smokeloader | 1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57

Analysis

max time kernel
151s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exe
Size

252KB
MD5

a1059220efae8af834c8dd72aa570eed
SHA1

98cbe923e03c32f8d7980f36b15f2c5fbc8337ee
SHA256

1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57
SHA512

97d0890b4cd2a9ef25bf9b1b3ca53b973eb1a6753a4f46d312b7cb51cb93693acd439491d4fa032fad71964ffb89d2edefe7ac6e6b03783e51eb2dad0a705036
SSDEEP

3072:BdoedgUxUi+i5/riLzboMNrE71VMKp/OsjhTDw02rw4plyr2ZeXGMh0r:XUiFZAQRVd/s02s4pAUe2U

Score

10^/10

smokeloader systembc backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1692-133-0x00000000004F0000-0x00000000004F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

34 2132 rundll32.exe
42 2132 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

372D.exe569D.exe598C.exekbulfx.exebdubces

pid process

1728 372D.exe
3668 569D.exe
3664 598C.exe
4116 kbulfx.exe
3524 bdubces
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

372D.exe

description pid process target process

PID 1728 set thread context of 1752 1728 372D.exe rundll32.exe
Drops file in Windows directory 2 IoCs

Processes:

598C.exe

description ioc process

File created C:\Windows\Tasks\kbulfx.job 598C.exe
File opened for modification C:\Windows\Tasks\kbulfx.job 598C.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2396 1728 WerFault.exe 372D.exe
3860 3664 WerFault.exe 598C.exe

flow	pid	process
34	2132	rundll32.exe
42	2132	rundll32.exe

pid	process
1728	372D.exe
3668	569D.exe
3664	598C.exe
4116	kbulfx.exe
3524	bdubces

description	pid	process	target process
PID 1728 set thread context of 1752	1728	372D.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\kbulfx.job	598C.exe
File opened for modification	C:\Windows\Tasks\kbulfx.job	598C.exe

pid	pid_target	process	target process
2396	1728	WerFault.exe	372D.exe
3860	3664	WerFault.exe	598C.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exebdubces

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bdubces
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bdubces
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bdubces

Checks processor information in registry 2 TTPs 47 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

372D.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	372D.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	372D.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	372D.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	372D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	372D.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	372D.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 19 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

1076

pid	process
1076

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exe

pid	process
1692	1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exe
1692	1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exe
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1076
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exebdubces

pid process

1692 1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exe
3524 bdubces

pid	process
1076

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeDebugPrivilege	1752	rundll32.exe
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076
Token: SeShutdownPrivilege	1076
Token: SeCreatePagefilePrivilege	1076

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1752 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

1076
1076

pid	process
1752	rundll32.exe

pid	process
1076
1076

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

372D.exe

description	pid	process	target process
PID 1076 wrote to memory of 1728	1076		372D.exe
PID 1076 wrote to memory of 1728	1076		372D.exe
PID 1076 wrote to memory of 1728	1076		372D.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 2132	1728	372D.exe	rundll32.exe
PID 1076 wrote to memory of 3668	1076		569D.exe
PID 1076 wrote to memory of 3668	1076		569D.exe
PID 1076 wrote to memory of 3668	1076		569D.exe
PID 1076 wrote to memory of 3664	1076		598C.exe
PID 1076 wrote to memory of 3664	1076		598C.exe
PID 1076 wrote to memory of 3664	1076		598C.exe
PID 1728 wrote to memory of 1752	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 1752	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 1752	1728	372D.exe	rundll32.exe
PID 1728 wrote to memory of 1752	1728	372D.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exe
"C:\Users\Admin\AppData\Local\Temp\1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1692

C:\Users\Admin\AppData\Local\Temp\372D.exe
C:\Users\Admin\AppData\Local\Temp\372D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:2132

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 644
2⤵
- Program crash
PID:2396

C:\Users\Admin\AppData\Local\Temp\569D.exe
C:\Users\Admin\AppData\Local\Temp\569D.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Users\Admin\AppData\Local\Temp\598C.exe
C:\Users\Admin\AppData\Local\Temp\598C.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 984
2⤵
- Program crash
PID:3860

C:\ProgramData\vksds\kbulfx.exe
C:\ProgramData\vksds\kbulfx.exe start
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1728 -ip 1728
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3664 -ip 3664
1⤵
PID:4580

C:\Users\Admin\AppData\Roaming\bdubces
C:\Users\Admin\AppData\Roaming\bdubces
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vksds\kbulfx.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\ProgramData\vksds\kbulfx.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\372D.exe
Filesize
781KB

MD5
b7503f2ce1f8ae161525c09da6ce2fef

SHA1
79dae979810a3af3a8be3700c63c138b17249b32

SHA256
ea1a47b7593cfdd76d063a9c8320bd663098d7345ad361ca6881731e357d590b

SHA512
c164a781ca0e92befb5c27e9d07fbb37c9aa18275d76e9829261d97e427f71d9d7d16f619d23905a89e39a2caf56b6b11640730bd08ca0b2531b937034dd1a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\372D.exe
Filesize
781KB

MD5
b7503f2ce1f8ae161525c09da6ce2fef

SHA1
79dae979810a3af3a8be3700c63c138b17249b32

SHA256
ea1a47b7593cfdd76d063a9c8320bd663098d7345ad361ca6881731e357d590b

SHA512
c164a781ca0e92befb5c27e9d07fbb37c9aa18275d76e9829261d97e427f71d9d7d16f619d23905a89e39a2caf56b6b11640730bd08ca0b2531b937034dd1a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\569D.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\569D.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\598C.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\598C.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prewodwyyerdeuy..tmp
Filesize
3.5MB

MD5
1951049d57a12b81d96e53ba69eecc2e

SHA1
7c02ee5b4c4f1de5e7955d641c0c4949a9907a22

SHA256
f904e96e8666928f318f5515400282402d1f5d4a6f05304b9e92982ef32e3ba4

SHA512
e7d4f0fd41b8cb17f3969ad094e114bff74c82d57676a23728bd232b83c36116104c1b364d896681f1b0ce0b6ecb746f47ddafbc0b5ac88801bfd599db5abe15

Download Submit
C:\Users\Admin\AppData\Roaming\bdubces
Filesize
252KB

MD5
a1059220efae8af834c8dd72aa570eed

SHA1
98cbe923e03c32f8d7980f36b15f2c5fbc8337ee

SHA256
1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57

SHA512
97d0890b4cd2a9ef25bf9b1b3ca53b973eb1a6753a4f46d312b7cb51cb93693acd439491d4fa032fad71964ffb89d2edefe7ac6e6b03783e51eb2dad0a705036

Download Submit
C:\Users\Admin\AppData\Roaming\bdubces
Filesize
252KB

MD5
a1059220efae8af834c8dd72aa570eed

SHA1
98cbe923e03c32f8d7980f36b15f2c5fbc8337ee

SHA256
1b6ceb8b05f92afaf73b8a2ce3f2bf0407f5481b7120d5ca031960d7d7537f57

SHA512
97d0890b4cd2a9ef25bf9b1b3ca53b973eb1a6753a4f46d312b7cb51cb93693acd439491d4fa032fad71964ffb89d2edefe7ac6e6b03783e51eb2dad0a705036

Download Submit
memory/1692-136-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1692-132-0x0000000000608000-0x0000000000619000-memory.dmp

Filesize
68KB

Download
memory/1692-135-0x0000000000608000-0x0000000000619000-memory.dmp

Filesize
68KB

Download
memory/1692-134-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1692-133-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/1728-141-0x000000000058E000-0x000000000062F000-memory.dmp

Filesize
644KB

Download
memory/1728-166-0x00000000068D0000-0x0000000006A10000-memory.dmp

Filesize
1.2MB

Download
memory/1728-187-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1728-143-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1728-142-0x00000000021A0000-0x0000000002295000-memory.dmp

Filesize
980KB

Download
memory/1728-165-0x00000000068D0000-0x0000000006A10000-memory.dmp

Filesize
1.2MB

Download
memory/1728-172-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1728-170-0x00000000068D0000-0x0000000006A10000-memory.dmp

Filesize
1.2MB

Download
memory/1728-169-0x00000000068D0000-0x0000000006A10000-memory.dmp

Filesize
1.2MB

Download
memory/1728-184-0x0000000005C30000-0x0000000006789000-memory.dmp

Filesize
11.3MB

Download
memory/1728-137-0x0000000000000000-mapping.dmp

Download
memory/1728-168-0x00000000068D0000-0x0000000006A10000-memory.dmp

Filesize
1.2MB

Download
memory/1728-167-0x0000000005C30000-0x0000000006789000-memory.dmp

Filesize
11.3MB

Download
memory/1728-161-0x0000000005C30000-0x0000000006789000-memory.dmp

Filesize
11.3MB

Download
memory/1728-162-0x00000000068D0000-0x0000000006A10000-memory.dmp

Filesize
1.2MB

Download
memory/1728-163-0x00000000068D0000-0x0000000006A10000-memory.dmp

Filesize
1.2MB

Download
memory/1728-164-0x00000000068D0000-0x0000000006A10000-memory.dmp

Filesize
1.2MB

Download
memory/1752-177-0x0000000003330000-0x0000000003E89000-memory.dmp

Filesize
11.3MB

Download
memory/1752-174-0x0000000003F60000-0x00000000040A0000-memory.dmp

Filesize
1.2MB

Download
memory/1752-180-0x0000000003330000-0x0000000003E89000-memory.dmp

Filesize
11.3MB

Download
memory/1752-179-0x0000000003F60000-0x00000000040A0000-memory.dmp

Filesize
1.2MB

Download
memory/1752-178-0x0000000003F60000-0x00000000040A0000-memory.dmp

Filesize
1.2MB

Download
memory/1752-176-0x0000000000E00000-0x0000000001839000-memory.dmp

Filesize
10.2MB

Download
memory/1752-171-0x0000000000000000-mapping.dmp

Download
memory/1752-175-0x0000000003F60000-0x00000000040A0000-memory.dmp

Filesize
1.2MB

Download
memory/1752-173-0x0000000003330000-0x0000000003E89000-memory.dmp

Filesize
11.3MB

Download
memory/2132-146-0x0000000000B80000-0x0000000000B83000-memory.dmp

Filesize
12KB

Download
memory/2132-145-0x0000000000B80000-0x0000000000B83000-memory.dmp

Filesize
12KB

Download
memory/2132-140-0x0000000000000000-mapping.dmp

Download
memory/2132-144-0x0000000000A80000-0x0000000000A83000-memory.dmp

Filesize
12KB

Download
memory/3524-192-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3524-191-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3524-190-0x0000000000658000-0x0000000000668000-memory.dmp

Filesize
64KB

Download
memory/3664-183-0x00000000004BD000-0x00000000004CD000-memory.dmp

Filesize
64KB

Download
memory/3664-159-0x00000000004BD000-0x00000000004CD000-memory.dmp

Filesize
64KB

Download
memory/3664-150-0x0000000000000000-mapping.dmp

Download
memory/3664-160-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3668-147-0x0000000000000000-mapping.dmp

Download
memory/3668-154-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/3668-157-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3668-156-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/3668-153-0x000000000068D000-0x000000000069D000-memory.dmp

Filesize
64KB

Download
memory/3668-155-0x000000000068D000-0x000000000069D000-memory.dmp

Filesize
64KB

Download
memory/4116-186-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4116-185-0x0000000000628000-0x0000000000638000-memory.dmp

Filesize
64KB

Download