smokeloader | 4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9

General

Target

4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe
Size

298KB
MD5

03bcdf385ea4c321882e6cff9a84e896
SHA1

4e11e0d1e1e2075fa14d8d469be29b6f30b76a9b
SHA256

4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9
SHA512

2ff95305e58ce85c9fceeedc94f9caa90f15ba498cdee5bec89cf509fa1baf08b5119bda36e62eb6c4b9a9b9acf1634bb14536a3b2e4f10b301ee2af8eac1358
SSDEEP

3072:C6mb6b57eL3ZRGgTl9K7WDk0fGHLY0Y/Q1SbYuQjiMTE5qwria5Zi:C127eL3+gJ9K7WDQLY5jUuQj9Vwria3

Score

10^/10

smokeloader backdoor collection discovery spyware stealer trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3476-133-0x0000000000660000-0x0000000000669000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

47 2168 rundll32.exe
50 2168 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

D258.exeD258.exe

pid process

668 D258.exe
3944 D258.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2168 rundll32.exe
2168 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
47	2168	rundll32.exe
50	2168	rundll32.exe

pid	process
668	D258.exe
3944	D258.exe

pid	process
2168	rundll32.exe
2168	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

D258.exerundll32.exe

description	pid	process	target process
PID 668 set thread context of 3944	668	D258.exe	D258.exe
PID 2168 set thread context of 5000	2168	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000047566b09100054656d7000003a0009000400efbe6b55586c47566b092e000000000000000000000000000000000000000000000000009837ab00540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2596

pid	process
2596

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe

pid	process
3476	4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe
3476	4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596
2596

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2596
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe

pid process

3476 4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe

pid	process
2596

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeDebugPrivilege	2168	rundll32.exe
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596
Token: SeShutdownPrivilege	2596
Token: SeCreatePagefilePrivilege	2596

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2596
2596
2596
2596
2596
2596
2596
2596
2168 rundll32.exe
5000 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2596
2596
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2596

pid	process
2596
2596
2596
2596
2596
2596
2596
2596
2168	rundll32.exe
5000	rundll32.exe

pid	process
2596
2596

pid	process
2596

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

D258.exeD258.exerundll32.exe

description	pid	process	target process
PID 2596 wrote to memory of 668	2596		D258.exe
PID 2596 wrote to memory of 668	2596		D258.exe
PID 2596 wrote to memory of 668	2596		D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 668 wrote to memory of 3944	668	D258.exe	D258.exe
PID 3944 wrote to memory of 2168	3944	D258.exe	rundll32.exe
PID 3944 wrote to memory of 2168	3944	D258.exe	rundll32.exe
PID 3944 wrote to memory of 2168	3944	D258.exe	rundll32.exe
PID 2168 wrote to memory of 5000	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 5000	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 5004	2168	rundll32.exe	schtasks.exe
PID 2168 wrote to memory of 5004	2168	rundll32.exe	schtasks.exe
PID 2168 wrote to memory of 5004	2168	rundll32.exe	schtasks.exe
PID 2168 wrote to memory of 5000	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 996	2168	rundll32.exe	schtasks.exe
PID 2168 wrote to memory of 996	2168	rundll32.exe	schtasks.exe
PID 2168 wrote to memory of 996	2168	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe
"C:\Users\Admin\AppData\Local\Temp\4adacd1bf1d4df2f34791f8b421ee0a55c19bb2860ab980cf5573720cb8ef6e9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3476

C:\Users\Admin\AppData\Local\Temp\D258.exe
C:\Users\Admin\AppData\Local\Temp\D258.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Local\Temp\D258.exe
C:\Users\Admin\AppData\Local\Temp\D258.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll,start
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2168

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24025
4⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5000

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:5004

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D258.exe
Filesize
3.7MB

MD5
d2e46cd2155c24077205b0c90480f601

SHA1
21f590fbc5308e1a0bc9c5f220557e232ffff4d8

SHA256
c16af4812b7202c891e80b29c8b22676b175abe5239d000426f49648bf1a24d6

SHA512
a2da09e6f54b1098b9562bd84052c64384d8ae55b0428c9641d923e6924fa9b36dd940675d975a1cd59e2f13dbf22e34b4177f3a3ebe43dc34967b1c86451c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D258.exe
Filesize
3.7MB

MD5
d2e46cd2155c24077205b0c90480f601

SHA1
21f590fbc5308e1a0bc9c5f220557e232ffff4d8

SHA256
c16af4812b7202c891e80b29c8b22676b175abe5239d000426f49648bf1a24d6

SHA512
a2da09e6f54b1098b9562bd84052c64384d8ae55b0428c9641d923e6924fa9b36dd940675d975a1cd59e2f13dbf22e34b4177f3a3ebe43dc34967b1c86451c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D258.exe
Filesize
3.7MB

MD5
d2e46cd2155c24077205b0c90480f601

SHA1
21f590fbc5308e1a0bc9c5f220557e232ffff4d8

SHA256
c16af4812b7202c891e80b29c8b22676b175abe5239d000426f49648bf1a24d6

SHA512
a2da09e6f54b1098b9562bd84052c64384d8ae55b0428c9641d923e6924fa9b36dd940675d975a1cd59e2f13dbf22e34b4177f3a3ebe43dc34967b1c86451c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
96c46951eba7c6fb8034212f239d02af

SHA1
23d53413a24a23d297d34440cdf6ee37d53666e7

SHA256
95dea5e65548a17b9a8d81e6e5776b5fc5e6786a714f4498f6f1047cfcb79a3d

SHA512
b15c64850a3696aaa0d8fcc770276035a97675fb2c76e0fa762a966f2d567b9d15dfd4aa17d6a4bd20a434dd6e2faf8c11ea9c6d9118dc2a8ad521928b35d613

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
96c46951eba7c6fb8034212f239d02af

SHA1
23d53413a24a23d297d34440cdf6ee37d53666e7

SHA256
95dea5e65548a17b9a8d81e6e5776b5fc5e6786a714f4498f6f1047cfcb79a3d

SHA512
b15c64850a3696aaa0d8fcc770276035a97675fb2c76e0fa762a966f2d567b9d15dfd4aa17d6a4bd20a434dd6e2faf8c11ea9c6d9118dc2a8ad521928b35d613

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
96c46951eba7c6fb8034212f239d02af

SHA1
23d53413a24a23d297d34440cdf6ee37d53666e7

SHA256
95dea5e65548a17b9a8d81e6e5776b5fc5e6786a714f4498f6f1047cfcb79a3d

SHA512
b15c64850a3696aaa0d8fcc770276035a97675fb2c76e0fa762a966f2d567b9d15dfd4aa17d6a4bd20a434dd6e2faf8c11ea9c6d9118dc2a8ad521928b35d613

Download Submit
memory/668-136-0x0000000000000000-mapping.dmp

Download
memory/668-139-0x00000000023F3000-0x000000000276B000-memory.dmp

Filesize
3.5MB

Download
memory/668-140-0x0000000002870000-0x0000000002D46000-memory.dmp

Filesize
4.8MB

Download
memory/996-168-0x0000000000000000-mapping.dmp

Download
memory/2168-159-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/2168-161-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/2168-167-0x0000000003860000-0x00000000043AE000-memory.dmp

Filesize
11.3MB

Download
memory/2168-160-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/2168-146-0x0000000000000000-mapping.dmp

Download
memory/2168-157-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/2168-156-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/2168-155-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/2168-154-0x0000000003860000-0x00000000043AE000-memory.dmp

Filesize
11.3MB

Download
memory/2168-151-0x0000000002330000-0x000000000276C000-memory.dmp

Filesize
4.2MB

Download
memory/2168-152-0x0000000003860000-0x00000000043AE000-memory.dmp

Filesize
11.3MB

Download
memory/2168-153-0x0000000003860000-0x00000000043AE000-memory.dmp

Filesize
11.3MB

Download
memory/3476-135-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3476-133-0x0000000000660000-0x0000000000669000-memory.dmp

Filesize
36KB

Download
memory/3476-132-0x00000000006CE000-0x00000000006E3000-memory.dmp

Filesize
84KB

Download
memory/3476-134-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3944-144-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3944-141-0x0000000000000000-mapping.dmp

Download
memory/3944-147-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3944-145-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3944-142-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/5000-162-0x00007FF7C8116890-mapping.dmp

Download
memory/5000-164-0x00000000009E0000-0x0000000000C71000-memory.dmp

Filesize
2.6MB

Download
memory/5000-165-0x0000025308CA0000-0x0000025308DE0000-memory.dmp

Filesize
1.2MB

Download
memory/5000-166-0x0000025308E10000-0x00000253090B3000-memory.dmp

Filesize
2.6MB

Download
memory/5000-163-0x0000025308CA0000-0x0000025308DE0000-memory.dmp

Filesize
1.2MB

Download
memory/5000-169-0x0000025308E10000-0x00000253090B3000-memory.dmp

Filesize
2.6MB

Download
memory/5004-158-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads