smokeloader | 65baf6f97e9206c572b743fb7eadc5ddf9adc3fbb5857c73ae2b4b77affc7b72

General

Target

file.exe
Size

238KB
MD5

968905a62a1aaff517ec51a0f86b06d7
SHA1

d2baea0842e6df4f8a1924cc1c1efdd48c24fadb
SHA256

65baf6f97e9206c572b743fb7eadc5ddf9adc3fbb5857c73ae2b4b77affc7b72
SHA512

aa248fb6a89c216ba93a1c63d07532552874be8ada65674c9b9c606400cac1963ee48e9ae7716e72549c847c4e07db2f13b1011ed4a54ff8fe60bc0ecac94406
SSDEEP

3072:7+5WLzpe327C9OJr5qK9pnTqObiFKrpJadvohdBcf0E0OTkRbR8pgX:hLzD7C9Oykpn/iFMp6voyftmcpgX

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4788-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

74 4060 rundll32.exe
77 4060 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

80D8.exe

pid process

256 80D8.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4060 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1256 256 WerFault.exe 80D8.exe

flow	pid	process
74	4060	rundll32.exe
77	4060	rundll32.exe

pid	process
256	80D8.exe

pid	process
4060	rundll32.exe

pid	pid_target	process	target process
1256	256	WerFault.exe	80D8.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 56 IoCs

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell

NTFS ADS 1 IoCs

Processes:

description ioc process

File opened for modification C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3036

description	ioc	process
File opened for modification	C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION

pid	process
3036

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4788	file.exe
4788	file.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

4788 file.exe

pid	process
3036

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeSecurityPrivilege	3036
Token: SeTakeOwnershipPrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeSecurityPrivilege	3036
Token: SeTakeOwnershipPrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3036
3036
Suspicious use of SendNotifyMessage 33 IoCs

Processes:

pid process

3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

pid process

3036
3036
3036
3036
3036
3036
3036
3036

pid	process
3036
3036

pid	process
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

pid	process
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

80D8.exe

description	pid	process	target process
PID 3036 wrote to memory of 256	3036		80D8.exe
PID 3036 wrote to memory of 256	3036		80D8.exe
PID 3036 wrote to memory of 256	3036		80D8.exe
PID 256 wrote to memory of 4060	256	80D8.exe	rundll32.exe
PID 256 wrote to memory of 4060	256	80D8.exe	rundll32.exe
PID 256 wrote to memory of 4060	256	80D8.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4788

C:\Users\Admin\AppData\Local\Temp\80D8.exe
C:\Users\Admin\AppData\Local\Temp\80D8.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:256

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uyieweaiht.tmp",Hfesyte
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 256 -s 528
2⤵
- Program crash
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 256 -ip 256
1⤵
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\80D8.exe
Filesize
1.1MB

MD5
f3b54e24459543e105886a9b77f35687

SHA1
d57ecd8bb3f125e746d560c3a60b0419dc5f9561

SHA256
13a939f3a6ca83fa6f8b7d412f181e15767f68adeafa6c2379ceddbe59000e81

SHA512
a5c709632d222ae517820809702bce36905df627217d5ffbd60cf49e8bda5891deb2d913ed27b029dcfa187849537c7c71f619e547970ecad1acb7c842617be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\80D8.exe
Filesize
1.1MB

MD5
f3b54e24459543e105886a9b77f35687

SHA1
d57ecd8bb3f125e746d560c3a60b0419dc5f9561

SHA256
13a939f3a6ca83fa6f8b7d412f181e15767f68adeafa6c2379ceddbe59000e81

SHA512
a5c709632d222ae517820809702bce36905df627217d5ffbd60cf49e8bda5891deb2d913ed27b029dcfa187849537c7c71f619e547970ecad1acb7c842617be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uyieweaiht.tmp
Filesize
788KB

MD5
8e37ae196e2cdea4dbc44dc99a84a80f

SHA1
b81e6a81a6efe6f44a0edd73ef3b8635b8ae3a0e

SHA256
f61cae9301f5336f9048c1b7e68eab13bb839f63925bc6625f8e7e20f32f00c6

SHA512
fbb1418cab570e6e4e375da3dd99616add73576da1ace88a44adc57a39a6911dab2e3e150366cc7b662604859e6ede53b2a9f2876afe14a0b5e0ea7b7db75e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uyieweaiht.tmp
Filesize
788KB

MD5
8e37ae196e2cdea4dbc44dc99a84a80f

SHA1
b81e6a81a6efe6f44a0edd73ef3b8635b8ae3a0e

SHA256
f61cae9301f5336f9048c1b7e68eab13bb839f63925bc6625f8e7e20f32f00c6

SHA512
fbb1418cab570e6e4e375da3dd99616add73576da1ace88a44adc57a39a6911dab2e3e150366cc7b662604859e6ede53b2a9f2876afe14a0b5e0ea7b7db75e41

Download Submit
memory/256-141-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/256-136-0x0000000000000000-mapping.dmp

Download
memory/256-139-0x000000000061C000-0x0000000000704000-memory.dmp

Filesize
928KB

Download
memory/256-140-0x00000000022A0000-0x00000000023C9000-memory.dmp

Filesize
1.2MB

Download
memory/256-145-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/4060-142-0x0000000000000000-mapping.dmp

Download
memory/4788-135-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4788-132-0x0000000000773000-0x0000000000783000-memory.dmp

Filesize
64KB

Download
memory/4788-134-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4788-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads