smokeloader | 425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac

Analysis

max time kernel
156s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe
Size

200KB
MD5

241104b8eb8b3a657eb76a733be2014f
SHA1

25274ee7cae23f038541bc1948bc58322a6fe433
SHA256

425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac
SHA512

59be1f76ebf46e180c3b2ca34546c131c31e5836cb08c15fd40b8b40785a02dfca03cdf5ad8b27abf602822ffbe952e158b052baedb9ab7c059cd17f22a9ade4
SSDEEP

3072:2jaJX1he96vwi5u5nITlai3JeYl1uW4TmqhTDw02rwpqLRc:w6vq5n2EzG1uW4i02spq

Score

10^/10

smokeloader systembc backdoor trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1144-133-0x00000000004E0000-0x00000000004E9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

83 2584 rundll32.exe
85 2584 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

55A2.exe8984.exe8ED4.exenjphxo.exe

pid process

4880 55A2.exe
4924 8984.exe
4676 8ED4.exe
4324 njphxo.exe

flow	pid	process
83	2584	rundll32.exe
85	2584	rundll32.exe

pid	process
4880	55A2.exe
4924	8984.exe
4676	8ED4.exe
4324	njphxo.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

55A2.exerundll32.exe

description	pid	process	target process
PID 4880 set thread context of 780	4880	55A2.exe	rundll32.exe
PID 780 set thread context of 3936	780	rundll32.exe	rundll32.exe

Drops file in Windows directory 2 IoCs

Processes:

8ED4.exe

description ioc process

File created C:\Windows\Tasks\njphxo.job 8ED4.exe
File opened for modification C:\Windows\Tasks\njphxo.job 8ED4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3860 4880 WerFault.exe 55A2.exe
4000 4676 WerFault.exe 8ED4.exe

description	ioc	process
File created	C:\Windows\Tasks\njphxo.job	8ED4.exe
File opened for modification	C:\Windows\Tasks\njphxo.job	8ED4.exe

pid	pid_target	process	target process
3860	4880	WerFault.exe	55A2.exe
4000	4676	WerFault.exe	8ED4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe

Checks processor information in registry 2 TTPs 43 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

55A2.exerundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	55A2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	55A2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	55A2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	55A2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	55A2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	55A2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 43 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "2"
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 4e0031000000000085556d60100054656d7000003a0009000400efbe0c551d9c85556d602e0000000000000000000000000000000000000000000000000066c61f01540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

pid process

3032
3032

pid	process
3032
3032

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe

pid	process
1144	425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe
1144	425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe

pid process

1144 425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe

pid	process
3032

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

780 rundll32.exe
3936 rundll32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

pid process

3032
3032
3032
3032

pid	process
780	rundll32.exe
3936	rundll32.exe

pid	process
3032
3032
3032
3032

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

55A2.exerundll32.exe

description	pid	process	target process
PID 3032 wrote to memory of 4880	3032		55A2.exe
PID 3032 wrote to memory of 4880	3032		55A2.exe
PID 3032 wrote to memory of 4880	3032		55A2.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 2584	4880	55A2.exe	rundll32.exe
PID 3032 wrote to memory of 4924	3032		8984.exe
PID 3032 wrote to memory of 4924	3032		8984.exe
PID 3032 wrote to memory of 4924	3032		8984.exe
PID 3032 wrote to memory of 4676	3032		8ED4.exe
PID 3032 wrote to memory of 4676	3032		8ED4.exe
PID 3032 wrote to memory of 4676	3032		8ED4.exe
PID 4880 wrote to memory of 780	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 780	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 780	4880	55A2.exe	rundll32.exe
PID 4880 wrote to memory of 780	4880	55A2.exe	rundll32.exe
PID 780 wrote to memory of 3936	780	rundll32.exe	rundll32.exe
PID 780 wrote to memory of 3936	780	rundll32.exe	rundll32.exe
PID 780 wrote to memory of 3936	780	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe
"C:\Users\Admin\AppData\Local\Temp\425617d0cbfb5ddb2285437fa6147cf3cfe024efdc4cf7ea56c2f61350ca70ac.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1144

C:\Users\Admin\AppData\Local\Temp\55A2.exe
C:\Users\Admin\AppData\Local\Temp\55A2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:2584

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14243
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 588
2⤵
- Program crash
PID:3860

C:\Users\Admin\AppData\Local\Temp\8984.exe
C:\Users\Admin\AppData\Local\Temp\8984.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Users\Admin\AppData\Local\Temp\8ED4.exe
C:\Users\Admin\AppData\Local\Temp\8ED4.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 496
2⤵
- Program crash
PID:4000

C:\ProgramData\jrxosx\njphxo.exe
C:\ProgramData\jrxosx\njphxo.exe start
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4880 -ip 4880
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4676 -ip 4676
1⤵
PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jrxosx\njphxo.exe

Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\ProgramData\jrxosx\njphxo.exe

Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\55A2.exe

Filesize
781KB

MD5
b7503f2ce1f8ae161525c09da6ce2fef

SHA1
79dae979810a3af3a8be3700c63c138b17249b32

SHA256
ea1a47b7593cfdd76d063a9c8320bd663098d7345ad361ca6881731e357d590b

SHA512
c164a781ca0e92befb5c27e9d07fbb37c9aa18275d76e9829261d97e427f71d9d7d16f619d23905a89e39a2caf56b6b11640730bd08ca0b2531b937034dd1a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\55A2.exe

Filesize
781KB

MD5
b7503f2ce1f8ae161525c09da6ce2fef

SHA1
79dae979810a3af3a8be3700c63c138b17249b32

SHA256
ea1a47b7593cfdd76d063a9c8320bd663098d7345ad361ca6881731e357d590b

SHA512
c164a781ca0e92befb5c27e9d07fbb37c9aa18275d76e9829261d97e427f71d9d7d16f619d23905a89e39a2caf56b6b11640730bd08ca0b2531b937034dd1a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8984.exe

Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8984.exe

Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ED4.exe

Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ED4.exe

Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prewodwyyerdeuy..tmp

Filesize
3.5MB

MD5
1951049d57a12b81d96e53ba69eecc2e

SHA1
7c02ee5b4c4f1de5e7955d641c0c4949a9907a22

SHA256
f904e96e8666928f318f5515400282402d1f5d4a6f05304b9e92982ef32e3ba4

SHA512
e7d4f0fd41b8cb17f3969ad094e114bff74c82d57676a23728bd232b83c36116104c1b364d896681f1b0ce0b6ecb746f47ddafbc0b5ac88801bfd599db5abe15

Download Submit
memory/780-182-0x0000000003AE0000-0x0000000003C20000-memory.dmp

Filesize
1.2MB

Download
memory/780-181-0x0000000000A00000-0x0000000001439000-memory.dmp

Filesize
10.2MB

Download
memory/780-186-0x0000000003AE0000-0x0000000003C20000-memory.dmp

Filesize
1.2MB

Download
memory/780-189-0x0000000003AE0000-0x0000000003C20000-memory.dmp

Filesize
1.2MB

Download
memory/780-183-0x0000000003AE0000-0x0000000003C20000-memory.dmp

Filesize
1.2MB

Download
memory/780-188-0x0000000003AE0000-0x0000000003C20000-memory.dmp

Filesize
1.2MB

Download
memory/780-184-0x0000000002E80000-0x00000000039D9000-memory.dmp

Filesize
11.3MB

Download
memory/780-195-0x0000000002E80000-0x00000000039D9000-memory.dmp

Filesize
11.3MB

Download
memory/780-177-0x0000000000000000-mapping.dmp

Download
memory/780-187-0x0000000003AE0000-0x0000000003C20000-memory.dmp

Filesize
1.2MB

Download
memory/780-179-0x0000000003AE0000-0x0000000003C20000-memory.dmp

Filesize
1.2MB

Download
memory/780-180-0x0000000003AE0000-0x0000000003C20000-memory.dmp

Filesize
1.2MB

Download
memory/780-178-0x0000000002E80000-0x00000000039D9000-memory.dmp

Filesize
11.3MB

Download
memory/1144-136-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1144-135-0x0000000000578000-0x0000000000588000-memory.dmp

