Malware Analysis Report

2024-11-15 05:59

Sample ID 240404-xsp5safe9y
Target 12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb
SHA256 12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb
Tags
smokeloader rhadamanthys kev backdoor collection stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb

Threat Level: Known bad

The file 12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb was found to be: Known bad.

Malicious Activity Summary

smokeloader rhadamanthys kev backdoor collection stealer trojan

SmokeLoader

Smokeloader family

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Executes dropped EXE

Deletes itself

Accesses Microsoft Outlook profiles

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

outlook_office_path

outlook_win_path

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 19:07

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 19:07

Reported

2024-04-04 19:09

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2872 created 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\system32\sihost.exe

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A
(62 further events with no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A
(18 further events with no description, indicator, process or target recorded)

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3472 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe
PID 3472 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe
PID 3472 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe
PID 3472 wrote to memory of 3628 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 3628 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 3628 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 3628 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 3784 | N/A | N/A | C:\Windows\explorer.exe
PID 3472 wrote to memory of 3784 | N/A | N/A | C:\Windows\explorer.exe
PID 3472 wrote to memory of 3784 | N/A | N/A | C:\Windows\explorer.exe
PID 3472 wrote to memory of 1444 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 1444 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 1444 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 1444 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 2872 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\SysWOW64\dialer.exe
PID 2872 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\SysWOW64\dialer.exe
PID 2872 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\SysWOW64\dialer.exe
PID 2872 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\SysWOW64\dialer.exe
PID 2872 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\SysWOW64\dialer.exe
PID 3472 wrote to memory of 4596 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 4596 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 4596 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 4596 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 4884 | N/A | N/A | C:\Windows\explorer.exe
PID 3472 wrote to memory of 4884 | N/A | N/A | C:\Windows\explorer.exe
PID 3472 wrote to memory of 4884 | N/A | N/A | C:\Windows\explorer.exe
PID 3472 wrote to memory of 2296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 2296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 2296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 2296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 400 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 400 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 400 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 400 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 5076 | N/A | N/A | C:\Windows\explorer.exe
PID 3472 wrote to memory of 5076 | N/A | N/A | C:\Windows\explorer.exe
PID 3472 wrote to memory of 5076 | N/A | N/A | C:\Windows\explorer.exe
PID 3472 wrote to memory of 4252 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 4252 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 4252 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3472 wrote to memory of 4252 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe

"C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe"

C:\Users\Admin\AppData\Local\Temp\976D.exe

C:\Users\Admin\AppData\Local\Temp\976D.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | atillapro.com | udp
NL | 94.156.65.121:80 | atillapro.com | tcp
US | 8.8.8.8:53 | 121.65.156.94.in-addr.arpa | udp
NL | 94.156.65.121:80 | atillapro.com | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp

Files

memory/2452-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3472-1-0x0000000007C30000-0x0000000007C46000-memory.dmp

memory/2452-2-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\976D.exe

MD5 08e5f1243ad4970745975b27b6e2f9fa
SHA1 83b1a8939bd4e2ea5677d8742edd1a697edd196b
SHA256 05074675b07feb8e7556c5af449f5e677e0fabfb09b135971afbb11743bf3165
SHA512 d01f83c4c35e6049544d71037b3d8db29cf177e232839c684e2943899e7e891d0e30d996ddb0af58f760ac34dd8fc6acee7338b52b3fda5f17c892f7498d2280

