smokeloader | 642c97b56fe4524f75692da57199b35c693f4777be48580e54c8805253bc2050

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2022 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b4ee0649b719ce5a14b63c9b3a7f7bc0878b530ad158f9c2a04c3dd8b015af4.exe
Size

297KB
MD5

69178f6e005b870217b52a6780494088
SHA1

ee2cd7dcd50d89196f949159182c78a99aec2400
SHA256

4b4ee0649b719ce5a14b63c9b3a7f7bc0878b530ad158f9c2a04c3dd8b015af4
SHA512

14fd684790345e0e36b2b86f083276325662c99636d619e085ed1bf3685b35e7fba0330a24704a8ddcdb999b9c2569d5bd90e1fa0af52b1ed51b56c8356c5617
SSDEEP

6144:ALzX0e34H8RMnx+X58xQ3xDPkMo5zXbAc:AXru8RMnxK58xaxDPyrbA

Score

10^/10

smokeloader backdoor discovery trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/432-133-0x0000000000490000-0x0000000000499000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
40	1400	rundll32.exe
50	1400	rundll32.exe
63	1400	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
344	D4D9.exe

Loads dropped DLL 1 IoCs

pid	Process
1400	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1400 set thread context of 5028	1400	rundll32.exe	90

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\forms_super.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\MyriadCAD.otf	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\AGMGPUOptIn.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\export.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\3difr.x3d	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\email_all.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\core_icons.png	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\distribute_form.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\AXE8SharedExpat.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\reviews_joined.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\aic_file_icons_retina_thumb_new.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\aic_file_icons_retina_thumb.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\remove.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\2d.x3d	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\remove.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\CollectSignatures.aapp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4756	344	WerFault.exe	85

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4b4ee0649b719ce5a14b63c9b3a7f7bc0878b530ad158f9c2a04c3dd8b015af4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4b4ee0649b719ce5a14b63c9b3a7f7bc0878b530ad158f9c2a04c3dd8b015af4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4b4ee0649b719ce5a14b63c9b3a7f7bc0878b530ad158f9c2a04c3dd8b015af4.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009b55ada9100054656d7000003a0009000400efbe6b55586c9b55afa92e00000000000000000000000000000000000000000000000000f7b33001540065006d007000000014000000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1192	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
432	4b4ee0649b719ce5a14b63c9b3a7f7bc0878b530ad158f9c2a04c3dd8b015af4.exe
432	4b4ee0649b719ce5a14b63c9b3a7f7bc0878b530ad158f9c2a04c3dd8b015af4.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1192	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
432	4b4ee0649b719ce5a14b63c9b3a7f7bc0878b530ad158f9c2a04c3dd8b015af4.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeCreatePagefilePrivilege	1192	Process not Found
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeCreatePagefilePrivilege	1192	Process not Found
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeCreatePagefilePrivilege	1192	Process not Found
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeCreatePagefilePrivilege	1192	Process not Found
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeCreatePagefilePrivilege	1192	Process not Found
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeCreatePagefilePrivilege	1192	Process not Found
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeCreatePagefilePrivilege	1192	Process not Found
Token: SeShutdownPrivilege	1192	Process not Found
Token: SeCreatePagefilePrivilege	1192	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5028	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1192	Process not Found
1192	Process not Found

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 344	1192	Process not Found	85
PID 1192 wrote to memory of 344	1192	Process not Found	85
PID 1192 wrote to memory of 344	1192	Process not Found	85
PID 344 wrote to memory of 1400	344	D4D9.exe	87
PID 344 wrote to memory of 1400	344	D4D9.exe	87
PID 344 wrote to memory of 1400	344	D4D9.exe	87
PID 1400 wrote to memory of 5028	1400	rundll32.exe	90
PID 1400 wrote to memory of 5028	1400	rundll32.exe	90
PID 1400 wrote to memory of 5028	1400	rundll32.exe	90

C:\Users\Admin\AppData\Local\Temp\4b4ee0649b719ce5a14b63c9b3a7f7bc0878b530ad158f9c2a04c3dd8b015af4.exe
"C:\Users\Admin\AppData\Local\Temp\4b4ee0649b719ce5a14b63c9b3a7f7bc0878b530ad158f9c2a04c3dd8b015af4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:432

C:\Users\Admin\AppData\Local\Temp\D4D9.exe
C:\Users\Admin\AppData\Local\Temp\D4D9.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:344
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp",Dioeeedresq
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14026
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:5028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 528
  2⤵
  - Program crash
  PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 344 -ip 344
1⤵
PID:3952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:2144
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\google\temp\agmgpuoptin.dll",tVNicml3Uw==
  2⤵
  PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\AGMGPUOptIn.dll

Filesize
792KB

MD5
b0aae80c522d672c0cb533b21502bb27

SHA1
23271c304da87bf0854fc577cc2396899aec3055

SHA256
40ed5e6894f4b982cb1aa5e194409ca31a0a2d5b7e7dcccd3f6ac5da4e1dbc7b

SHA512
7c946134b789d110969ed7818bce4f65d59b281770aa49bf621dd6ec90f9ff3ce18567d4a21c0291838453eab5a010fe1754e56126f7d2db8be4e42484b9a897

Download Submit
C:\Program Files (x86)\Google\Temp\AGMGPUOptIn.dll

Filesize
792KB

MD5
b0aae80c522d672c0cb533b21502bb27

SHA1
23271c304da87bf0854fc577cc2396899aec3055

SHA256
40ed5e6894f4b982cb1aa5e194409ca31a0a2d5b7e7dcccd3f6ac5da4e1dbc7b

SHA512
7c946134b789d110969ed7818bce4f65d59b281770aa49bf621dd6ec90f9ff3ce18567d4a21c0291838453eab5a010fe1754e56126f7d2db8be4e42484b9a897

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch

Filesize
110B

MD5
37a1115747e63e1c0ead2c66301f22d3

SHA1
44339aa5b475ecc2669a69fa1850ffcbf6fc666e

SHA256
9496889b2cbda0bcb85b8ef91dc323107702c214ee37a7c1057b8fc9c8874589

SHA512
6ecc4b9f1d08bccc3f1ae111391e83b8a1ae3788f532ae3afac5ed91823891aaf6a56385e3856910730d312d5374c779bdab7760d82a685ee99c077a3180357d

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\C2RManifest.osmmui.msi.16.en-us.xml

Filesize
10KB

MD5
3ef69b2c0f15e6b97fca1141bc9beb9a

SHA1
421916704e31978eb77421161bb170003a83c1a2

SHA256
f3e25cf6f3fdd2017b76701290ba9599384dd2084111545f6da078502cae29cc

SHA512
cec4a92eb852d731571a4e1098f195b2f3d84a5fde17c5e6ba5d3e7464f2352fe25cb67b051078f0742696b0aa862960e0203c2231df1552534c06539149427d

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp

Filesize
3.5MB

MD5
7f3acb0a74fa4a288b33bd0d22f91716

SHA1
9b25a97fe300128d8f99a1887e37812b97fca4d2

SHA256
04637d26bee1e1cd72ed842719afe64c0bfbd7968b173ae043e76c35bbeea636

SHA512
c8fb61038fafb3f6e7cdf3d0e96cc78b565e697ac0376fb7bf02e268c3f018b9925ef6325a29c0a6494f9dcfa5789ed9d55ad67cd0ce0f22ff0863b1a5097d7e

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.CredDialogHost_10.0.19041.1023_neutral__cw5n1h2txyewy.xml

Filesize
1KB

MD5
8c59faf203fc8a2a460920be06eb2b4e

SHA1
833cf94c8a893ed6199812f4ca6f177af7dc43c1

SHA256
b7e5f69aa3d04494c0a0d3a09b70d48b38b5264f74c04a49e5886bb6cc78889a

SHA512
5fa0271ecb6995cac9c003e6d3313c6fa5f89a360711ff4b80292379f58c33d8802413c8c63d1312913934a7144f0a2cfffddeab05d69afd4a1d810c5003bc5f

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
26KB

MD5
3973cc0067bf4b33098b7bf2d68db787

SHA1
88ddb50df1c24a7f658ba2050f94dea1e13ca8d4

SHA256
70d4896e97e5a6e63d081deb667a746d8153c30ef2556c15fac003e4ac3ea4e9

SHA512
87b72becab432f15accf9433b024b53efff165a9478937a4efd5ecf6841503b4c64eedbaae87ecba44f7803331950cd36f9e54c97c4ebf05d7a76062814bd080

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
829B

MD5
87abe99363b16041e32b8a146eb53617

SHA1
b1f3f3c3939f2331dee213e480f4a4d0c753f72a

SHA256
7c8df7b34fca6387a15cbc0d6f591624a5a28bf513f71eb1077d55f1b448d856

SHA512
091ffae18e7cf41237b1039964cb4c3116275edfa34b198bbb9a0b258a99bf3b62b420fb22d747788a889f2306c30f0dc00566c432d4b2bb2e410a9e7dc69e44

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe.xml

Filesize
15KB

MD5
2f71d0396b93381c1fd86bf822612868

SHA1
d0801700dd00a51276f32c6ed19f5b713b5db825

SHA256
0543ea8c8efce3d69431f57affc2cfa44df1b9244a25ed080e4b2014d0419026

SHA512
67022ce5c41641799abff9e68cb3f049c5d932aea5c6fd8748469e2e7f51f987f1bdfc7d831a8d11a69d99a77cc363c51db8be6ad50e4014eb63a15c1f25a722

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

Filesize
3KB

MD5
1a3168a15983b890b16390a23a89a02e

SHA1
d56ce16d88d79159a27c2d1cd3770dc56d897ebe

SHA256
334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946

SHA512
f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\resource.xml

Filesize
1KB

MD5
36b733e882d091355ffdd2b0a3286888

SHA1
0043a974ebd90d802e8cc5e04b5cefc980d03292

SHA256
f83662badfaa62797f925aa8292852be5351d3e641d70fe22c911ee4cdf68aad

SHA512
abb0df60401f74df3368e17cd8ff672dceaeef0fbeb097da659c07f2b8d756a09ada065ecb3ba7ccabbb4416817d730c13e6340ae5c6239dff31ae8b81c0a10c

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\stream.x64.en-us.hash

Filesize
128B

MD5
73f303800be636585f9ec14701cd8d5e

SHA1
456304dc888d5eaa159fa0fa34fc9bcc3bacb633

SHA256
c8e3762853e17a3bd49882b0d36afa285bed5639f8f9e88f716c3942e28b6ace

SHA512
8a80ee6d1b074d68a55bbb3d5be251cfaae89b0345a6b0e84a6359e8c1453c8bf0969e6d33a7d0523d30d586c46c1eede9e71f7a89f7bc67ea0ad866671b81b4

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\wlidsvcconfig.xml

Filesize
12KB

MD5
f9f25c79e2df9c8c8209b5d052a557b0

SHA1
2d4a14e2df96245a599bacb530e396c2900a5b61

SHA256
385214231d70603caaf00c1f2e9f115be35cc603d289dd878069f9933aa591b5

SHA512
7c9d68d4f96cef25f4703fe4db68fda9689308df759ef05666421c74f0e57b4c25fa8d1c6cf9e5a6a0e9a81d230669b8656279076e60ebfd1ba5b56770fa4ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4D9.exe

Filesize
1.0MB

MD5
bbb459e503d4c79fdc02a2b89af1d07a

SHA1
a0b81044e45b130b56a81f068193295aa79da174

SHA256
6aa2b86ef308d638ec7ed2d9f1be438e1fa481ffe90c4013be27c0e8a61cc427

SHA512
2aeaf04490fa3637bd467b028d3755e208a9688b7fcc28abc9856f1e436270a1bbe67577464c3052241f3c722d778118d972b945a97955ca8dd57c686378ba84

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4D9.exe

Filesize
1.0MB

MD5
bbb459e503d4c79fdc02a2b89af1d07a

SHA1
a0b81044e45b130b56a81f068193295aa79da174

SHA256
6aa2b86ef308d638ec7ed2d9f1be438e1fa481ffe90c4013be27c0e8a61cc427

SHA512
2aeaf04490fa3637bd467b028d3755e208a9688b7fcc28abc9856f1e436270a1bbe67577464c3052241f3c722d778118d972b945a97955ca8dd57c686378ba84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
\??\c:\program files (x86)\google\temp\agmgpuoptin.dll

Filesize
792KB

MD5
b0aae80c522d672c0cb533b21502bb27

SHA1
23271c304da87bf0854fc577cc2396899aec3055

SHA256
40ed5e6894f4b982cb1aa5e194409ca31a0a2d5b7e7dcccd3f6ac5da4e1dbc7b

SHA512
7c946134b789d110969ed7818bce4f65d59b281770aa49bf621dd6ec90f9ff3ce18567d4a21c0291838453eab5a010fe1754e56126f7d2db8be4e42484b9a897

Download Submit
memory/344-144-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/344-143-0x00000000022D0000-0x00000000023E1000-memory.dmp

Filesize
1.1MB

Download
memory/344-142-0x00000000021F1000-0x00000000022C7000-memory.dmp

Filesize
856KB

Download
memory/344-136-0x0000000000000000-mapping.dmp

Download
memory/380-177-0x0000000004AB0000-0x000000000560D000-memory.dmp

Filesize
11.4MB

Download
memory/380-174-0x0000000000000000-mapping.dmp

Download
memory/432-133-0x0000000000490000-0x0000000000499000-memory.dmp

Filesize
36KB

Download
memory/432-134-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/432-132-0x00000000004BE000-0x00000000004D3000-memory.dmp

Filesize
84KB

Download
memory/432-135-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1400-149-0x00000000047B0000-0x00000000048F0000-memory.dmp

Filesize
1.2MB

Download
memory/1400-139-0x0000000000000000-mapping.dmp

Download
memory/1400-148-0x00000000047B0000-0x00000000048F0000-memory.dmp

Filesize
1.2MB

Download
memory/1400-152-0x00000000047B0000-0x00000000048F0000-memory.dmp

Filesize
1.2MB

Download
memory/1400-147-0x00000000047B0000-0x00000000048F0000-memory.dmp

Filesize
1.2MB

Download
memory/1400-146-0x0000000004D00000-0x000000000585D000-memory.dmp

Filesize
11.4MB

Download
memory/1400-145-0x0000000004D00000-0x000000000585D000-memory.dmp

Filesize
11.4MB

Download
memory/1400-150-0x00000000047B0000-0x00000000048F0000-memory.dmp

Filesize
1.2MB

Download
memory/1400-159-0x0000000004D00000-0x000000000585D000-memory.dmp

Filesize
11.4MB

Download
memory/1400-156-0x0000000004829000-0x000000000482B000-memory.dmp

Filesize
8KB

Download
memory/1400-151-0x00000000047B0000-0x00000000048F0000-memory.dmp

Filesize
1.2MB

Download
memory/2144-163-0x00000000039D0000-0x000000000452D000-memory.dmp

Filesize
11.4MB

Download
memory/2144-176-0x00000000039D0000-0x000000000452D000-memory.dmp

Filesize
11.4MB

Download
memory/5028-158-0x000001736E860000-0x000001736EB0E000-memory.dmp

Filesize
2.7MB

Download
memory/5028-157-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/5028-155-0x000001736E6D0000-0x000001736E810000-memory.dmp

Filesize
1.2MB

Download
memory/5028-154-0x000001736E6D0000-0x000001736E810000-memory.dmp

Filesize
1.2MB

Download
memory/5028-153-0x00007FF6A8166890-mapping.dmp

Download