lumma | 0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe
Size

206KB
MD5

a375317afc25dee89efc84c83a29f1ce
SHA1

6443bee1e629e9e3803c376a261a9399418f57bd
SHA256

0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1
SHA512

1ac036d91bdabd8e200f4f77dbbafe250c0b11c208c2833a1ecd6a8d2eae92b0183dfdf6fa142a9a2712ee7ba02c6446cfff32b694856033d17d67e387136d43
SSDEEP

3072:sXtnvcyAupAu5X+YLmxujtZtKQnoICqGsj5vU1Uvri:oGmpW6mxOztKqLj5vJv

Score

10^/10

lumma smokeloader backdoor discovery persistence stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1392-133-0x0000000002CE0000-0x0000000002CE9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

36 1820 rundll32.exe
40 1820 rundll32.exe
57 1820 rundll32.exe
62 1820 rundll32.exe
65 1820 rundll32.exe
71 1820 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

CB53.exe

pid process

1236 CB53.exe

flow	pid	process
36	1820	rundll32.exe
40	1820	rundll32.exe
57	1820	rundll32.exe
62	1820	rundll32.exe
65	1820	rundll32.exe
71	1820	rundll32.exe

pid	process
1236	CB53.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AXE8SharedExpat\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\AXE8SharedExpat.dll넀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AXE8SharedExpat\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\AXE8SharedExpat.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AXE8SharedExpat\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

1820 rundll32.exe
2420 svchost.exe
1464 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1820	rundll32.exe
2420	svchost.exe
1464	rundll32.exe

Drops file in Program Files directory 21 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_all.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\delete.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sqlite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\QRCode.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\WindowsMedia.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AXE8SharedExpat.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\logsession.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\index.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eula.ini	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sendforsignature.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2884 1236 WerFault.exe CB53.exe
2300 1368 WerFault.exe 3FD4.exe

pid	pid_target	process	target process
2884	1236	WerFault.exe	CB53.exe
2300	1368	WerFault.exe	3FD4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe

Checks processor information in registry 2 TTPs 59 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe

pid	process
1392	0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe
1392	0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020
2020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2020
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe

pid process

1392 0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe

pid	process
2020

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2020
Token: SeCreatePagefilePrivilege	2020
Token: SeDebugPrivilege	1820	rundll32.exe
Token: SeShutdownPrivilege	2020
Token: SeCreatePagefilePrivilege	2020

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

CB53.exesvchost.exerundll32.exe

description	pid	process	target process
PID 2020 wrote to memory of 1236	2020		CB53.exe
PID 2020 wrote to memory of 1236	2020		CB53.exe
PID 2020 wrote to memory of 1236	2020		CB53.exe
PID 1236 wrote to memory of 1820	1236	CB53.exe	rundll32.exe
PID 1236 wrote to memory of 1820	1236	CB53.exe	rundll32.exe
PID 1236 wrote to memory of 1820	1236	CB53.exe	rundll32.exe
PID 2420 wrote to memory of 1464	2420	svchost.exe	rundll32.exe
PID 2420 wrote to memory of 1464	2420	svchost.exe	rundll32.exe
PID 2420 wrote to memory of 1464	2420	svchost.exe	rundll32.exe
PID 1820 wrote to memory of 4700	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 4700	1820	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe
"C:\Users\Admin\AppData\Local\Temp\0ce027e31427cff81bcbe28cd67c5d7c1478beea194829e4266fcc4d3ed6c5f1.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1392

C:\Users\Admin\AppData\Local\Temp\CB53.exe
C:\Users\Admin\AppData\Local\Temp\CB53.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:4700

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3816

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:1872

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4004

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3580

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:2320

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1460

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:4908

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1704

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3144

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:4860

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2760

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2496

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18627
3⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 528
2⤵
- Program crash
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1236 -ip 1236
1⤵
PID:2996

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\axe8sharedexpat.dll",s1hbeDlxOFQ=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1464

C:\Users\Admin\AppData\Local\Temp\3FD4.exe
C:\Users\Admin\AppData\Local\Temp\3FD4.exe
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1300
2⤵
- Program crash
PID:2300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1368 -ip 1368
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\AXE8SharedExpat.dll

Filesize
774KB

MD5
e788b1c7457211fd4f2d4981347a40f0

SHA1
92a2c65b44b5e1ff177e79bf2648293e2bf214ab

SHA256
ccd5144a6645658834bb8f87920366fb6099985dcfb8a8b404c1bfc2cb582f52

SHA512
0faede5aefb78c40c4e288a10c4844f95db428fd26bfdda98b342e1a24161ae0bb28717d3264dd0e14d0d49e28d7eeb4db4349c6abea6e43696e47d6a2de8bfa

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\AXE8SharedExpat.dll

Filesize
774KB

MD5
e788b1c7457211fd4f2d4981347a40f0

SHA1
92a2c65b44b5e1ff177e79bf2648293e2bf214ab

SHA256
ccd5144a6645658834bb8f87920366fb6099985dcfb8a8b404c1bfc2cb582f52

SHA512
0faede5aefb78c40c4e288a10c4844f95db428fd26bfdda98b342e1a24161ae0bb28717d3264dd0e14d0d49e28d7eeb4db4349c6abea6e43696e47d6a2de8bfa

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch

Filesize
158B

MD5
dd8778eda0b96d5d71716fbb50300293

SHA1
17b3a49fe039ef5c930801c3a77922b30a61ee69

SHA256
61e06f4deff92e80d1605cb17a0c83604ac6cdb72fb3d4b1e3d0eb7e7bbbf4a0

SHA512
4efee799ddfb3d98a6b402aebed2ec79cfbd1cab200bfad1f95af432b91ce11e0404cd1cdf9f5a46324757c135928cb0ce42197c3021ae506ac6dd047127491b

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\385801debe56bada6928812de45c188a_8329e3af-909b-464f-88cb-23d8b2c5eadf

Filesize
1KB

MD5
866778131242cbcee407fde2c6bf30cc

SHA1
30450f27879769fe9edfce67c0bb6f2a75358913

SHA256
79fd0e728a316291552ada14482d84a963e19514c03df140941473fce89a0b73

SHA512
596be242db539916918317634a370892e3e52b79bd1ac59c0d01243e33a0e156c2f6a0278e32228ef580b9c969288ad904f6532c64535a2321d099c7e0c43463

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\C2RManifest.office32ww.msi.16.x-none.xml

Filesize
331KB

MD5
b5cf5d15a8e6c6f2eb99a5645a2c2336

SHA1
7efe1b634ce1253a6761eb0c54f79dd42b79325f

SHA256
f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c

SHA512
83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

Filesize
843B

MD5
72d7dc9f57f3487a99e2f05c06274c28

SHA1
ba789a0e8174327b30443f5b7131228f4ad40cf0

SHA256
dae20c31fd2cd68389b40f99cb7791c8d79d8d8aca2c417d90713ad6c926471f

SHA512
aa15897d32ee44cbb2a8d9dfbdbf32b7a6885150ca8fb5c715020310385e6f889612f80eb452ec73d444fdf03fef7eb920fe586662c2185c93a695e72d56362c

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
b00e3d36fd46b8ce0c523e03a23e668e

SHA1
148353aaa83b728472f0aab5e7279696966e6946

SHA256
7e1b757b9af39df6767de4f6ec7314c57f3b6a780a9473bad87ece5798edfc32

SHA512
cadf7ddd8ac80c1e1a79c07b61eaee4d6d32c505e266d2f4489f90f4db3aa4db1d20da4625b534e0e8935e523b065377d36e84faa8ad14472227518621996356

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
b00e3d36fd46b8ce0c523e03a23e668e

SHA1
148353aaa83b728472f0aab5e7279696966e6946

SHA256
7e1b757b9af39df6767de4f6ec7314c57f3b6a780a9473bad87ece5798edfc32

SHA512
cadf7ddd8ac80c1e1a79c07b61eaee4d6d32c505e266d2f4489f90f4db3aa4db1d20da4625b534e0e8935e523b065377d36e84faa8ad14472227518621996356

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\telemetry.ASM-WindowsDefault.json

Filesize
146KB

MD5
d054101b077a5d6ee42f48bbe0a98033

SHA1
e27de6db98d496419be668cdbb0d63693353a08a

SHA256
b44915e8ebc59eb07e1571de5dfe8e7ae87aca64b2aa64bd5aaf3ebfe06f72a8

SHA512
364a15229a7563af5657355b3ec6838f1367f89163fa43cf835756d5b3ae7df1fbd6b577d31f275b5030f00255c2a1958c6d88b43e84b283a602931c9af1921b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD4.exe

Filesize
245KB

MD5
50b8f00da97aa0e66bb0a4cc38faa0db

SHA1
b2e38e07ad1d5804c2b5486bf88ead1628f5a37a

SHA256
84d7abfe34e17af782be2251cd70e78f03540265d5907426b4f75f32523c59d6

SHA512
150a30420b6dd18986f14281127736358457ca175e143ce95f599a61c56ccfbc5a5bc773259954c3a74d8351003fba3966a57cf78b4593af7380be813f06bbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FD4.exe

Filesize
245KB

MD5
50b8f00da97aa0e66bb0a4cc38faa0db

SHA1
b2e38e07ad1d5804c2b5486bf88ead1628f5a37a

SHA256
84d7abfe34e17af782be2251cd70e78f03540265d5907426b4f75f32523c59d6

SHA512
150a30420b6dd18986f14281127736358457ca175e143ce95f599a61c56ccfbc5a5bc773259954c3a74d8351003fba3966a57cf78b4593af7380be813f06bbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB53.exe

Filesize
1.0MB

MD5
f861b84ecef1a161c79a91fe8a22f427

SHA1
037a279d9a947949d51c202f9ca606565effe449

SHA256
22ce425034d7cf0f2ed3278fa3db6fea59e73074b4e12f9a19aef325a4d17285

SHA512
c4b2eda206579e85de3f121da96a676a2614e91047902305cd7a70a2f6565ce24e693b172c4bd2deac5b8fd55dfbc8eb18000735b1f16425b75894de2e5f159f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB53.exe

Filesize
1.0MB

MD5
f861b84ecef1a161c79a91fe8a22f427

SHA1
037a279d9a947949d51c202f9ca606565effe449

SHA256
22ce425034d7cf0f2ed3278fa3db6fea59e73074b4e12f9a19aef325a4d17285

SHA512
c4b2eda206579e85de3f121da96a676a2614e91047902305cd7a70a2f6565ce24e693b172c4bd2deac5b8fd55dfbc8eb18000735b1f16425b75894de2e5f159f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\axe8sharedexpat.dll

Filesize
774KB

MD5
e788b1c7457211fd4f2d4981347a40f0

SHA1
92a2c65b44b5e1ff177e79bf2648293e2bf214ab

SHA256
ccd5144a6645658834bb8f87920366fb6099985dcfb8a8b404c1bfc2cb582f52

SHA512
0faede5aefb78c40c4e288a10c4844f95db428fd26bfdda98b342e1a24161ae0bb28717d3264dd0e14d0d49e28d7eeb4db4349c6abea6e43696e47d6a2de8bfa

Download Submit
memory/1236-142-0x0000000004940000-0x0000000004A29000-memory.dmp

Filesize
932KB

Download
memory/1236-143-0x0000000004A40000-0x0000000004B6E000-memory.dmp

Filesize
1.2MB

Download
memory/1236-136-0x0000000000000000-mapping.dmp

Download
memory/1236-144-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/1236-145-0x0000000000400000-0x0000000002C74000-memory.dmp

Filesize
40.5MB

Download
memory/1368-204-0x0000000002EE9000-0x0000000002F03000-memory.dmp

Filesize
104KB

Download
memory/1368-192-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/1368-203-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/1368-189-0x0000000002EE9000-0x0000000002F03000-memory.dmp

Filesize
104KB

Download
memory/1368-175-0x0000000000000000-mapping.dmp

Download
memory/1368-190-0x0000000002E00000-0x0000000002E2A000-memory.dmp

Filesize
168KB

Download
memory/1392-133-0x0000000002CE0000-0x0000000002CE9000-memory.dmp

Filesize
36KB

Download
memory/1392-132-0x0000000002DB8000-0x0000000002DC9000-memory.dmp

Filesize
68KB

Download
memory/1392-135-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/1392-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/1460-205-0x0000000000000000-mapping.dmp

Download
memory/1464-164-0x0000000004BA0000-0x00000000056F5000-memory.dmp

Filesize
11.3MB

Download
memory/1464-165-0x0000000004BA0000-0x00000000056F5000-memory.dmp

Filesize
11.3MB

Download
memory/1464-162-0x0000000000000000-mapping.dmp

Download
memory/1704-215-0x0000000000000000-mapping.dmp

Download
memory/1820-182-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-183-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-231-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-230-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-229-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-221-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-220-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-168-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-167-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-166-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-219-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-218-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-180-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-181-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-139-0x0000000000000000-mapping.dmp

Download
memory/1820-197-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-147-0x0000000005550000-0x00000000060A5000-memory.dmp

Filesize
11.3MB

Download
memory/1820-148-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-146-0x0000000005550000-0x00000000060A5000-memory.dmp

Filesize
11.3MB

Download
memory/1820-169-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-210-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-209-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-150-0x0000000005550000-0x00000000060A5000-memory.dmp

Filesize
11.3MB

Download
memory/1820-208-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-149-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-198-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-207-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-195-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1820-196-0x0000000004CE0000-0x0000000004E20000-memory.dmp

Filesize
1.2MB

Download
memory/1872-185-0x000001A7DB4F0000-0x000001A7DB630000-memory.dmp

Filesize
1.2MB

Download
memory/1872-193-0x000001A7D9A90000-0x000001A7D9D45000-memory.dmp

Filesize
2.7MB

Download
memory/1872-186-0x000001A7DB4F0000-0x000001A7DB630000-memory.dmp

Filesize
1.2MB

Download
memory/1872-187-0x000001A7D9A90000-0x000001A7D9D45000-memory.dmp

Filesize
2.7MB

Download
memory/1872-184-0x00007FF762476890-mapping.dmp

Download
memory/2320-199-0x00007FF762476890-mapping.dmp

Download
memory/2320-201-0x000002E91E5A0000-0x000002E91E6E0000-memory.dmp

Filesize
1.2MB

Download
memory/2320-200-0x000002E91E5A0000-0x000002E91E6E0000-memory.dmp

Filesize
1.2MB

Download
memory/2320-206-0x000002E91E720000-0x000002E91E9D5000-memory.dmp

Filesize
2.7MB

Download
memory/2320-202-0x000002E91E720000-0x000002E91E9D5000-memory.dmp

Filesize
2.7MB

Download
memory/2420-191-0x00000000038B0000-0x0000000004405000-memory.dmp

Filesize
11.3MB

Download
memory/2420-154-0x00000000038B0000-0x0000000004405000-memory.dmp

Filesize
11.3MB

Download
memory/2420-155-0x00000000038B0000-0x0000000004405000-memory.dmp

Filesize
11.3MB

Download
memory/2496-228-0x0000000000000000-mapping.dmp

Download
memory/2760-226-0x0000000000000000-mapping.dmp

Download
memory/3144-216-0x0000000000000000-mapping.dmp

Download
memory/3580-194-0x0000000000000000-mapping.dmp

Download
memory/3816-179-0x0000000000000000-mapping.dmp

Download
memory/4004-188-0x0000000000000000-mapping.dmp

Download
memory/4700-172-0x00000262537F0000-0x0000026253930000-memory.dmp

Filesize
1.2MB

Download
memory/4700-171-0x00000262537F0000-0x0000026253930000-memory.dmp

Filesize
1.2MB

Download
memory/4700-170-0x00007FF762476890-mapping.dmp

Download
memory/4700-178-0x0000026251D90000-0x0000026252045000-memory.dmp

Filesize
2.7MB

Download
memory/4700-174-0x0000026251D90000-0x0000026252045000-memory.dmp

Filesize
2.7MB

Download
memory/4700-173-0x0000000000910000-0x0000000000BB4000-memory.dmp

Filesize
2.6MB

Download
memory/4860-224-0x0000018418CE0000-0x0000018418E20000-memory.dmp

Filesize
1.2MB

Download
memory/4860-223-0x0000018418CE0000-0x0000018418E20000-memory.dmp

Filesize
1.2MB

Download
memory/4860-222-0x00007FF762476890-mapping.dmp

Download
memory/4860-225-0x0000018417280000-0x0000018417535000-memory.dmp

Filesize
2.7MB

Download
memory/4860-227-0x0000018417280000-0x0000018417535000-memory.dmp

Filesize
2.7MB

Download
memory/4908-217-0x000002A09FE50000-0x000002A0A0105000-memory.dmp

Filesize
2.7MB

Download
memory/4908-213-0x000002A09FE50000-0x000002A0A0105000-memory.dmp

Filesize
2.7MB

Download
memory/4908-214-0x000002A0A18D0000-0x000002A0A1A10000-memory.dmp

Filesize
1.2MB

Download
memory/4908-212-0x000002A0A18D0000-0x000002A0A1A10000-memory.dmp

Filesize
1.2MB

Download
memory/4908-211-0x00007FF762476890-mapping.dmp

Download