smokeloader | 97f44841a8ff68e12b34c470767d5ab89b64e742a922e033a7e23a40be29ec07

General

Target

14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe
Size

148KB
MD5

3ed4b941f32af8f49c6d909298b7b905
SHA1

1f6a142ea388e789d6624eccf9adf57876bf461d
SHA256

14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3
SHA512

e1c1ff2f9ca9a88967ce777689aebe522832637cfc9e6567d5e55a549c40e47dcdcd7641fd1af6388994a21dcd7aaa04546dd329411cea9753f0a655b224c625
SSDEEP

3072:1oCEa2RDyk0mn5VBOPdycwFkIR6CUk8EyOhYQq1M:7sDyk0qOPSkIEsyO3h

Score

10^/10

smokeloader backdoor collection discovery spyware stealer trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4872-133-0x0000000000C70000-0x0000000000C79000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

68 4360 rundll32.exe
72 4360 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

7EA6.exe

pid process

1580 7EA6.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4360 rundll32.exe
4360 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
68	4360	rundll32.exe
72	4360	rundll32.exe

pid	process
1580	7EA6.exe

pid	process
4360	rundll32.exe
4360	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4360 set thread context of 4336 4360 rundll32.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1832 1580 WerFault.exe 7EA6.exe

description	pid	process	target process
PID 4360 set thread context of 4336	4360	rundll32.exe	rundll32.exe

pid	pid_target	process	target process
1832	1580	WerFault.exe	7EA6.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000007d55f6a9100054656d7000003a0009000400efbe21550a587d55f6a92e00000000000000000000000000000000000000000000000000a56b7e00540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3024

pid	process
3024

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe

pid	process
4872	14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe
4872	14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe

pid process

4872 14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe

pid	process
3024

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	4360	rundll32.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4336 rundll32.exe
3024
3024
3024
3024
4360 rundll32.exe
3024
3024
3024
3024
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3024
3024

pid	process
4336	rundll32.exe
3024
3024
3024
3024
4360	rundll32.exe
3024
3024
3024
3024

pid	process
3024
3024

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

7EA6.exerundll32.exe

description	pid	process	target process
PID 3024 wrote to memory of 1580	3024		7EA6.exe
PID 3024 wrote to memory of 1580	3024		7EA6.exe
PID 3024 wrote to memory of 1580	3024		7EA6.exe
PID 1580 wrote to memory of 4360	1580	7EA6.exe	rundll32.exe
PID 1580 wrote to memory of 4360	1580	7EA6.exe	rundll32.exe
PID 1580 wrote to memory of 4360	1580	7EA6.exe	rundll32.exe
PID 4360 wrote to memory of 4336	4360	rundll32.exe	rundll32.exe
PID 4360 wrote to memory of 4336	4360	rundll32.exe	rundll32.exe
PID 4360 wrote to memory of 4336	4360	rundll32.exe	rundll32.exe
PID 4360 wrote to memory of 620	4360	rundll32.exe	schtasks.exe
PID 4360 wrote to memory of 620	4360	rundll32.exe	schtasks.exe
PID 4360 wrote to memory of 620	4360	rundll32.exe	schtasks.exe
PID 4360 wrote to memory of 628	4360	rundll32.exe	schtasks.exe
PID 4360 wrote to memory of 628	4360	rundll32.exe	schtasks.exe
PID 4360 wrote to memory of 628	4360	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe
"C:\Users\Admin\AppData\Local\Temp\14a10fc4f2e38e3581b570c2cdc82fbdc084110d8849fee3161ac009ebd5baf3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4872

C:\Users\Admin\AppData\Local\Temp\7EA6.exe
C:\Users\Admin\AppData\Local\Temp\7EA6.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4360

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 13736
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4336

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:620

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 512
2⤵
- Program crash
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1580 -ip 1580
1⤵
PID:4432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7EA6.exe
Filesize
3.6MB

MD5
93628d556ca270cc82b312cbb50be70f

SHA1
f44aa3096bcdb8fdd4bc2a2e38e1f1d1d5e659a5

SHA256
0e46c94d2f6efcb74d42cbb7e8ec9736d62ab8b7d83caaa0a449122d169d3029

SHA512
b256386f6f7414a49069d03e52b07b93fb5864a618e07ecb65ea68ee4a282f22c254340ba73e7e11221eb7ad742ea4d78c0b036007fecd955f7d12c6ebfe28b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EA6.exe
Filesize
3.6MB

MD5
93628d556ca270cc82b312cbb50be70f

SHA1
f44aa3096bcdb8fdd4bc2a2e38e1f1d1d5e659a5

SHA256
0e46c94d2f6efcb74d42cbb7e8ec9736d62ab8b7d83caaa0a449122d169d3029

SHA512
b256386f6f7414a49069d03e52b07b93fb5864a618e07ecb65ea68ee4a282f22c254340ba73e7e11221eb7ad742ea4d78c0b036007fecd955f7d12c6ebfe28b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll
Filesize
4.3MB

MD5
dc71f028e12eeb89222feb8c7be3a2c9

SHA1
0e8e1ae90f79f5bacae03aff545c983c27288b11

SHA256
24e9acae07b99e759d6a5d0465703623de5d1308809126ee423450768da876b5

SHA512
04f24f773cba8376e0e217a56d364c1fbb528ccfa8a39e6fd1ae78284889121831c90e3bfb3d4b8ffb1a3fbd24ef324a9d0e74447c632b0e6ed7ec8d03a13b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll
Filesize
4.3MB

MD5
dc71f028e12eeb89222feb8c7be3a2c9

SHA1
0e8e1ae90f79f5bacae03aff545c983c27288b11

SHA256
24e9acae07b99e759d6a5d0465703623de5d1308809126ee423450768da876b5

SHA512
04f24f773cba8376e0e217a56d364c1fbb528ccfa8a39e6fd1ae78284889121831c90e3bfb3d4b8ffb1a3fbd24ef324a9d0e74447c632b0e6ed7ec8d03a13b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll
Filesize
4.3MB

MD5
dc71f028e12eeb89222feb8c7be3a2c9

SHA1
0e8e1ae90f79f5bacae03aff545c983c27288b11

SHA256
24e9acae07b99e759d6a5d0465703623de5d1308809126ee423450768da876b5

SHA512
04f24f773cba8376e0e217a56d364c1fbb528ccfa8a39e6fd1ae78284889121831c90e3bfb3d4b8ffb1a3fbd24ef324a9d0e74447c632b0e6ed7ec8d03a13b15

Download Submit
memory/620-164-0x0000000000000000-mapping.dmp

Download
memory/628-166-0x0000000000000000-mapping.dmp

Download
memory/1580-148-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1580-140-0x0000000002A90000-0x0000000002F75000-memory.dmp

Filesize
4.9MB

Download
memory/1580-141-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1580-139-0x0000000002708000-0x0000000002A8D000-memory.dmp

Filesize
3.5MB

Download
memory/1580-136-0x0000000000000000-mapping.dmp

Download
memory/4336-163-0x0000023E4BF20000-0x0000023E4C1C8000-memory.dmp

Filesize
2.7MB

Download
memory/4336-162-0x0000000000A40000-0x0000000000CD6000-memory.dmp

Filesize
2.6MB

Download
memory/4336-161-0x0000023E4D7E0000-0x0000023E4D920000-memory.dmp

Filesize
1.2MB

Download
memory/4336-160-0x0000023E4D7E0000-0x0000023E4D920000-memory.dmp

Filesize
1.2MB

Download
memory/4336-159-0x00007FF6E7146890-mapping.dmp

Download
memory/4360-152-0x00000000038A0000-0x00000000043ED000-memory.dmp

Filesize
11.3MB

Download
memory/4360-158-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/4360-151-0x00000000038A0000-0x00000000043ED000-memory.dmp

Filesize
11.3MB

Download
memory/4360-149-0x0000000002400000-0x0000000002857000-memory.dmp

Filesize
4.3MB

Download
memory/4360-154-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/4360-153-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/4360-155-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/4360-156-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/4360-157-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/4360-150-0x00000000038A0000-0x00000000043ED000-memory.dmp

Filesize
11.3MB

Download
memory/4360-165-0x00000000038A0000-0x00000000043ED000-memory.dmp

Filesize
11.3MB

Download
memory/4360-147-0x0000000002400000-0x0000000002857000-memory.dmp

Filesize
4.3MB

Download
memory/4360-146-0x0000000002400000-0x0000000002857000-memory.dmp

Filesize
4.3MB

Download
memory/4360-142-0x0000000000000000-mapping.dmp

Download
memory/4872-135-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download
memory/4872-134-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download
memory/4872-132-0x0000000000C9E000-0x0000000000CAF000-memory.dmp

Filesize
68KB

Download
memory/4872-133-0x0000000000C70000-0x0000000000C79000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads