smokeloader | 3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2022 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926.exe
Size

224KB
MD5

2d0cb45a5cae57497e231d8b81986797
SHA1

c7fdede472d241307e1bf21d497ee78a96ba46fa
SHA256

3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926
SHA512

30d52aa31e9e0776a8a9eaf8ce3b209fc123ff25c7f0d02c7483b69130b604c0dfc533b9672ea4391e2f83d05264e39bf67f38c90e72122bfadfacb8d8145a42
SSDEEP

3072:9DnRhLrRcy5eSxsVu2Jrjo4h78AThQiauDnc4B3ejiwf/ln:dLryHSCVlh78GqiaMFBuOK

Score

10^/10

smokeloader backdoor collection discovery spyware stealer trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/1348-133-0x00000000008C0000-0x00000000008C9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
32	4088	rundll32.exe
37	4088	rundll32.exe
88	4088	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
484	995.exe
3096	dsrcdjf

Loads dropped DLL 1 IoCs

pid	Process
4088	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4088 set thread context of 1572	4088	rundll32.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3544	484	WerFault.exe	76

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsrcdjf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsrcdjf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dsrcdjf

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found

Modifies registry class 30 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009855eb94100054656d7000003a0009000400efbe0c551d9c9855eb942e0000000000000000000000000000000000000000000000000089947a00540065006d007000000014000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2688	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1348	3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926.exe
1348	3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926.exe
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1348	3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926.exe
3096	dsrcdjf

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2688	Process not Found
Token: SeCreatePagefilePrivilege	2688	Process not Found
Token: SeDebugPrivilege	4088	rundll32.exe
Token: SeShutdownPrivilege	2688	Process not Found
Token: SeCreatePagefilePrivilege	2688	Process not Found
Token: SeShutdownPrivilege	2688	Process not Found
Token: SeCreatePagefilePrivilege	2688	Process not Found
Token: SeShutdownPrivilege	2688	Process not Found
Token: SeCreatePagefilePrivilege	2688	Process not Found
Token: SeShutdownPrivilege	2688	Process not Found
Token: SeCreatePagefilePrivilege	2688	Process not Found
Token: SeShutdownPrivilege	2688	Process not Found
Token: SeCreatePagefilePrivilege	2688	Process not Found
Token: SeShutdownPrivilege	2688	Process not Found
Token: SeCreatePagefilePrivilege	2688	Process not Found
Token: SeShutdownPrivilege	2688	Process not Found
Token: SeCreatePagefilePrivilege	2688	Process not Found
Token: SeShutdownPrivilege	2688	Process not Found
Token: SeCreatePagefilePrivilege	2688	Process not Found
Token: SeShutdownPrivilege	2688	Process not Found
Token: SeCreatePagefilePrivilege	2688	Process not Found
Token: SeShutdownPrivilege	2688	Process not Found
Token: SeCreatePagefilePrivilege	2688	Process not Found

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2688	Process not Found
2688	Process not Found
2688	Process not Found
1572	rundll32.exe
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found
4088	rundll32.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2688	Process not Found
2688	Process not Found
2688	Process not Found
2688	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	Process not Found
2688	Process not Found

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 484	2688	Process not Found	76
PID 2688 wrote to memory of 484	2688	Process not Found	76
PID 2688 wrote to memory of 484	2688	Process not Found	76
PID 484 wrote to memory of 4088	484	995.exe	81
PID 484 wrote to memory of 4088	484	995.exe	81
PID 484 wrote to memory of 4088	484	995.exe	81
PID 4088 wrote to memory of 1572	4088	rundll32.exe	90
PID 4088 wrote to memory of 1572	4088	rundll32.exe	90
PID 4088 wrote to memory of 1572	4088	rundll32.exe	90
PID 4088 wrote to memory of 732	4088	rundll32.exe	93
PID 4088 wrote to memory of 732	4088	rundll32.exe	93
PID 4088 wrote to memory of 732	4088	rundll32.exe	93
PID 4088 wrote to memory of 3232	4088	rundll32.exe	95
PID 4088 wrote to memory of 3232	4088	rundll32.exe	95
PID 4088 wrote to memory of 3232	4088	rundll32.exe	95

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926.exe
"C:\Users\Admin\AppData\Local\Temp\3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1348

C:\Users\Admin\AppData\Local\Temp\995.exe
C:\Users\Admin\AppData\Local\Temp\995.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Oyiesauffusw.tmp",Wuuitfqhpt
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4088
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 17140
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1572
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 540
  2⤵
  - Program crash
  PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 484 -ip 484
1⤵
PID:2376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2296

C:\Users\Admin\AppData\Roaming\dsrcdjf
C:\Users\Admin\AppData\Roaming\dsrcdjf
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\995.exe

Filesize
1.0MB

MD5
ed11a248a2af894c03adeaa5d9f57a2b

SHA1
b2934d359cff3c53158ce3ef329cecd466e8c626

SHA256
ebd2be77829bd7882984eaa1065311d781e02e2ae6b56096d79752b9a5f1eddd

SHA512
e472a2119c270679b81f6f492b9911a01224d9034da5f22ebc27475a55cc9d97d452d06ca41262cb902f54cfb478d92d7100e9a095b87cacb4444704871a40b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\995.exe

