smokeloader | 1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c

General

Target

1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe
Size

167KB
MD5

03756e19b1250c70f33c90351c216642
SHA1

e3fd6cf609a3521b4e26772857241e6f198191c7
SHA256

1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c
SHA512

7e49243e41b648155a13b2968ee06b58af04dc57c43d0c90ef754aa9b6ce424f000757acefa2474baeceb178ef5c3878d3f9e3be90f3148c9d2e4662efa9243a
SSDEEP

3072:5KrZHC1uxYTQNzCpesKxRIWQ8N4TmyFJhAqX:5UZHC1bTCzCMrE8NoAq

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4156-122-0x0000000000700000-0x0000000000709000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

32 4344 rundll32.exe
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

pid process

2804
Executes dropped EXE 1 IoCs

Processes:

F1E6.exe

pid process

4480 F1E6.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4344 rundll32.exe
4344 rundll32.exe

flow	pid	process
32	4344	rundll32.exe

pid	process
2804

pid	process
4480	F1E6.exe

pid	process
4344	rundll32.exe
4344	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4344 set thread context of 4640	4344	rundll32.exe	rundll32.exe
PID 4344 set thread context of 2312	4344	rundll32.exe	rundll32.exe
PID 4344 set thread context of 4420	4344	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 54 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000055566f49100054656d7000003a0009000400efbe5456f99355566f492e0000000000000000000000000000000000000000000000000008132d01540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2804

pid	process
2804

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe

pid	process
4156	1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe
4156	1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804
2804

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2804
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe

pid process

4156 1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe

pid	process
2804

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804
Token: SeShutdownPrivilege	2804
Token: SeCreatePagefilePrivilege	2804

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4640 rundll32.exe
2312 rundll32.exe
4420 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2804
2804

pid	process
4640	rundll32.exe
2312	rundll32.exe
4420	rundll32.exe

pid	process
2804
2804

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

F1E6.exerundll32.exe

description	pid	process	target process
PID 2804 wrote to memory of 4480	2804		F1E6.exe
PID 2804 wrote to memory of 4480	2804		F1E6.exe
PID 2804 wrote to memory of 4480	2804		F1E6.exe
PID 4480 wrote to memory of 4344	4480	F1E6.exe	rundll32.exe
PID 4480 wrote to memory of 4344	4480	F1E6.exe	rundll32.exe
PID 4480 wrote to memory of 4344	4480	F1E6.exe	rundll32.exe
PID 4344 wrote to memory of 4640	4344	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 4640	4344	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 4640	4344	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 2312	4344	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 2312	4344	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 2312	4344	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 4420	4344	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 4420	4344	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 4420	4344	rundll32.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe
"C:\Users\Admin\AppData\Local\Temp\1c014efbbeaf1876a4268402d5f99add8038fbaf144541a651cb4655b242b68c.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4156

C:\Users\Admin\AppData\Local\Temp\F1E6.exe
C:\Users\Admin\AppData\Local\Temp\F1E6.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qruhaepdediwhf.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30852
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4640

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30852
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2312

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30852
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
Filesize
403KB

MD5
b4d3016a1cccde90a62b685149c832f9

SHA1
5d6c4ba3474e6544bd24343da564e90bba89f6f7

SHA256
df6afa046a72bb55e8984cf9e2870dc62112e4b81d4fef5a94c98e1c4386e373

SHA512
abf5e15b40fa03eb9390854199b9feaf0132aac756c5f07d45c81f58c8b4d909833a996a19ccfef7abb905ddb9206591b1eda49a4674bc75a7c5a9c6372590e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1E6.exe
Filesize
4.7MB

MD5
c176beec7f2220954469193969c3bcf9

SHA1
f811f77f5b53c13a06b43b10eb6189513f66d2a2

SHA256
e4f5ee78cf7f8147ab5d5286f4af31dc94cfced6913f3f5f5dad8d87a8cbca7c

SHA512
d573b1dcd9a41fbd9699abe28e0eb3bac4b4eab371de5e6fbef95238286d9e0a1e5a895e91bf5e623ae5eb5012881b973fd873f2c1fa27f9ddcb5438deb28439

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1E6.exe
Filesize
4.7MB

MD5
c176beec7f2220954469193969c3bcf9

SHA1
f811f77f5b53c13a06b43b10eb6189513f66d2a2

SHA256
e4f5ee78cf7f8147ab5d5286f4af31dc94cfced6913f3f5f5dad8d87a8cbca7c

SHA512
d573b1dcd9a41fbd9699abe28e0eb3bac4b4eab371de5e6fbef95238286d9e0a1e5a895e91bf5e623ae5eb5012881b973fd873f2c1fa27f9ddcb5438deb28439

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qruhaepdediwhf.dll
Filesize
5.5MB

MD5
2686490f407761c8c3dec8861c101123

SHA1
fb36de492578ce6b53344c0226f84c7fb071f8d8

SHA256
af98c45fb55c92306125c2ddce755af13ba7f288508afd587a64e5e8633f26d5

SHA512
02db12031e44067a4f054a2a58276343d259737a78d0066d444e2438d7bccdcaf36421342471e277ef13e4810d474742b800ca345b59fe8c8d80b0fa4cdadc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1172_1236540652\CRX_INSTALL\_locales\fi\messages.json
Filesize
568B

MD5
e5bbe7dbbe75f45bdcd49db8c797106e

SHA1
0f069d7d19768180945f0d8b67dc71262fd586a2

SHA256
bffb2248b4c66306133fa6ecbb1541f44b3be22cc8d9a338d690e0b1d0c85532

SHA512
f6fe20b7a3b99bdbbf6f4737c8c63fe3098f060e6791bc40ed0e95fa5f93aa55c2643766ea2be099e42ec378cb6e4b6fe7b5f2da56c03a6a990b94a1f872b825

Download Submit
\Users\Admin\AppData\Local\Temp\Qruhaepdediwhf.dll
Filesize
5.5MB

MD5
2686490f407761c8c3dec8861c101123

SHA1
fb36de492578ce6b53344c0226f84c7fb071f8d8

SHA256
af98c45fb55c92306125c2ddce755af13ba7f288508afd587a64e5e8633f26d5

SHA512
02db12031e44067a4f054a2a58276343d259737a78d0066d444e2438d7bccdcaf36421342471e277ef13e4810d474742b800ca345b59fe8c8d80b0fa4cdadc3c

Download Submit
\Users\Admin\AppData\Local\Temp\Qruhaepdediwhf.dll
Filesize
5.5MB

MD5
2686490f407761c8c3dec8861c101123

SHA1
fb36de492578ce6b53344c0226f84c7fb071f8d8

SHA256
af98c45fb55c92306125c2ddce755af13ba7f288508afd587a64e5e8633f26d5

SHA512
02db12031e44067a4f054a2a58276343d259737a78d0066d444e2438d7bccdcaf36421342471e277ef13e4810d474742b800ca345b59fe8c8d80b0fa4cdadc3c

Download Submit
memory/2312-221-0x00007FFD1B7C0000-0x00007FFD1B7C1000-memory.dmp

Filesize
4KB

Download
memory/2312-229-0x00000190C5760000-0x00000190C5A0B000-memory.dmp

Filesize
2.7MB

Download
memory/2312-225-0x00000190C5760000-0x00000190C5A0B000-memory.dmp

Filesize
2.7MB

Download
memory/2312-224-0x00000190C5760000-0x00000190C5A0B000-memory.dmp

Filesize
2.7MB

Download
memory/2312-223-0x00000190C71E0000-0x00000190C7320000-memory.dmp

Filesize
1.2MB

Download
memory/2312-222-0x00000190C71E0000-0x00000190C7320000-memory.dmp

Filesize
1.2MB

Download
memory/2804-123-0x0000000000680000-0x0000000000696000-memory.dmp

Filesize
88KB

Download
memory/4156-124-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/4156-122-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/4344-192-0x0000000006010000-0x0000000006150000-memory.dmp

Filesize
1.2MB

Download
memory/4344-157-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-161-0x0000000004210000-0x0000000004797000-memory.dmp

Filesize
5.5MB

Download
memory/4344-159-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-178-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-180-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/4344-179-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-182-0x0000000006010000-0x0000000006150000-memory.dmp

Filesize
1.2MB

Download
memory/4344-181-0x0000000006010000-0x0000000006150000-memory.dmp

Filesize
1.2MB

Download
memory/4344-183-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-185-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-186-0x0000000006010000-0x0000000006150000-memory.dmp

Filesize
1.2MB

Download
memory/4344-188-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-189-0x0000000006010000-0x0000000006150000-memory.dmp

Filesize
1.2MB

Download
memory/4344-190-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/4344-191-0x0000000006010000-0x0000000006150000-memory.dmp

Filesize
1.2MB

Download
memory/4344-158-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download
memory/4344-193-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-235-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-234-0x0000000006010000-0x0000000006150000-memory.dmp

Filesize
1.2MB

Download
memory/4344-233-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-231-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-226-0x0000000004210000-0x0000000004797000-memory.dmp

Filesize
5.5MB

Download
memory/4344-144-0x0000000004210000-0x0000000004797000-memory.dmp

Filesize
5.5MB

Download
memory/4344-200-0x0000000004210000-0x0000000004797000-memory.dmp

Filesize
5.5MB

Download
memory/4344-145-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/4344-156-0x0000000004210000-0x0000000004797000-memory.dmp

Filesize
5.5MB

Download
memory/4344-160-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-208-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-210-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-211-0x0000000006010000-0x0000000006150000-memory.dmp

Filesize
1.2MB

Download
memory/4344-212-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4344-214-0x0000000006010000-0x0000000006150000-memory.dmp

Filesize
1.2MB

Download
memory/4344-215-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4344-216-0x0000000006010000-0x0000000006150000-memory.dmp

Filesize
1.2MB

Download
memory/4344-217-0x0000000006010000-0x0000000006150000-memory.dmp

Filesize
1.2MB

Download
memory/4344-218-0x0000000005310000-0x0000000005E65000-memory.dmp

Filesize
11.3MB

Download
memory/4420-248-0x000001C9A4040000-0x000001C9A42EB000-memory.dmp

Filesize
2.7MB

Download
memory/4480-136-0x0000000000400000-0x0000000000AE7000-memory.dmp

Filesize
6.9MB

Download
memory/4480-138-0x0000000000400000-0x0000000000AE7000-memory.dmp

Filesize
6.9MB

Download
memory/4480-140-0x0000000000400000-0x0000000000AE7000-memory.dmp

Filesize
6.9MB

Download
memory/4480-137-0x0000000002DE0000-0x00000000034BA000-memory.dmp

Filesize
6.9MB

Download
memory/4480-135-0x0000000002DE0000-0x00000000034BA000-memory.dmp

Filesize
6.9MB

Download
memory/4640-199-0x000001DFD1CA0000-0x000001DFD1F4B000-memory.dmp

Filesize
2.7MB

Download
memory/4640-198-0x000001DFD3560000-0x000001DFD36A0000-memory.dmp

Filesize
1.2MB

Download
memory/4640-197-0x000001DFD3560000-0x000001DFD36A0000-memory.dmp

Filesize
1.2MB

Download
memory/4640-196-0x00007FFD1B7C0000-0x00007FFD1B7C1000-memory.dmp

Filesize
4KB

Download
memory/4640-206-0x000001DFD1CA0000-0x000001DFD1F4B000-memory.dmp

Filesize
2.7MB

Download
memory/4640-201-0x0000000000840000-0x0000000000AD9000-memory.dmp

Filesize
2.6MB

Download
memory/4640-202-0x000001DFD1CA0000-0x000001DFD1F4B000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads