smokeloader | e73ca8ae1135189de67f9cc132ab43578c3d34141f080eb936e6aab82c0cf021

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2022 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e73ca8ae1135189de67f9cc132ab43578c3d34141f080eb936e6aab82c0cf021.exe
Size

316KB
MD5

c699ec8c7082761b49bdb613c2a96728
SHA1

f8f1618417446712d6609615f2832757fbc17222
SHA256

e73ca8ae1135189de67f9cc132ab43578c3d34141f080eb936e6aab82c0cf021
SHA512

c7788205afac4f2e6b397d40ca86e16506f4b9b4c6c32e6d96a9bbed7f7f7944c2c4a2dba0d1a426253deb79287d1967126d3d8ac190c56f28b82a67255f0873
SSDEEP

6144:vI9LAP/wIoWfpTESxuCRVVrkkiRR0cSpQTtyzsduHNIv:w9kP/wIxNESxusV9iRR0TCtyYduHNI

Score

10^/10

smokeloader backdoor collection discovery spyware stealer trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/1952-133-0x00000000005B0000-0x00000000005B9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
41	1840	rundll32.exe
43	1840	rundll32.exe
68	1840	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4524	F4A6.exe

Loads dropped DLL 1 IoCs

pid	Process
1840	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1840 set thread context of 2192	1840	rundll32.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2488	4524	WerFault.exe	88

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e73ca8ae1135189de67f9cc132ab43578c3d34141f080eb936e6aab82c0cf021.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e73ca8ae1135189de67f9cc132ab43578c3d34141f080eb936e6aab82c0cf021.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e73ca8ae1135189de67f9cc132ab43578c3d34141f080eb936e6aab82c0cf021.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found

Modifies registry class 30 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000965585a9100054656d7000003a0009000400efbe6b557d6c965585a92e0000000000000000000000000000000000000000000000000055241000540065006d007000000014000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2532	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	e73ca8ae1135189de67f9cc132ab43578c3d34141f080eb936e6aab82c0cf021.exe
1952	e73ca8ae1135189de67f9cc132ab43578c3d34141f080eb936e6aab82c0cf021.exe
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2532	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1952	e73ca8ae1135189de67f9cc132ab43578c3d34141f080eb936e6aab82c0cf021.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2532	Process not Found
Token: SeCreatePagefilePrivilege	2532	Process not Found
Token: SeDebugPrivilege	1840	rundll32.exe
Token: SeShutdownPrivilege	2532	Process not Found
Token: SeCreatePagefilePrivilege	2532	Process not Found
Token: SeShutdownPrivilege	2532	Process not Found
Token: SeCreatePagefilePrivilege	2532	Process not Found
Token: SeShutdownPrivilege	2532	Process not Found
Token: SeCreatePagefilePrivilege	2532	Process not Found
Token: SeShutdownPrivilege	2532	Process not Found
Token: SeCreatePagefilePrivilege	2532	Process not Found
Token: SeShutdownPrivilege	2532	Process not Found
Token: SeCreatePagefilePrivilege	2532	Process not Found
Token: SeShutdownPrivilege	2532	Process not Found
Token: SeCreatePagefilePrivilege	2532	Process not Found
Token: SeShutdownPrivilege	2532	Process not Found
Token: SeCreatePagefilePrivilege	2532	Process not Found
Token: SeShutdownPrivilege	2532	Process not Found
Token: SeCreatePagefilePrivilege	2532	Process not Found
Token: SeShutdownPrivilege	2532	Process not Found
Token: SeCreatePagefilePrivilege	2532	Process not Found
Token: SeShutdownPrivilege	2532	Process not Found
Token: SeCreatePagefilePrivilege	2532	Process not Found

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2192	rundll32.exe
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
2532	Process not Found
1840	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2532	Process not Found
2532	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2532	Process not Found

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 4524	2532	Process not Found	88
PID 2532 wrote to memory of 4524	2532	Process not Found	88
PID 2532 wrote to memory of 4524	2532	Process not Found	88
PID 4524 wrote to memory of 1840	4524	F4A6.exe	89
PID 4524 wrote to memory of 1840	4524	F4A6.exe	89
PID 4524 wrote to memory of 1840	4524	F4A6.exe	89
PID 1840 wrote to memory of 2192	1840	rundll32.exe	92
PID 1840 wrote to memory of 2192	1840	rundll32.exe	92
PID 1840 wrote to memory of 2192	1840	rundll32.exe	92
PID 1840 wrote to memory of 4900	1840	rundll32.exe	93
PID 1840 wrote to memory of 4900	1840	rundll32.exe	93
PID 1840 wrote to memory of 4900	1840	rundll32.exe	93
PID 1840 wrote to memory of 4412	1840	rundll32.exe	95
PID 1840 wrote to memory of 4412	1840	rundll32.exe	95
PID 1840 wrote to memory of 4412	1840	rundll32.exe	95

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e73ca8ae1135189de67f9cc132ab43578c3d34141f080eb936e6aab82c0cf021.exe
"C:\Users\Admin\AppData\Local\Temp\e73ca8ae1135189de67f9cc132ab43578c3d34141f080eb936e6aab82c0cf021.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1952

C:\Users\Admin\AppData\Local\Temp\F4A6.exe
C:\Users\Admin\AppData\Local\Temp\F4A6.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Oyiesauffusw.tmp",Wuuitfqhpt
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1840
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 17103
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 528
  2⤵
  - Program crash
  PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4524 -ip 4524
1⤵
PID:2576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F4A6.exe

Filesize
1.1MB

MD5
c75278c7981cdbbb1001943ee773881a

SHA1
cf053ea65c3de7dd072f8f16988bbd05fa8a4042

SHA256
72e7ce868f59fa8ed5fe7400def17a893aa03dbd397033a6320f7206f1656e3a

SHA512
ff8152a22e4892ed186bb92dc7bfcfb063d4aaec61cfa788e1667e167353dbea03e9afc88696054f31c8e888450ea91a7145d8cf30a48190b9abd9f04b93c6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4A6.exe

Filesize
1.1MB

MD5
c75278c7981cdbbb1001943ee773881a

SHA1
cf053ea65c3de7dd072f8f16988bbd05fa8a4042

SHA256
72e7ce868f59fa8ed5fe7400def17a893aa03dbd397033a6320f7206f1656e3a

SHA512
ff8152a22e4892ed186bb92dc7bfcfb063d4aaec61cfa788e1667e167353dbea03e9afc88696054f31c8e888450ea91a7145d8cf30a48190b9abd9f04b93c6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oyiesauffusw.tmp

Filesize
730KB

MD5
8d039a703875733043526555982e4e60

SHA1
f583795e790e682db2feaa5f5b8d282216f581e2

SHA256
5cb8e52b000f84494627db8e8e700e7731c9bfa2eb9e6a8a8280d2311327e81a

SHA512
3e89ec3eb7e90aa93c0a3cc2d120521b1c2236a8a2169b2654fcc153f926b97e85267a177ef92f3ac3a7aa493a81a3a55c1b6b56ef8f8beb93b78bf3eb10373e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oyiesauffusw.tmp

Filesize
730KB

MD5
8d039a703875733043526555982e4e60

SHA1
f583795e790e682db2feaa5f5b8d282216f581e2

SHA256
5cb8e52b000f84494627db8e8e700e7731c9bfa2eb9e6a8a8280d2311327e81a

SHA512
3e89ec3eb7e90aa93c0a3cc2d120521b1c2236a8a2169b2654fcc153f926b97e85267a177ef92f3ac3a7aa493a81a3a55c1b6b56ef8f8beb93b78bf3eb10373e

Download Submit
memory/1840-146-0x0000000004C40000-0x00000000057A2000-memory.dmp

Filesize
11.4MB

Download
memory/1840-147-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/1840-149-0x0000000006580000-0x00000000066C0000-memory.dmp

Filesize
1.2MB

Download
memory/1840-150-0x0000000006580000-0x00000000066C0000-memory.dmp

Filesize
1.2MB

Download
memory/1840-148-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/1840-159-0x0000000004C40000-0x00000000057A2000-memory.dmp

Filesize
11.4MB

Download
memory/1840-152-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/1840-151-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/1840-145-0x0000000004C40000-0x00000000057A2000-memory.dmp

Filesize
11.4MB

Download
memory/1952-134-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1952-132-0x000000000068E000-0x00000000006A4000-memory.dmp

Filesize
88KB

Download
memory/1952-133-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/1952-135-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2192-155-0x00000286A8EC0000-0x00000286A9000000-memory.dmp

Filesize
1.2MB

Download
memory/2192-154-0x00000286A8EC0000-0x00000286A9000000-memory.dmp

Filesize
1.2MB

Download
memory/2192-156-0x0000000000BF0000-0x0000000000E8A000-memory.dmp

Filesize
2.6MB

Download
memory/2192-157-0x00000286A9040000-0x00000286A92EC000-memory.dmp

Filesize
2.7MB

Download
memory/4524-144-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/4524-143-0x00000000022F0000-0x000000000240C000-memory.dmp

Filesize
1.1MB

Download
memory/4524-142-0x000000000216F000-0x000000000224C000-memory.dmp

Filesize
884KB

Download