlikuwa.job 2288.exe
File opened for modification C:\Windows\Tasks\xlikuwa.job 2288.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1140 3524 WerFault.exe 6784.exe

flow	pid	process
46	4244	rundll32.exe
49	4244	rundll32.exe

pid	process
3524	6784.exe
4596	2288.exe
1612	xlikuwa.exe

description	pid	process	target process
PID 3524 set thread context of 968	3524	6784.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\xlikuwa.job	2288.exe
File opened for modification	C:\Windows\Tasks\xlikuwa.job	2288.exe

pid	pid_target	process	target process
1140	3524	WerFault.exe	6784.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe

Checks processor information in registry 2 TTPs 45 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe6784.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	6784.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6784.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	6784.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	6784.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	6784.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6784.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	6784.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 19 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3048

pid	process
3048

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe

pid	process
1264	894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe
1264	894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe

pid process

1264 894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe

pid	process
3048

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

968 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3048
3048

pid	process
968	rundll32.exe

pid	process
3048
3048

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

6784.exerundll32.exe

description	pid	process	target process
PID 3048 wrote to memory of 3524	3048		6784.exe
PID 3048 wrote to memory of 3524	3048		6784.exe
PID 3048 wrote to memory of 3524	3048		6784.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 4244	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 968	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 968	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 968	3524	6784.exe	rundll32.exe
PID 3524 wrote to memory of 968	3524	6784.exe	rundll32.exe
PID 968 wrote to memory of 2368	968	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 2368	968	rundll32.exe	rundll32.exe
PID 3048 wrote to memory of 4596	3048		2288.exe
PID 3048 wrote to memory of 4596	3048		2288.exe
PID 3048 wrote to memory of 4596	3048		2288.exe

C:\Users\Admin\AppData\Local\Temp\894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe
"C:\Users\Admin\AppData\Local\Temp\894a882987a059912caf2f050e78c3cf2a470b7f3c2a4a8a0af9e9c4b66fd080.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1264

C:\Users\Admin\AppData\Local\Temp\6784.exe
C:\Users\Admin\AppData\Local\Temp\6784.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:4244

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 25376
3⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 636
2⤵
- Program crash
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3524 -ip 3524
1⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\2288.exe
C:\Users\Admin\AppData\Local\Temp\2288.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4596

C:\ProgramData\udbr\xlikuwa.exe
C:\ProgramData\udbr\xlikuwa.exe start
1⤵
- Executes dropped EXE
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\udbr\xlikuwa.exe

Filesize
303KB

MD5
a91d1ad4f99dc142a63342a79a04a61c

SHA1
9328310f5567fc7247516d21f339fb99b67706be

SHA256
2c3fade9317146109c3dad7e9e06168a2af28d04185c248a3322cd8b8ae8901f

SHA512
f869c9568afb90bec12732ce55552e66fe1dc2f9a52212a8011e2509805bfc59574ecbe4f52144ed8bde0b240849816cdb261ccefcb9d00f1ba65f0daa9cc39a

Download Submit
C:\ProgramData\udbr\xlikuwa.exe

Filesize
303KB

MD5
a91d1ad4f99dc142a63342a79a04a61c

SHA1
9328310f5567fc7247516d21f339fb99b67706be

SHA256
2c3fade9317146109c3dad7e9e06168a2af28d04185c248a3322cd8b8ae8901f

SHA512
f869c9568afb90bec12732ce55552e66fe1dc2f9a52212a8011e2509805bfc59574ecbe4f52144ed8bde0b240849816cdb261ccefcb9d00f1ba65f0daa9cc39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2288.exe

Filesize
303KB

MD5
a91d1ad4f99dc142a63342a79a04a61c

SHA1
9328310f5567fc7247516d21f339fb99b67706be

SHA256
2c3fade9317146109c3dad7e9e06168a2af28d04185c248a3322cd8b8ae8901f

SHA512
f869c9568afb90bec12732ce55552e66fe1dc2f9a52212a8011e2509805bfc59574ecbe4f52144ed8bde0b240849816cdb261ccefcb9d00f1ba65f0daa9cc39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2288.exe

Filesize
303KB

MD5
a91d1ad4f99dc142a63342a79a04a61c

SHA1
9328310f5567fc7247516d21f339fb99b67706be

SHA256
2c3fade9317146109c3dad7e9e06168a2af28d04185c248a3322cd8b8ae8901f

SHA512
f869c9568afb90bec12732ce55552e66fe1dc2f9a52212a8011e2509805bfc59574ecbe4f52144ed8bde0b240849816cdb261ccefcb9d00f1ba65f0daa9cc39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6784.exe

Filesize
833KB

MD5
67193a27bcd9e473b9940a85433e895f

SHA1
ca5645f73c55a324df4549d0342f09b339a1de76

SHA256
a29c18a7bf226bfdc65e76283ddc6cf7af2e14f9e797093268c647270f050534

SHA512
9588db870a78c97df85a9e817291d7c17e4fb7d9f3a2a385f0b2c81e1a61073d777cb8db4e4c95cdac6b904f8291a886f7729f0b5d656cb5cea6ecd224261856

Download Submit
C:\Users\Admin\AppData\Local\Temp\6784.exe

Filesize
833KB

MD5
67193a27bcd9e473b9940a85433e895f

SHA1
ca5645f73c55a324df4549d0342f09b339a1de76

SHA256
a29c18a7bf226bfdc65e76283ddc6cf7af2e14f9e797093268c647270f050534

SHA512
9588db870a78c97df85a9e817291d7c17e4fb7d9f3a2a385f0b2c81e1a61073d777cb8db4e4c95cdac6b904f8291a886f7729f0b5d656cb5cea6ecd224261856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iriaiusduwe..tmp

Filesize
3.5MB

MD5
db3baeb998d079c88c022bb95ca02558

SHA1
1c6f44ea8cb895ef1e7b00152456c3438036ec0c

SHA256
7b5982b10f78e11bff55c748717eb889923589e7bb8900d4c4930390ac047bdf

SHA512
be10ffd29debfd05ff4cec6b775d72ecd052e0cd86eff77c46321ca12877db0d8a922080777ac15c1152e157594eeb941a81dce8e2e4f9e686ba9b003cc90ee0

Download Submit
memory/968-166-0x0000000003630000-0x0000000003770000-memory.dmp

Filesize
1.2MB

Download
memory/968-167-0x0000000003630000-0x0000000003770000-memory.dmp

Filesize
1.2MB

Download
memory/968-160-0x0000000000000000-mapping.dmp

Download
memory/968-161-0x0000000000C80000-0x00000000016B5000-memory.dmp

Filesize
10.2MB

Download
memory/968-163-0x0000000002AD0000-0x0000000003625000-memory.dmp

Filesize
11.3MB

Download
memory/968-165-0x0000000003630000-0x0000000003770000-memory.dmp

Filesize
1.2MB

Download
memory/968-164-0x0000000003630000-0x0000000003770000-memory.dmp

Filesize
1.2MB

Download
memory/968-169-0x0000000002AD0000-0x0000000003625000-memory.dmp

Filesize
11.3MB

Download
memory/968-168-0x0000000003630000-0x0000000003770000-memory.dmp

Filesize
1.2MB

Download
memory/1264-135-0x00000000004CC000-0x00000000004E2000-memory.dmp

Filesize
88KB

Download
memory/1264-133-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/1264-132-0x00000000004CC000-0x00000000004E2000-memory.dmp

Filesize
88KB

Download
memory/1264-134-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1264-136-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/1264-137-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1612-182-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1612-181-0x0000000000617000-0x000000000062C000-memory.dmp

Filesize
84KB

Download
memory/3524-157-0x0000000006780000-0x00000000068C0000-memory.dmp

Filesize
1.2MB

Download
memory/3524-170-0x0000000005A60000-0x00000000065B5000-memory.dmp

Filesize
11.3MB

Download
memory/3524-158-0x0000000006780000-0x00000000068C0000-memory.dmp

Filesize
1.2MB

Download
memory/3524-159-0x0000000006780000-0x00000000068C0000-memory.dmp

Filesize
1.2MB

Download
memory/3524-155-0x0000000006780000-0x00000000068C0000-memory.dmp

Filesize
1.2MB

Download
memory/3524-154-0x0000000006780000-0x00000000068C0000-memory.dmp

Filesize
1.2MB

Download
memory/3524-152-0x0000000006780000-0x00000000068C0000-memory.dmp

Filesize
1.2MB

Download
memory/3524-153-0x0000000006780000-0x00000000068C0000-memory.dmp

Filesize
1.2MB

Download
memory/3524-151-0x0000000005A60000-0x00000000065B5000-memory.dmp

Filesize
11.3MB

Download
memory/3524-150-0x0000000005A60000-0x00000000065B5000-memory.dmp

Filesize
11.3MB

Download
memory/3524-149-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3524-138-0x0000000000000000-mapping.dmp

Download
memory/3524-141-0x000000000066B000-0x0000000000704000-memory.dmp

Filesize
612KB

Download
memory/3524-156-0x0000000006780000-0x00000000068C0000-memory.dmp

Filesize
1.2MB

Download
memory/3524-171-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3524-142-0x00000000020D0000-0x00000000021BC000-memory.dmp

Filesize
944KB

Download
memory/3524-143-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4244-144-0x0000000000000000-mapping.dmp

Download
memory/4244-145-0x0000000000D80000-0x0000000000D83000-memory.dmp

Filesize
12KB

Download
memory/4244-146-0x0000000000DA0000-0x0000000000DA3000-memory.dmp

Filesize
12KB

Download
memory/4244-147-0x0000000000DA0000-0x0000000000DA3000-memory.dmp

Filesize
12KB

Download
memory/4596-175-0x000000000056C000-0x0000000000581000-memory.dmp

Filesize
84KB

Download
memory/4596-177-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4596-176-0x00000000004E0000-0x00000000004E9000-memory.dmp

Filesize
36KB

Download
memory/4596-178-0x000000000056C000-0x0000000000581000-memory.dmp

Filesize
84KB

Download
memory/4596-172-0x0000000000000000-mapping.dmp

Download