Filesize
1.0MB

MD5
ed11a248a2af894c03adeaa5d9f57a2b

SHA1
b2934d359cff3c53158ce3ef329cecd466e8c626

SHA256
ebd2be77829bd7882984eaa1065311d781e02e2ae6b56096d79752b9a5f1eddd

SHA512
e472a2119c270679b81f6f492b9911a01224d9034da5f22ebc27475a55cc9d97d452d06ca41262cb902f54cfb478d92d7100e9a095b87cacb4444704871a40b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oyiesauffusw.tmp

Filesize
730KB

MD5
8d039a703875733043526555982e4e60

SHA1
f583795e790e682db2feaa5f5b8d282216f581e2

SHA256
5cb8e52b000f84494627db8e8e700e7731c9bfa2eb9e6a8a8280d2311327e81a

SHA512
3e89ec3eb7e90aa93c0a3cc2d120521b1c2236a8a2169b2654fcc153f926b97e85267a177ef92f3ac3a7aa493a81a3a55c1b6b56ef8f8beb93b78bf3eb10373e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oyiesauffusw.tmp

Filesize
730KB

MD5
8d039a703875733043526555982e4e60

SHA1
f583795e790e682db2feaa5f5b8d282216f581e2

SHA256
5cb8e52b000f84494627db8e8e700e7731c9bfa2eb9e6a8a8280d2311327e81a

SHA512
3e89ec3eb7e90aa93c0a3cc2d120521b1c2236a8a2169b2654fcc153f926b97e85267a177ef92f3ac3a7aa493a81a3a55c1b6b56ef8f8beb93b78bf3eb10373e

Download Submit
C:\Users\Admin\AppData\Roaming\dsrcdjf

Filesize
224KB

MD5
2d0cb45a5cae57497e231d8b81986797

SHA1
c7fdede472d241307e1bf21d497ee78a96ba46fa

SHA256
3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926

SHA512
30d52aa31e9e0776a8a9eaf8ce3b209fc123ff25c7f0d02c7483b69130b604c0dfc533b9672ea4391e2f83d05264e39bf67f38c90e72122bfadfacb8d8145a42

Download Submit
C:\Users\Admin\AppData\Roaming\dsrcdjf

Filesize
224KB

MD5
2d0cb45a5cae57497e231d8b81986797

SHA1
c7fdede472d241307e1bf21d497ee78a96ba46fa

SHA256
3f7b8a4b3e8d14816fc181cd3753c6b040799ef0a79b8f29125cdf6013c5d926

SHA512
30d52aa31e9e0776a8a9eaf8ce3b209fc123ff25c7f0d02c7483b69130b604c0dfc533b9672ea4391e2f83d05264e39bf67f38c90e72122bfadfacb8d8145a42

Download Submit
memory/484-139-0x0000000000AD3000-0x0000000000BB0000-memory.dmp

Filesize
884KB

Download
memory/484-140-0x0000000002360000-0x000000000247C000-memory.dmp

Filesize
1.1MB

Download
memory/484-141-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/484-145-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/1348-132-0x00000000004BA000-0x00000000004CB000-memory.dmp

Filesize
68KB

Download
memory/1348-135-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1348-134-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1348-133-0x00000000008C0000-0x00000000008C9000-memory.dmp

Filesize
36KB

Download
memory/1572-156-0x0000023629450000-0x0000023629590000-memory.dmp

Filesize
1.2MB

Download
memory/1572-157-0x0000000000630000-0x00000000008CA000-memory.dmp

Filesize
2.6MB

Download
memory/1572-158-0x0000023627A00000-0x0000023627CAC000-memory.dmp

Filesize
2.7MB

Download
memory/1572-155-0x0000023629450000-0x0000023629590000-memory.dmp

Filesize
1.2MB

Download
memory/3096-166-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3096-165-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3096-164-0x000000000049A000-0x00000000004AB000-memory.dmp

Filesize
68KB

Download
memory/4088-148-0x0000000005150000-0x0000000005290000-memory.dmp

Filesize
1.2MB

Download
memory/4088-153-0x0000000005150000-0x0000000005290000-memory.dmp

Filesize
1.2MB

Download
memory/4088-147-0x00000000057B0000-0x0000000006312000-memory.dmp

Filesize
11.4MB

Download
memory/4088-160-0x00000000057B0000-0x0000000006312000-memory.dmp

Filesize
11.4MB

Download
memory/4088-149-0x0000000005150000-0x0000000005290000-memory.dmp

Filesize
1.2MB

Download
memory/4088-146-0x00000000057B0000-0x0000000006312000-memory.dmp

Filesize
11.4MB

Download
memory/4088-152-0x0000000005150000-0x0000000005290000-memory.dmp

Filesize
1.2MB

Download
memory/4088-151-0x0000000005150000-0x0000000005290000-memory.dmp

Filesize
1.2MB

Download
memory/4088-150-0x0000000005150000-0x0000000005290000-memory.dmp

Filesize
1.2MB

Download