Malware Analysis Report

2025-01-02 11:07

Sample ID 240313-284qbsec54
Target 21ce872cb2de555ba869966f19682485.exe
SHA256 129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a
Tags
dcrat djvu smokeloader vidar 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery infostealer persistence ransomware rat stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a

Threat Level: Known bad

The file 21ce872cb2de555ba869966f19682485.exe was found to be: Known bad.

Malicious Activity Summary


DcRat

SmokeLoader

Detect Vidar Stealer

Vidar

Djvu Ransomware

Detected Djvu ransomware

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies system certificate store

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Analysis: static1

Detonation Overview

Reported

2024-03-13 23:16

Signatures

Unsigned PE

(1 event; no indicator details exported)

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 23:16

Reported

2024-03-13 23:18

Platform

win7-20240221-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\82439f1a-f145-4f32-8361-0de21b5d9afc\\86B.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\86B.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Note: every indicator listed under this signature (the SCSI enumeration, the SysHelper Run value written by 86B.exe, the schtasks.exe launch) is also listed under the Djvu persistence and discovery signatures below. Nothing here is specific to DcRat, so treat the DcRat label as a low-confidence classification unless a configuration or C2 artefact for it is recovered.

Detect Vidar Stealer

stealer
(6 events; no indicator details exported)

Detected Djvu ransomware

(15 events; no indicator details exported)

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

(1 event; no indicator details exported)

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\82439f1a-f145-4f32-8361-0de21b5d9afc\\86B.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\86B.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted from this export; written twice) C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe N/A
Note: an AuthRoot\Certificates entry written by the stealer stage at the same time that CryptnetUrlCache files appear in the Files list below is consistent with Windows' automatic root-certificate update being triggered by build2.exe's own HTTPS connections, not with the sample installing a root of its own. Check the thumbprint against the Microsoft trusted root list before reporting this as certificate-store tampering.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A
(62 further events; no indicator details exported)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2648 (3 events) N/A N/A C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2568 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1244 wrote to memory of 2976 (4 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\86B.exe
PID 2976 wrote to memory of 2384 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Users\Admin\AppData\Local\Temp\86B.exe
PID 2384 wrote to memory of 944 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Windows\SysWOW64\icacls.exe
PID 2384 wrote to memory of 2320 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Users\Admin\AppData\Local\Temp\86B.exe
PID 2320 wrote to memory of 1868 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Users\Admin\AppData\Local\Temp\86B.exe
PID 1868 wrote to memory of 1072 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe
PID 1072 wrote to memory of 2136 (11 events) N/A C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe
PID 2136 wrote to memory of 2152 (4 events) N/A C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1868 wrote to memory of 2956 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build3.exe
PID 2956 wrote to memory of 2264 (1 event) N/A C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build3.exe C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build3.exe

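The sandbox emits one WriteProcessMemory row per call, so each parent/child pair repeats and the chain (loader, 86B.exe re-launching itself, build2.exe and build3.exe, WerFault.exe for the crash) has to be read out by hand. The Python below is an added editorial example, not part of the sandbox output: it deduplicates rows of this table into a parent-to-child map, learns each PID's image from the Process and Target columns, and prints the tree. ROWS is a constructed copy of rows from the table above in the raw one-row-per-call layout, with most repeats dropped to keep it short; the function names are the editor's.

```python
"""Rebuild the process tree from a sandbox WriteProcessMemory table.

Editorial example: parsing and tree logic are the editor's, not sandbox code.
ROWS is a constructed copy of rows from the behavioral1 table in this report,
one row per WriteProcessMemory call, with most repeated rows dropped.
"""
import re
from collections import defaultdict

ROWS = r"""
PID 1244 wrote to memory of 2648 N/A N/A C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 2648 N/A N/A C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1244 wrote to memory of 2976 N/A N/A C:\Users\Admin\AppData\Local\Temp\86B.exe
PID 2976 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Users\Admin\AppData\Local\Temp\86B.exe
PID 2384 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Windows\SysWOW64\icacls.exe
PID 2384 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Users\Admin\AppData\Local\Temp\86B.exe
PID 2320 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Users\Admin\AppData\Local\Temp\86B.exe
PID 1868 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe
PID 1072 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe
PID 2136 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1868 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\86B.exe C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build3.exe
PID 2956 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build3.exe C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build3.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(.*)$")


def parse_events(text):
    """Return (children, names, counts).

    children: parent PID -> child PIDs in first-seen order (repeats merged)
    names:    PID -> image path learned from the Process/Target columns
    counts:   (parent, child) -> number of WriteProcessMemory rows seen
    """
    children = defaultdict(list)
    names = {}
    counts = defaultdict(int)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        # Remaining columns: Indicator, Process (the writer), Target (written to).
        _indicator, process, target = m.group(3).split(maxsplit=2)
        counts[(parent, child)] += 1
        if child not in children[parent]:
            children[parent].append(child)
        if process != "N/A":
            names.setdefault(parent, process)
        if target != "N/A":
            names.setdefault(child, target)
    return children, names, counts


def roots(children):
    """PIDs that write into others but are never written into: the tree roots."""
    written_to = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in written_to]


def render(children, names, pid, depth=0):
    """Indented text lines for the subtree under pid."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '<image not in table>')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def pids_for(names, basename):
    """PIDs whose image path ends with the given file name."""
    suffix = "\\" + basename.lower()
    return sorted(p for p, path in names.items() if path.lower().endswith(suffix))


def self_relaunches(children, names):
    """(parent, child) pairs where a process wrote into a new copy of its own image."""
    return [(p, c) for p, kids in children.items() for c in kids
            if p in names and names.get(c) == names[p]]


if __name__ == "__main__":
    ch, nm, ct = parse_events(ROWS)
    for root in roots(ch):
        print("\n".join(render(ch, nm, root)))
    print("self-relaunches:", self_relaunches(ch, nm))
```

The root PID 1244 never appears in a Target column, so the table cannot name it; the only other trace of it in this export is the memory/1244-4 dump in the Files list. The self_relaunches output (86B.exe three times, build2.exe once, build3.exe once) is the pattern that the Djvu, Vidar and build3 stages each follow: a parent starts a copy of itself and writes the real payload into it.
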
Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe

"C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BF0B.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\86B.exe

C:\Users\Admin\AppData\Local\Temp\86B.exe

C:\Users\Admin\AppData\Local\Temp\86B.exe

C:\Users\Admin\AppData\Local\Temp\86B.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\82439f1a-f145-4f32-8361-0de21b5d9afc" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\86B.exe

"C:\Users\Admin\AppData\Local\Temp\86B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\86B.exe

"C:\Users\Admin\AppData\Local\Temp\86B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe

"C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe"

C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe

"C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1416

C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build3.exe

"C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build3.exe"

C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build3.exe

"C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
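
The command lines in this section carry three persistence and anti-recovery techniques worth detecting generically rather than by hash: the icacls call that denies Everyone (S-1-1-0) delete rights on the dropped GUID-named directory so the user cannot remove it, the scheduled task that fires every minute and runs an executable from the roaming profile, and the HKCU Run value with the --AutoStart switch. The Python below is an added editorial example, not part of the sandbox output; the rule names, the five-minute threshold and the benign control lines are the editor's, and the other inputs are copied from this report.

```python
"""Flag persistence and anti-recovery patterns in command lines and Run values.

Editorial example: rules and their names are the editor's, not sandbox output.
Sample inputs are copied from this report plus two constructed benign controls.
"""
import re

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
EVERYONE_SID = "S-1-1-0"


def check_cmdline(cmd):
    """Return the names of every rule the command line trips (empty if none)."""
    hits = []
    low = cmd.lower()

    # icacls denying Everyone the delete rights (DE = delete, DC = delete child)
    # on a directory: makes the dropped payload directory undeletable by the user.
    if ("icacls" in low and "/deny" in low and f"*{EVERYONE_SID}".lower() in low
            and re.search(r"[(,]de[,)]", low)):
        hits.append("icacls-deny-everyone-delete")

    # schtasks creating a task that fires every few minutes and runs something
    # from the user profile (AppData) rather than Program Files or System32.
    if "/create" in low and "/sc minute" in low:
        mo = re.search(r"/mo\s+(\d+)", low)
        tr = re.search(r'/tr\s+"?([^"]+)"?', low)
        if mo and int(mo.group(1)) <= 5 and tr and "\\appdata\\" in tr.group(1):
            hits.append("schtasks-minute-user-path")

    # cmd.exe executing a batch file dropped into %TEMP%.
    if re.search(r'cmd(\.exe)?\s+/c\s+"*[^"]*\\temp\\[^"\\]+\.bat', low):
        hits.append("batch-from-temp")

    # Djvu/STOP relaunch switches seen in this report: a family signature,
    # not a generic rule.
    if "--admin isnotautostart isnottask" in low:
        hits.append("djvu-relaunch-switches")

    return hits


def check_run_value(value_name, data):
    """Rules for a HKCU ...\\CurrentVersion\\Run value; data is the raw value string."""
    hits = []
    low = data.lower()
    if re.search(rf"\\appdata\\local\\{GUID}\\", low):
        hits.append("run-key-guid-directory")
    if "--autostart" in low:
        hits.append("run-key-autostart-switch")
    return hits


# Constructed test set: four lines from this report and two benign controls,
# each mapped to the rules it is expected to trip.
SAMPLES = {
    r'icacls "C:\Users\Admin\AppData\Local\82439f1a-f145-4f32-8361-0de21b5d9afc" /deny *S-1-1-0:(OI)(CI)(DE,DC)':
        ["icacls-deny-everyone-delete"],
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"':
        ["schtasks-minute-user-path"],
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\BF0B.bat" "':
        ["batch-from-temp"],
    r'"C:\Users\Admin\AppData\Local\Temp\86B.exe" --Admin IsNotAutoStart IsNotTask':
        ["djvu-relaunch-switches"],
    r'icacls "C:\Share" /grant Users:(OI)(CI)RX': [],                                   # benign control
    r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"': [],  # benign control
}

# The SysHelper value from the "Adds Run key" signature above.
RUN_VALUE = ("SysHelper",
             r'"C:\Users\Admin\AppData\Local\82439f1a-f145-4f32-8361-0de21b5d9afc\86B.exe" --AutoStart')


def run_samples():
    """Evaluate every sample command line; return {cmdline: hits}."""
    return {cmd: check_cmdline(cmd) for cmd in SAMPLES}


if __name__ == "__main__":
    for cmd, hits in run_samples().items():
        print(hits or "-", cmd)
    print(RUN_VALUE[0], check_run_value(*RUN_VALUE))
```

The icacls rule is the one with the most remediation value: while the deny ACE is in place, deleting the 82439f1a-... directory from the user's own session fails, so cleanup has to run as an administrator or first reset the ACL with icacls /remove:d.
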

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
BA 185.12.79.25:80 sdfjhuz.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 sajdfue.com udp
BA 185.12.79.25:80 sdfjhuz.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
UY 179.27.75.59:80 sajdfue.com tcp
UY 179.27.75.59:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.221.28:80 5.75.221.28 tcp
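
Read as a block list, the table above mixes four different things: DNS queries to the sandbox resolver, the external-IP check against api.2ip.ua, a high-reputation site the stealer stage touched, and the hosts that actually served or received data, one of them by bare IP. The Python below is an added editorial example, not part of the sandbox output: it parses rows in the report's "Country Destination Domain Proto" layout, merges repeats, buckets each endpoint, and produces a flat list of what is worth blocking. The bucket names and the small allowlists are the editor's choice; ROWS is a constructed copy of lines from the behavioral1 and behavioral2 Network tables.

```python
"""Turn a sandbox Network table into a deduplicated, classified IOC list.

Editorial example: classification rules are the editor's, not sandbox output.
ROWS is a constructed copy of lines from the behavioral1 and behavioral2
Network tables in this report.
"""
from collections import defaultdict

ROWS = """\
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
BA 185.12.79.25:80 sdfjhuz.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
PL 79.96.138.166:443 sportessentia.home.pl tcp
BA 185.12.79.25:80 sdfjhuz.com tcp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
UY 179.27.75.59:80 sajdfue.com tcp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.221.28:80 5.75.221.28 tcp
US 8.8.8.8:53 149.150.94.81.in-addr.arpa udp
MO 122.100.154.145:80 sdfjhuz.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Editor's allowlists; extend per environment.
IP_LOOKUP_SERVICES = {"api.2ip.ua"}      # "what is my IP" services the sample queries
PLATFORM_NOISE = {"tse1.mm.bing.net"}    # Windows 10 background traffic
# High-reputation sites that stealers are known to use as dead-drop resolvers:
# keep them in the report for hunting but do not put them on a block list.
DEAD_DROP_CANDIDATES = {"steamcommunity.com"}


def parse_rows(text):
    """Yield (country, ip, port, domain, proto) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def classify(ip, port, domain, proto):
    """Bucket one connection for triage."""
    if proto == "udp" and port == 53:
        return "ptr-lookup" if domain.endswith(".in-addr.arpa") else "dns-query"
    if domain in IP_LOOKUP_SERVICES:
        return "external-ip-lookup"
    if domain in PLATFORM_NOISE:
        return "platform-noise"
    if domain in DEAD_DROP_CANDIDATES:
        return "dead-drop-candidate"
    if domain == ip:
        return "direct-ip-c2"
    return "contacted-host"


def build_iocs(text):
    """Return {bucket: {domain: sorted unique "ip:port" endpoints}} with repeats merged."""
    buckets = defaultdict(lambda: defaultdict(set))
    for _country, ip, port, domain, proto in parse_rows(text):
        bucket = classify(ip, port, domain, proto)
        if bucket in ("dns-query", "ptr-lookup"):
            buckets[bucket][domain]   # record the name only; 8.8.8.8 is the resolver
        else:
            buckets[bucket][domain].add(f"{ip}:{port}")
    return {b: {d: sorted(eps) for d, eps in doms.items()} for b, doms in buckets.items()}


def blocklist(iocs):
    """Flat, sorted list of network indicators worth blocking outright."""
    out = set()
    for bucket in ("contacted-host", "direct-ip-c2"):
        for domain, endpoints in iocs.get(bucket, {}).items():
            out.add(domain)
            out.update(ep.rsplit(":", 1)[0] for ep in endpoints)
    return sorted(out)


if __name__ == "__main__":
    iocs = build_iocs(ROWS)
    for bucket, doms in iocs.items():
        print(bucket)
        for d, eps in doms.items():
            print("  ", d, eps)
    print("blocklist:", blocklist(iocs))
```

Two things the buckets make visible that the raw table does not: sdfjhuz.com resolved to different addresses in the two detonations (185.12.79.25 and 122.100.154.145), so the domain is the durable indicator and the IPs are secondary; and the bare-IP connection to 5.75.221.28 has no DNS query in front of it, which is the connection a DNS-only block would miss.
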

Files

memory/1524-3-0x0000000000400000-0x000000000071E000-memory.dmp

memory/1524-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1524-1-0x0000000000800000-0x0000000000900000-memory.dmp

memory/1524-5-0x0000000000400000-0x000000000071E000-memory.dmp

memory/1244-4-0x0000000002B50000-0x0000000002B66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF0B.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\86B.exe

MD5 fb2eaf21f40a5293bca0032b02b47431
SHA1 27fdf1e18bbe4bbbbc499d9651e53b4a6057958d
SHA256 3b451069548b9a505abbc0a2377cae5d58f4916a5842fb94525cf3053c2f9473
SHA512 1622cfb183bc154da8e4c6cba586931efdd973b9ac09d4dc5ed9485305f655b9436dc7f8f814a91a543ca6d1d8e72d3d69bb1066b2d034ba312497829485a635

memory/2976-26-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2976-27-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2384-33-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\86B.exe

MD5 6d8fb20729b1e5f679e74b232545c7ea
SHA1 eb12f5a4f026eb5fa93336b87040c2ba426b1ef6
SHA256 8461033304bca2e877cc48471951320b5d1d67db26cc7570122cf73379ddf3f4
SHA512 da425d59bd182c817deb81cbedd2587793c90272a6bdbac9d0d3742332d116b703b05046025a9e247e3fed9ab3ff5a4b0ed087a9b5f8252a5b7387c9e96a9e35

memory/2384-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\86B.exe

MD5 89914cbaf74f01d870b15fa4731c8344
SHA1 fb67d4494ae1dee49bb2693631a0353e1f0d2868
SHA256 b869515e69d8a4683c04b0bb0777abd1cd0d67b8b0096a9a16bfa2610b50ac11
SHA512 c84d67ba926c18b7ded385e7c973ac9e10dbb099489a98321ad8a5062e025f3d89ca4427851793d7c9fe4cb844076df15541cc55734f77a8f2da3dd96de0d247

\Users\Admin\AppData\Local\Temp\86B.exe

MD5 6b3cc76f10dddaabb8e7a5438354fa90
SHA1 51daaf2369ed98819cda3f4c4874487dab7eb490
SHA256 e68cb048a19f01170c51d7aa07132534561b98df96c3e8b564940dacedb6b0fc
SHA512 e6aa40b72fdbbadd6295f2dd1d7d4e93033eb20f0b33f6866536fedf9720ab73aa6c18eabc3ef904a03e83927b34dfc3e42a9dbba2534d94e05ea4ea49750b5d

memory/2976-28-0x00000000007A0000-0x00000000008BB000-memory.dmp

memory/2384-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-36-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2384-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2320-62-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2384-61-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2320-65-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/1868-72-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2320-71-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/1868-73-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d04fb44238d521b9d4eaef984eb5e8e4
SHA1 676a5fa4242966eccf09be082064d3f2e3a6b9c3
SHA256 5c1b0e341707970db10bb561da36920bdb14f6885199f1e353d6e80733bf3b88
SHA512 809f7665e1e67aca54583ee3e9f733438f471ebbd341b9073c67983e0c60000ddcd77ca59a01e0100ab7efbafa2e130eb0db9c7c29b93036df7ea89f41575439

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 1b5e10b019e32bc9a3b91a937761d23a
SHA1 c195e9095bc0302048ec82e36a58cfccd898838d
SHA256 7fe09e04c15fc9d9b16951d3a7aef3cef028ddbbb8eabd436ac2b133f3361ed6
SHA512 7d2dbe6e7a0ebe568c51ad6b45a5fbf1efe1eba94236a6fe6d5f79f2d8488635d769fe1fbe5b9626a6946d93bc5661d694941c877471886fb8ba4eabf9d88281

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 add1bbb06c8bc984e8938aa5b2b87699
SHA1 4e5e804954cc0cb4593cff4aa1cacc63de84aba4
SHA256 04d7e1b6ef2aa710e96d680fa7bafb38100d11e3a9bbf5bf40ba8a301fa934b4
SHA512 c4f88e5c802c10650d2ce0ed7e9a387f37c6dea8819bd13e085317ab271e564f68e070fbec04d48f410b52b9e1748254d6fef88209c02746cc136fb83e284c80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4318c9d8a44a979994037d7b8d55e82
SHA1 a8a95922ff2f6df4773b2b9bae6178bffdfc46c3
SHA256 81a7d0ac6cc9891b5da59241485213774b87a935e7bcd51a8f9c2dccb77e1e6c
SHA512 7f2cbe82b6d4ada596c25fbbe79da0acdc9f81cc49c03e00cea0d510dfe960c8eb845e131f7419e8186e528e7baf31320c93ab68a33ee5283ec3a68fde107559

C:\Users\Admin\AppData\Local\Temp\Cab2971.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/1868-88-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1868-89-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1868-93-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1868-95-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1868-96-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1868-97-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1868-98-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build2.exe

MD5 47704f454af8641dac1af2e2768d7881
SHA1 e3341bfdec84f69684aecde18cab2864519c7728
SHA256 a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64
SHA512 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25

memory/1072-111-0x00000000008F0000-0x00000000009F0000-memory.dmp

memory/1072-114-0x0000000000230000-0x0000000000261000-memory.dmp

memory/2136-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2136-116-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2136-119-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2136-120-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar86DD.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar918D.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/2136-160-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2136-181-0x0000000000400000-0x0000000000644000-memory.dmp

memory/1868-205-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\59e095be-a285-4702-84d2-cf4f772df47c\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2956-210-0x0000000000230000-0x0000000000234000-memory.dmp

memory/2956-208-0x0000000000980000-0x0000000000A80000-memory.dmp

memory/2264-211-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2264-216-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2264-218-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2264-213-0x0000000000400000-0x0000000000406000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 23:16

Reported

2024-03-13 23:18

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

(1 event; no indicator details exported)

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A
(62 further events; no indicator details exported)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

(1 event; no indicator details exported)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 3564 (2 events) N/A N/A C:\Windows\system32\cmd.exe
PID 3564 wrote to memory of 4216 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe

"C:\Users\Admin\AppData\Local\Temp\21ce872cb2de555ba869966f19682485.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7CE1.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 149.150.94.81.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
MO 122.100.154.145:80 sdfjhuz.com tcp
US 8.8.8.8:53 145.154.100.122.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4608-1-0x00000000007C0000-0x00000000008C0000-memory.dmp

memory/4608-2-0x00000000007B0000-0x00000000007BB000-memory.dmp

memory/4608-3-0x0000000000400000-0x000000000071E000-memory.dmp

memory/4608-6-0x0000000000400000-0x000000000071E000-memory.dmp

memory/3352-4-0x00000000025B0000-0x00000000025C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7CE1.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155