Filesize
64KB

Download
memory/1144-132-0x0000000000578000-0x0000000000588000-memory.dmp

Filesize
64KB

Download
memory/1144-134-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1144-133-0x00000000004E0000-0x00000000004E9000-memory.dmp

Filesize
36KB

Download
memory/2584-149-0x0000000000590000-0x0000000000593000-memory.dmp

Filesize
12KB

Download
memory/2584-143-0x0000000000000000-mapping.dmp

Download
memory/2584-161-0x0000000000590000-0x0000000000593000-memory.dmp

Filesize
12KB

Download
memory/2584-144-0x0000000000500000-0x0000000000503000-memory.dmp

Filesize
12KB

Download
memory/3936-194-0x00000185868E0000-0x0000018586B93000-memory.dmp

Filesize
2.7MB

Download
memory/3936-193-0x00000000004C0000-0x0000000000761000-memory.dmp

Filesize
2.6MB

Download
memory/3936-192-0x0000018588340000-0x0000018588480000-memory.dmp

Filesize
1.2MB

Download
memory/3936-191-0x0000018588340000-0x0000018588480000-memory.dmp

Filesize
1.2MB

Download
memory/3936-190-0x00007FF647E26890-mapping.dmp

Download
memory/4324-164-0x00000000006E8000-0x00000000006F8000-memory.dmp

Filesize
64KB

Download
memory/4324-165-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4324-185-0x00000000006E8000-0x00000000006F8000-memory.dmp

Filesize
64KB

Download
memory/4676-158-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4676-157-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/4676-156-0x000000000073D000-0x000000000074D000-memory.dmp

Filesize
64KB

Download
memory/4676-152-0x0000000000000000-mapping.dmp

Download
memory/4880-142-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4880-169-0x0000000006AA0000-0x0000000006BE0000-memory.dmp

Filesize
1.2MB

Download
memory/4880-175-0x0000000006AA0000-0x0000000006BE0000-memory.dmp

Filesize
1.2MB

Download
memory/4880-197-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4880-173-0x0000000006AA0000-0x0000000006BE0000-memory.dmp

Filesize
1.2MB

Download
memory/4880-196-0x0000000005E00000-0x0000000006959000-memory.dmp

Filesize
11.3MB

Download
memory/4880-137-0x0000000000000000-mapping.dmp

Download
memory/4880-167-0x0000000005E00000-0x0000000006959000-memory.dmp

Filesize
11.3MB

Download
memory/4880-145-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4880-174-0x0000000006AA0000-0x0000000006BE0000-memory.dmp

Filesize
1.2MB

Download
memory/4880-172-0x0000000006AA0000-0x0000000006BE0000-memory.dmp

Filesize
1.2MB

Download
memory/4880-170-0x0000000006AA0000-0x0000000006BE0000-memory.dmp

Filesize
1.2MB

Download
memory/4880-168-0x0000000005E00000-0x0000000006959000-memory.dmp

Filesize
11.3MB

Download
memory/4880-141-0x0000000002250000-0x0000000002345000-memory.dmp

Filesize
980KB

Download
memory/4880-171-0x0000000006AA0000-0x0000000006BE0000-memory.dmp

Filesize
1.2MB

Download
memory/4880-140-0x00000000021A8000-0x0000000002249000-memory.dmp

Filesize
644KB

Download
memory/4880-176-0x0000000006AA0000-0x0000000006BE0000-memory.dmp

Filesize
1.2MB

Download
memory/4924-160-0x00000000004FD000-0x000000000050E000-memory.dmp

Filesize
68KB

Download
memory/4924-146-0x0000000000000000-mapping.dmp

Download
memory/4924-159-0x00000000004FD000-0x000000000050E000-memory.dmp

Filesize
68KB

Download
memory/4924-150-0x00000000004FD000-0x000000000050E000-memory.dmp

Filesize
68KB

Download
memory/4924-151-0x00000000004B0000-0x00000000004B9000-memory.dmp

Filesize
36KB

Download
memory/4924-155-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download