memory/2872-15-0x0000000000400000-0x000000000048B000-memory.dmp

memory/3628-17-0x0000000001070000-0x00000000010DB000-memory.dmp

memory/3628-18-0x00000000010E0000-0x0000000001155000-memory.dmp

memory/3628-19-0x0000000001070000-0x00000000010DB000-memory.dmp

memory/3784-41-0x0000000000F90000-0x0000000000F9C000-memory.dmp

memory/3784-43-0x0000000000F90000-0x0000000000F9C000-memory.dmp

memory/3784-42-0x0000000001070000-0x00000000010DB000-memory.dmp

memory/3628-44-0x0000000001070000-0x00000000010DB000-memory.dmp

memory/2872-45-0x00000000032D0000-0x00000000036D0000-memory.dmp

memory/2872-47-0x00000000032D0000-0x00000000036D0000-memory.dmp

memory/2872-48-0x00007FFA19190000-0x00007FFA19385000-memory.dmp

memory/1444-49-0x0000000000430000-0x000000000043B000-memory.dmp

memory/2872-50-0x00000000032D0000-0x00000000036D0000-memory.dmp

memory/1444-53-0x00000000032D0000-0x00000000036D0000-memory.dmp

memory/1444-54-0x0000000000430000-0x000000000043B000-memory.dmp

memory/4028-55-0x00000000006C0000-0x00000000006C9000-memory.dmp

memory/2872-52-0x0000000075780000-0x0000000075995000-memory.dmp

memory/2872-56-0x0000000000400000-0x000000000048B000-memory.dmp

memory/4028-58-0x00000000023B0000-0x00000000027B0000-memory.dmp

memory/4028-59-0x00000000023B0000-0x00000000027B0000-memory.dmp

memory/4028-60-0x00007FFA19190000-0x00007FFA19385000-memory.dmp

memory/4028-63-0x0000000075780000-0x0000000075995000-memory.dmp

memory/4028-61-0x00000000023B0000-0x00000000027B0000-memory.dmp

memory/4596-64-0x0000000001170000-0x000000000117B000-memory.dmp

memory/4596-65-0x0000000001180000-0x0000000001187000-memory.dmp

memory/4596-66-0x0000000001170000-0x000000000117B000-memory.dmp

memory/4028-67-0x00000000023B0000-0x00000000027B0000-memory.dmp

memory/4884-68-0x0000000000DA0000-0x0000000000DAF000-memory.dmp

memory/4884-69-0x0000000000DA0000-0x0000000000DAF000-memory.dmp

memory/2296-70-0x0000000000660000-0x0000000000687000-memory.dmp

memory/2296-71-0x0000000000660000-0x0000000000687000-memory.dmp

memory/2296-73-0x0000000000DA0000-0x0000000000DAF000-memory.dmp

memory/400-75-0x0000000000590000-0x000000000059B000-memory.dmp

memory/400-76-0x0000000000660000-0x0000000000687000-memory.dmp

memory/400-77-0x0000000000590000-0x000000000059B000-memory.dmp

memory/5076-79-0x0000000000FE0000-0x0000000000FE7000-memory.dmp

memory/5076-80-0x0000000000FD0000-0x0000000000FDD000-memory.dmp

memory/5076-78-0x0000000000FD0000-0x0000000000FDD000-memory.dmp

memory/4252-81-0x0000000001080000-0x000000000108B000-memory.dmp

memory/4252-82-0x0000000000FD0000-0x0000000000FDD000-memory.dmp

memory/4252-83-0x0000000001080000-0x000000000108B000-memory.dmp

memory/4596-84-0x0000000001180000-0x0000000001187000-memory.dmp

memory/4884-85-0x0000000001170000-0x000000000117B000-memory.dmp

memory/5076-90-0x0000000000FE0000-0x0000000000FE7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 19:07

Reported

2024-04-04 19:10

Platform

win11-20240221-en

Max time kernel

162s

Max time network

159s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1396 created 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\system32\sihost.exe

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A
(62 further events with no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A
(18 further events with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3160 wrote to memory of 1396 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe
PID 3160 wrote to memory of 1396 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe
PID 3160 wrote to memory of 1396 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe
PID 3160 wrote to memory of 2732 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 2732 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 2732 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 2732 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 1148 | N/A | N/A | C:\Windows\explorer.exe
PID 3160 wrote to memory of 1148 | N/A | N/A | C:\Windows\explorer.exe
PID 3160 wrote to memory of 1148 | N/A | N/A | C:\Windows\explorer.exe
PID 3160 wrote to memory of 3296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 3296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 3296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 3296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 1032 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 1032 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 1032 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 1032 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 1396 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\SysWOW64\dialer.exe
PID 1396 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\SysWOW64\dialer.exe
PID 1396 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\SysWOW64\dialer.exe
PID 1396 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\SysWOW64\dialer.exe
PID 1396 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\SysWOW64\dialer.exe
PID 3160 wrote to memory of 476 | N/A | N/A | C:\Windows\explorer.exe
PID 3160 wrote to memory of 476 | N/A | N/A | C:\Windows\explorer.exe
PID 3160 wrote to memory of 476 | N/A | N/A | C:\Windows\explorer.exe
PID 3160 wrote to memory of 4452 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 4452 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 4452 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 4452 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 5088 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 5088 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 5088 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 5088 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 1468 | N/A | N/A | C:\Windows\explorer.exe
PID 3160 wrote to memory of 1468 | N/A | N/A | C:\Windows\explorer.exe
PID 3160 wrote to memory of 1468 | N/A | N/A | C:\Windows\explorer.exe
PID 3160 wrote to memory of 3784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 3784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 3784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 3784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe

"C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe"

C:\Users\Admin\AppData\Local\Temp\5946.exe

C:\Users\Admin\AppData\Local\Temp\5946.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | atillapro.com | udp
NL | 94.156.65.121:80 | atillapro.com | tcp

Files

memory/2924-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3160-1-0x00000000024D0000-0x00000000024E6000-memory.dmp

memory/2924-2-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5946.exe

MD5 08e5f1243ad4970745975b27b6e2f9fa
SHA1 83b1a8939bd4e2ea5677d8742edd1a697edd196b
SHA256 05074675b07feb8e7556c5af449f5e677e0fabfb09b135971afbb11743bf3165
SHA512 d01f83c4c35e6049544d71037b3d8db29cf177e232839c684e2943899e7e891d0e30d996ddb0af58f760ac34dd8fc6acee7338b52b3fda5f17c892f7498d2280

memory/1396-15-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2732-18-0x0000000000510000-0x000000000057B000-memory.dmp

memory/2732-19-0x0000000000510000-0x000000000057B000-memory.dmp

memory/2732-17-0x0000000000580000-0x00000000005F5000-memory.dmp

memory/1148-42-0x0000000000160000-0x0000000000167000-memory.dmp

memory/2732-43-0x0000000000510000-0x000000000057B000-memory.dmp

memory/1148-41-0x0000000000150000-0x000000000015C000-memory.dmp

memory/1148-44-0x0000000000150000-0x000000000015C000-memory.dmp

memory/3296-45-0x0000000001040000-0x000000000104A000-memory.dmp

memory/3296-46-0x0000000001030000-0x000000000103B000-memory.dmp

memory/3296-47-0x0000000001030000-0x000000000103B000-memory.dmp

memory/1396-48-0x00000000034D0000-0x00000000038D0000-memory.dmp

memory/1396-49-0x00000000034D0000-0x00000000038D0000-memory.dmp

memory/1032-51-0x0000000001270000-0x000000000127B000-memory.dmp

memory/1032-52-0x0000000001280000-0x0000000001287000-memory.dmp

memory/1396-50-0x00000000034D0000-0x00000000038D0000-memory.dmp

memory/1032-53-0x0000000001270000-0x000000000127B000-memory.dmp

memory/1396-54-0x00007FFEE14E0000-0x00007FFEE16E9000-memory.dmp

memory/1396-55-0x00000000034D0000-0x00000000038D0000-memory.dmp

memory/1396-57-0x00000000759B0000-0x0000000075C02000-memory.dmp

memory/2388-58-0x0000000000E80000-0x0000000000E89000-memory.dmp

memory/1396-60-0x0000000000400000-0x000000000048B000-memory.dmp

memory/476-62-0x00000000001E0000-0x00000000001EF000-memory.dmp

memory/2388-61-0x00007FFEE14E0000-0x00007FFEE16E9000-memory.dmp

memory/2388-64-0x0000000002E90000-0x0000000003290000-memory.dmp

memory/476-65-0x0000000002E90000-0x0000000003290000-memory.dmp

memory/476-67-0x00000000001E0000-0x00000000001EF000-memory.dmp

memory/2388-63-0x0000000002E90000-0x0000000003290000-memory.dmp

memory/2388-69-0x00007FFEE14E0000-0x00007FFEE16E9000-memory.dmp

memory/2388-71-0x0000000002E90000-0x0000000003290000-memory.dmp

memory/2388-70-0x00000000759B0000-0x0000000075C02000-memory.dmp

memory/4452-73-0x0000000000600000-0x0000000000621000-memory.dmp

memory/4452-74-0x00000000003C0000-0x00000000003E7000-memory.dmp

memory/4452-72-0x00000000003C0000-0x00000000003E7000-memory.dmp

memory/2388-76-0x0000000002E90000-0x0000000003290000-memory.dmp

memory/2388-77-0x00007FFEE14E0000-0x00007FFEE16E9000-memory.dmp

memory/5088-80-0x0000000000530000-0x000000000053B000-memory.dmp

memory/5088-79-0x0000000000540000-0x0000000000546000-memory.dmp

memory/1468-81-0x0000000000100000-0x000000000010D000-memory.dmp

memory/1468-82-0x0000000000100000-0x000000000010D000-memory.dmp

memory/3784-83-0x0000000000870000-0x000000000087B000-memory.dmp

memory/1032-84-0x0000000001280000-0x0000000001287000-memory.dmp

memory/3784-85-0x0000000000100000-0x000000000010D000-memory.dmp

memory/3784-86-0x0000000000870000-0x000000000087B000-memory.dmp

memory/476-87-0x0000000002E90000-0x0000000003290000-memory.dmp

memory/5088-88-0x0000000000530000-0x000000000053B000-memory.dmp

memory/1468-89-0x0000000000530000-0x000000000053B000-memory.dmp

memory/3784-90-0x0000000000100000-0x000000000010D000-memory.dmp