Malware Analysis Report

2024-11-30 11:29

Sample ID 240227-k59czadf2t
Target sm0k3s.exe
SHA256 be60e274bdefe322071aa6373c39b72361b79104537e8c96c2ad6e2ec5aa1aa2
Tags
lockbit smokeloader backdoor ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be60e274bdefe322071aa6373c39b72361b79104537e8c96c2ad6e2ec5aa1aa2

Threat Level: Known bad

The file sm0k3s.exe was found to be: Known bad.

Malicious Activity Summary

lockbit smokeloader backdoor ransomware spyware stealer trojan

Lockbit

SmokeLoader

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (494) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Task Scheduler COM API

MITRE ATT&CK

No technique mappings are included in this export; the Enterprise Matrix V15 entry in the table of contents has no body.

Analysis: static1

Detonation Overview

Reported

2024-02-27 09:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 09:12

Reported

2024-02-27 09:13

Platform

win11-20240221-en

Max time kernel

72s

Max time network

50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe"

Signatures

Lockbit

ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

The rule match carries no process attribution in this export. The rows that do carry one (Executes dropped EXE, Drops desktop.ini, AdjustPrivilegeToken, WriteProcessMemory) tie the ransomware stage to C:\Users\Admin\AppData\Local\Temp\124.exe (PID 5048) and its helper C:\ProgramData\1BC0.tmp (PID 3956); the submitted sm0k3s.exe is the loader that precedes it.

SmokeLoader

trojan backdoor smokeloader

The submitted sm0k3s.exe (PID 1456) is the loader stage: it targets a 32-bit cmd.exe (PID 4700), writes to its memory six times and sets its thread context (see SetThreadContext and WriteProcessMemory below); the second-stage 124.exe then appears in %TEMP% and is executed. The export does not record which process wrote 124.exe to disk, and PID 3240, which wrote into 124.exe's memory, has no image path in this export.

Renames multiple (494) files with added filename extension

ransomware

The export lists neither the 494 renamed files nor the appended extension. LockBit 3.0 names its ransom note <id>.README.txt and appends .<id> to the files it encrypts, so the note at C:\iBUgUvnWk.README.txt (see Files) points to .iBUgUvnWk; confirm against the renamed files before using that extension as an indicator.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
N/A N/A C:\ProgramData\1BC0.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3594324687-1993884830-4019639329-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\124.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3594324687-1993884830-4019639329-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\124.exe N/A

124.exe opens the Recycle Bin's desktop.ini for modification on both C: and F:, so its file walk covers every mounted volume and does not skip the recycle bin.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\1BC0.tmp N/A

ThreadHideFromDebugger (THREADINFOCLASS 0x11) stops the kernel from passing exceptions raised in the calling thread, breakpoints included, to an attached debugger. Patch the call out before single-stepping 1BC0.tmp, or breakpoints placed in its threads will terminate the process instead of breaking.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1456 set thread context of 4700 N/A C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe C:\Windows\SysWOW64\cmd.exe

Combined with the six WriteProcessMemory calls from PID 1456 into PID 4700 (below), this is the process-hollowing sequence: the loader writes its code into the cmd.exe process and points the thread's instruction pointer at it. The dump memory/4700-19 (0x00400000-0x0040B000) under Files is the region to carve for the injected code.

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cmd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cmd.exe N/A

Two different things are mixed here. The Taskmgr.exe rows read the FriendlyName of the sandbox disk, which Task Manager does on its own to label the disk in its Performance view. The cmd.exe rows open and enumerate Enum\SCSI as a whole; a stock cmd.exe has no reason to, and the only cmd.exe instance carrying injected code is PID 4700, so this is the loader reading disk device identifiers, the usual way to look for a virtualisation vendor string (the sandbox presents its disk as DADY HARDDISK).

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A

No process is attributed to these three Instance keys, so they cannot be tied to the sample from this export alone.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\Taskmgr.exe N/A (14 events)
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A (2 events)
N/A N/A N/A N/A (48 events with no process attributed)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: 36 (LUID left unresolved by the sandbox; LUID 36 is SeDelegateSessionUserImpersonatePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: 33 (LUID left unresolved by the sandbox; LUID 33 is SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A (23 further events, alternating with SeSecurityPrivilege)
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\124.exe N/A (22 further events, alternating with SeBackupPrivilege)

The first run of 124.exe rows (SeAssignPrimaryToken through SeShutdown) is the privilege set it enables once at start-up. The SeBackupPrivilege/SeSecurityPrivilege pairs that follow are re-enabled over and over during the encryption run: SeBackupPrivilege lets a process open any file for reading regardless of its ACL, SeSecurityPrivilege grants access to SACLs and the security log, and together with SeRestorePrivilege and SeTakeOwnershipPrivilege they are what a ransomware needs to reach files the Admin account could not otherwise touch. The three Taskmgr.exe rows are what Task Manager enables for its own process view.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\Taskmgr.exe N/A (64 identical events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\Taskmgr.exe N/A (64 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 4700 (6 events) N/A C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe C:\Windows\SysWOW64\cmd.exe
PID 3240 wrote to memory of 5048 (3 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\124.exe
PID 5048 wrote to memory of 3956 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\124.exe C:\ProgramData\1BC0.tmp
PID 3956 wrote to memory of 3684 (3 events) N/A C:\ProgramData\1BC0.tmp C:\Windows\SysWOW64\cmd.exe

Read as two chains: sm0k3s.exe (1456) -> cmd.exe (4700), the hollowing target; and 3240 -> 124.exe (5048) -> 1BC0.tmp (3956) -> cmd.exe (3684), the ransomware stage and its clean-up. A few writes from a parent into a child it has just created are normal (the parent fills in the child's process parameters); the six writes into 4700 together with the SetThreadContext row above are what marks injection.
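Reconstructing the injection chains from the WriteProcessMemory and SetThreadContext rows, as an added example (not part of the sandbox report or its tooling). The event lines are constructed to mirror the rows as exported, with the PIDs and paths printed above; the `PID A wrote to memory of B` / `PID A set thread context of B` row layout is an assumption about the export format, and the classification labels are the editor's, not the sandbox's.

```python
"""Turn sandbox 'PID A wrote to memory of B' rows into injection chains."""
import re
from collections import defaultdict

# Constructed from the report's WriteProcessMemory and SetThreadContext rows.
# Repeated rows are kept on purpose: the number of writes per pair matters.
EVENTS = r"""
PID 1456 set thread context of 4700 N/A C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe C:\Windows\SysWOW64\cmd.exe
PID 3240 wrote to memory of 5048 N/A N/A C:\Users\Admin\AppData\Local\Temp\124.exe
PID 3240 wrote to memory of 5048 N/A N/A C:\Users\Admin\AppData\Local\Temp\124.exe
PID 3240 wrote to memory of 5048 N/A N/A C:\Users\Admin\AppData\Local\Temp\124.exe
PID 5048 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\124.exe C:\ProgramData\1BC0.tmp
PID 5048 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\124.exe C:\ProgramData\1BC0.tmp
PID 5048 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\124.exe C:\ProgramData\1BC0.tmp
PID 5048 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\124.exe C:\ProgramData\1BC0.tmp
PID 3956 wrote to memory of 3684 N/A C:\ProgramData\1BC0.tmp C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3684 N/A C:\ProgramData\1BC0.tmp C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3684 N/A C:\ProgramData\1BC0.tmp C:\Windows\SysWOW64\cmd.exe
"""

# Assumed row layout: "PID <src> <op> <dst> N/A <src image or N/A> <dst image>".
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(text):
    """Return ({(src, dst): {"writes": n, "set_ctx": n}}, {pid: image path})."""
    edges = defaultdict(lambda: {"writes": 0, "set_ctx": 0})
    images = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # rows without the PID/PID form carry nothing to graph
        src, dst = int(m["src"]), int(m["dst"])
        key = "set_ctx" if m["op"].startswith("set thread") else "writes"
        edges[(src, dst)][key] += 1
        for pid, img in ((src, m["src_img"]), (dst, m["dst_img"])):
            if img != "N/A":
                images[pid] = img
    return dict(edges), images


def classify(edge):
    """Label a writer->target pair by the API mix the sandbox recorded."""
    if edge["set_ctx"] and edge["writes"]:
        return "hollowing/injection: memory writes plus SetThreadContext"
    if edge["writes"]:
        return "memory writes only: consistent with CreateProcess setting up a child; confirm parent PID"
    return "thread context only"


def chains(edges):
    """Follow writer->target edges from every PID that is never itself a target."""
    children, targets = defaultdict(list), set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    result = []
    for root in sorted(pid for pid in children if pid not in targets):
        path, cur = [root], root
        while children.get(cur):
            cur = children[cur][0]  # every writer in this report has a single target
            path.append(cur)
        result.append(path)
    return result


def report(text):
    """One line per writer->target pair, with counts and the classification."""
    edges, images = parse_events(text)
    return [
        f"{src} {images.get(src, '?')} -> {dst} {images.get(dst, '?')}: "
        f"{e['writes']} writes, {e['set_ctx']} SetThreadContext; {classify(e)}"
        for (src, dst), e in sorted(edges.items())
    ]


if __name__ == "__main__":
    print("\n".join(report(EVENTS)))
    for chain in chains(parse_events(EVENTS)[0]):
        print(" -> ".join(str(p) for p in chain))
```

Running it yields two chains, 1456 -> 4700 and 3240 -> 5048 -> 3956 -> 3684, with only the first pair carrying a SetThreadContext call; PID 3240 has no image path because the export never names it.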

Uses Task Scheduler COM API

persistence

No process, task name or task definition is recorded for this hit, so the export gives nothing to pivot on for the persistence mechanism beyond the signature name.

Processes

C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe (PID 1456)

"C:\Users\Admin\AppData\Local\Temp\sm0k3s.exe"

C:\Windows\System32\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

No parent is recorded for Taskmgr.exe in this export. The signature rows attributed to it (EnumeratesProcesses, FindShellTrayWindow, SendNotifyMessage, the SCSI registry reads and the SeDebugPrivilege, SeSystemProfilePrivilege and SeCreateGlobalPrivilege tokens) are the ordinary behaviour of Task Manager's process and performance views; count them against the sample only if the process tree shows the sample launched it.

C:\Windows\SysWOW64\cmd.exe (PID 4700)

"C:\Windows\SysWow64\cmd.exe"

Started without arguments and used as the hollowing target of sm0k3s.exe (see SetThreadContext and WriteProcessMemory).

C:\Users\Admin\AppData\Local\Temp\124.exe (PID 5048)

C:\Users\Admin\AppData\Local\Temp\124.exe

Second stage, the LockBit 3.0 payload. PID 3240 wrote into its memory in the way a parent does when creating a child, but the export records no image path for 3240.

C:\ProgramData\1BC0.tmp (PID 3956)

"C:\ProgramData\1BC0.tmp"

Helper executable dropped and started by 124.exe (Executes dropped EXE and WriteProcessMemory rows); it is the process that calls NtSetInformationThread(ThreadHideFromDebugger).

C:\Windows\SysWOW64\cmd.exe (PID 3684)

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1BC0.tmp >> NUL

Started by 1BC0.tmp to remove the helper from disk; DEL on a still-running image fails, so the helper has to exit before the deletion takes effect. C:\PROGRA~3 is the 8.3 short name for C:\ProgramData, and the System32 path in the command line lands on SysWOW64\cmd.exe because the 32-bit parent is subject to WoW64 file-system redirection. The line is a usable detection point: cmd.exe /C DEL /F /Q of a .tmp under ProgramData with output redirected to NUL.

Network

Country Destination Domain Proto
US 8.8.8.8:53 kkudndkwatnfevcaqeefytqnh.top udp
NL 193.222.96.164:80 kkudndkwatnfevcaqeefytqnh.top tcp

Both rows concern one host: a DNS lookup of kkudndkwatnfevcaqeefytqnh.top through 8.8.8.8, then a plain-HTTP (TCP/80) connection to the resolved address 193.222.96.164 in NL. No process is attributed and the export keeps no HTTP request or response. SmokeLoader talks to its C2 over HTTP and 124.exe is the only new executable that appears on disk, so this host is the likely source of the second stage, pending the captured HTTP transaction.

Files

memory/1456-0-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/1456-1-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/1020-3-0x000001B77A6A0000-0x000001B77A6A1000-memory.dmp

memory/1020-2-0x000001B77A6A0000-0x000001B77A6A1000-memory.dmp

memory/1020-4-0x000001B77A6A0000-0x000001B77A6A1000-memory.dmp

memory/1020-8-0x000001B77A6A0000-0x000001B77A6A1000-memory.dmp

memory/1020-9-0x000001B77A6A0000-0x000001B77A6A1000-memory.dmp

memory/1020-10-0x000001B77A6A0000-0x000001B77A6A1000-memory.dmp

memory/1020-11-0x000001B77A6A0000-0x000001B77A6A1000-memory.dmp

memory/1020-13-0x000001B77A6A0000-0x000001B77A6A1000-memory.dmp

memory/1020-12-0x000001B77A6A0000-0x000001B77A6A1000-memory.dmp

memory/1020-14-0x000001B77A6A0000-0x000001B77A6A1000-memory.dmp

memory/1456-15-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/1456-18-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/4700-19-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1456-20-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/4700-21-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3240-22-0x0000000006930000-0x0000000006946000-memory.dmp

memory/4700-23-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1456-27-0x0000000000400000-0x00000000005F0000-memory.dmp

memory/1456-28-0x0000000000400000-0x00000000005F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\124.exe

MD5 9b7027b10ee698c1588def9cbcdb03d8
SHA1 0804a8a4a2dcb427df8923a5e6647c49ff786f41
SHA256 e4e6567b1861ca066a60c3257baaa5ef495694ca66b87647b36008500c935bcd
SHA512 bf27f03d5cefcc2d6ec4dbc60ffd28255324e08b78dd0b3da5a31a3d578fa718768d826d7e656b2ff626fef8651dbed9b61b4f5b48df5aa81921763552226041

memory/5048-36-0x0000000002950000-0x0000000002960000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3594324687-1993884830-4019639329-1000\AAAAAAAAAAA

MD5 c448a81f1e1699fbf1d1517d3d03db60
SHA1 6358ab4b23f4829ba0461bdf154c0eecd76d707c
SHA256 71acc824e8a616c9b2bca79d837f4264805c841eb626f18d8e1c7a7f00248fda
SHA512 aa4846f155742022523eeef38ae400951ac2201e3b143454dda7e14353a74b8eb855f6b08761356096fe294fbcb046b7bcf17ca35698ceec0ded5d7105e57ce3

memory/5048-93-0x0000000002950000-0x0000000002960000-memory.dmp

C:\iBUgUvnWk.README.txt (LockBit 3.0 ransom note)

MD5 7c3d34a06bb11ab8383e8afa4c60434d
SHA1 f87e16c6e6d36e70f436228aa3244dfb76f7fc2c
SHA256 2639d017985bafc4a1b213f5b9cf9409a16bc4b01ece1952bc4360a03bf3066a
SHA512 7969f6b2b9b5586fedbda52b895704fe2ba31bf7914a04dea790d2787326c66cfb644baf4c913adad22929d4a1e1f3e5d17fc369672f411d857aa456c3ab57bb

F:\$RECYCLE.BIN\S-1-5-21-3594324687-1993884830-4019639329-1000\DDDDDDDDDDD

MD5 3578f5eddd7f64c4e01ef90ce320b348
SHA1 4aac5cbf63b23411e289d0810caa66122435254b
SHA256 d02cb260d6f521674afa893ed4a811e2ee0dd6f22e48fe89c09096669217f8a1
SHA512 6fb1df6e4714197ecc5ec7bcd97019fc4914fa4b125584a87d9a8991b1a2fd8faa75f46010a1e13cf28d74d17d29b875a3fec16970dd615291aeafb77235665a

memory/5048-39-0x0000000002950000-0x0000000002960000-memory.dmp

C:\Users\Admin\AppData\Local\D3DSCache\ecbf0d5a3a180bb\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 4f55be8451c1090c2a54a50d79243cfb
SHA1 f1a94bc446b6ae32300ada858fb251667a17b71d
SHA256 1b8257869915ac04445cb4bfdc0e0fc03db80efb96da98c49e7cbc4097bc28a2
SHA512 b87403fc4ab05cd4dd092d0707cd0dd22f927c65dcf73bce6f6bf2731f0572e089697908eeb377617c9f2531fdb3a495087feafb31871ea9a6f472a45d9d20f6

C:\ProgramData\1BC0.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/3956-2704-0x000000007FE70000-0x000000007FE71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBBBBBB

MD5 c843ba2d931b883740c180182a08c463
SHA1 42c901fb1d581ac5853c193b5c826da41196ff5f
SHA256 07e70eac68c242c0c98cf1a5f38fa76b1a03428927d1851624a5955e2539e9f8
SHA512 ecd0d22a3582223d20210d17d7b9112d123201af5890135ab7c8404afb15b068a3b729b280b0e6dd975cab1bbf6d574c7f30be2b16a4aee97c15db1594a7a46f

memory/3956-2706-0x0000000002740000-0x0000000002750000-memory.dmp

memory/3956-2730-0x000000007FDF0000-0x000000007FDF1000-memory.dmp

memory/3956-2711-0x000000007FE50000-0x000000007FE51000-memory.dmp

memory/3956-2736-0x000000007FE10000-0x000000007FE11000-memory.dmp

memory/3956-2737-0x000000007FE30000-0x000000007FE31000-memory.dmp