Malware Analysis Report

2024-11-15 05:58

Sample ID 240404-xw29hsff9s
Target 2cdffb841cfd9e2e729de2f02c47f8d1.exe
SHA256 12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb
Tags
smokeloader rhadamanthys kev backdoor collection stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb

Threat Level: Known bad

The file 2cdffb841cfd9e2e729de2f02c47f8d1.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader rhadamanthys kev backdoor collection stealer trojan

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Smokeloader family

Executes dropped EXE

Deletes itself

Accesses Microsoft Outlook profiles

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 19:13

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 19:13

Reported

2024-04-04 19:15

Platform

win7-20240221-en

Max time kernel

161s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2504 created 1360 N/A C:\Users\Admin\AppData\Local\Temp\D6DF.exe C:\Windows\Explorer.EXE

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D6DF.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe N/A 2
N/A N/A C:\Windows\Explorer.EXE N/A 62

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1360 wrote to memory of 2504 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D6DF.exe 4
PID 1360 wrote to memory of 2416 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 5
PID 1360 wrote to memory of 2376 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe 4
PID 1360 wrote to memory of 1712 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 5
PID 2504 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\D6DF.exe C:\Windows\SysWOW64\dialer.exe 6
PID 1360 wrote to memory of 2748 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 5
PID 1360 wrote to memory of 1208 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe 4
PID 1360 wrote to memory of 2568 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 5
PID 1360 wrote to memory of 1840 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 5
PID 1360 wrote to memory of 1624 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe 4
PID 1360 wrote to memory of 2304 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 5
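The NtCreateUserProcessOtherParentProcess row and the WriteProcessMemory rows above record the injection chain only as isolated events. The Python script below is an added example, not part of the sandbox report, that parses rows in exactly that row format, collapses repeated writes into per-edge counts, and applies a few analyst heuristics to the edges. The rows embedded in SAMPLE_ROWS are copied from the behavioral1 tables of this report; the heuristic names, the path tests, and the reading of "PID A created B" as "A started a process with its parent handle set to B" (which is what the signature name implies) are the author's own assumptions, not the sandbox's. The parser accepts either the raw repeated rows or rows carrying a trailing event count.

```python
import ntpath
import re
from collections import Counter

# Row formats of the two signature tables above (a trailing event count is
# optional, so both the raw repeated rows and a collapsed table parse):
#   PID <src> wrote to memory of <dst> <indicator> <src image> <dst image> [<events>]
#   PID <src> created <dst> <indicator> <src image> <dst image> [<events>]
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|created) (?P<dst>\d+) "
    r"(?P<indicator>\S+) (?P<src_image>\S+) (?P<dst_image>\S+)(?: (?P<n>\d+))?$"
)

# Constructed input: rows copied from the behavioral1 tables of this report.
# One write is repeated as the report repeats it; one row carries a count.
SAMPLE_ROWS = r"""
Description Indicator Process Target
PID 1360 wrote to memory of 2504 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D6DF.exe
PID 1360 wrote to memory of 2504 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D6DF.exe
PID 1360 wrote to memory of 2416 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1360 wrote to memory of 2376 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe 4
PID 2504 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\D6DF.exe C:\Windows\SysWOW64\dialer.exe
PID 2504 created 1360 N/A C:\Users\Admin\AppData\Local\Temp\D6DF.exe C:\Windows\Explorer.EXE
"""


def parse_rows(text):
    """Parse signature rows; header lines and anything else are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "kind": "create" if m["verb"] == "created" else "write",
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "src_image": m["src_image"],
            "dst_image": m["dst_image"],
            "n": int(m["n"] or 1),
        })
    return events


def _base(path):
    return ntpath.basename(path).lower()


def _in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def _under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def write_edges(events):
    """Cross-process writes as (src pid, dst pid) -> number of write events."""
    edges = Counter()
    for e in events:
        if e["kind"] == "write":
            edges[(e["src"], e["dst"])] += e["n"]
    return edges


def fan_out(events):
    """Number of distinct processes each writer injected into."""
    targets = {}
    for e in events:
        if e["kind"] == "write":
            targets.setdefault(e["src"], set()).add(e["dst"])
    return {pid: len(t) for pid, t in targets.items()}


def classify(events):
    """Heuristic labels (analyst's own, not the sandbox's) per edge, deduplicated in order."""
    findings = []
    for e in events:
        src_img, dst_img = e["src_image"], e["dst_image"]
        if e["kind"] == "create":
            # Reading of "PID A created B": A started a process with its parent set
            # to B, so the child appears under B's image in a process tree.
            if e["src"] != e["dst"]:
                findings.append(("parent_pid_spoofing", e["src"], e["dst"]))
        elif _in_user_temp(dst_img):
            findings.append(("write_into_dropped_exe", e["src"], e["dst"]))
        elif _in_user_temp(src_img) and _under_windows(dst_img):
            findings.append(("dropped_exe_injects_system_binary", e["src"], e["dst"]))
        elif _base(src_img) == _base(dst_img) == "explorer.exe":
            findings.append(("explorer_writes_explorer_copy", e["src"], e["dst"]))
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    ev = parse_rows(SAMPLE_ROWS)
    for (src, dst), n in sorted(write_edges(ev).items()):
        print(f"{src} -> {dst}: {n} write(s)")
    print("fan-out:", fan_out(ev))
    for f in classify(ev):
        print(*f)
```

On the embedded rows the script reduces the table to one edge per (source, target) pair, shows that 1360 (Explorer.EXE) is the hub writing into both the dropped D6DF.exe and freshly started explorer.exe copies, that the dropped executable in turn writes into dialer.exe, and that the same dropped executable starts a process whose recorded parent is Explorer.EXE. The same parser runs unchanged on the behavioral2 rows, where the Process column is N/A.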

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

Image Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe "C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe"
C:\Users\Admin\AppData\Local\Temp\D6DF.exe C:\Users\Admin\AppData\Local\Temp\D6DF.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 atillapro.com udp
NL 94.156.65.121:80 atillapro.com tcp

Files

memory/2676-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2676-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1360-1-0x0000000002590000-0x00000000025A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D6DF.exe

MD5 08e5f1243ad4970745975b27b6e2f9fa
SHA1 83b1a8939bd4e2ea5677d8742edd1a697edd196b
SHA256 05074675b07feb8e7556c5af449f5e677e0fabfb09b135971afbb11743bf3165
SHA512 d01f83c4c35e6049544d71037b3d8db29cf177e232839c684e2943899e7e891d0e30d996ddb0af58f760ac34dd8fc6acee7338b52b3fda5f17c892f7498d2280

memory/2504-18-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2416-19-0x0000000000170000-0x00000000001E5000-memory.dmp

memory/2416-20-0x0000000000100000-0x000000000016B000-memory.dmp

memory/2416-21-0x0000000000100000-0x000000000016B000-memory.dmp

memory/2416-34-0x0000000000100000-0x000000000016B000-memory.dmp

memory/2376-35-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2376-36-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2504-37-0x0000000002E60000-0x0000000003260000-memory.dmp

memory/2504-38-0x0000000002E60000-0x0000000003260000-memory.dmp

memory/2504-39-0x0000000002E60000-0x0000000003260000-memory.dmp

memory/2504-41-0x0000000077BB0000-0x0000000077D59000-memory.dmp

memory/2504-45-0x0000000076430000-0x0000000076477000-memory.dmp

memory/2504-47-0x0000000002E60000-0x0000000003260000-memory.dmp

memory/2704-46-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1712-44-0x0000000000080000-0x000000000008B000-memory.dmp

memory/1712-42-0x0000000000090000-0x000000000009A000-memory.dmp

memory/1712-40-0x0000000000080000-0x000000000008B000-memory.dmp

memory/2504-48-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2704-50-0x0000000001DB0000-0x00000000021B0000-memory.dmp

memory/2704-51-0x0000000001DB0000-0x00000000021B0000-memory.dmp

memory/2748-55-0x0000000000090000-0x0000000000097000-memory.dmp

memory/2704-54-0x0000000077BB0000-0x0000000077D59000-memory.dmp

memory/2704-58-0x0000000076430000-0x0000000076477000-memory.dmp

memory/2748-57-0x0000000000080000-0x000000000008B000-memory.dmp

memory/2748-53-0x0000000000080000-0x000000000008B000-memory.dmp

memory/2704-59-0x0000000001DB0000-0x00000000021B0000-memory.dmp

memory/2704-60-0x0000000077BB0000-0x0000000077D59000-memory.dmp

memory/1208-61-0x0000000000060000-0x000000000006F000-memory.dmp

memory/1208-63-0x0000000000070000-0x0000000000079000-memory.dmp

memory/1208-64-0x0000000000060000-0x000000000006F000-memory.dmp

memory/2704-62-0x0000000001DB0000-0x00000000021B0000-memory.dmp

memory/2568-65-0x0000000000080000-0x00000000000A7000-memory.dmp

memory/2568-67-0x0000000000060000-0x000000000006F000-memory.dmp

memory/2568-66-0x0000000000080000-0x00000000000A7000-memory.dmp

memory/1840-71-0x0000000000090000-0x0000000000096000-memory.dmp

memory/1840-70-0x0000000000080000-0x000000000008B000-memory.dmp

memory/1624-72-0x0000000000070000-0x0000000000077000-memory.dmp

memory/1624-74-0x0000000000060000-0x000000000006D000-memory.dmp

memory/2304-76-0x0000000000090000-0x0000000000098000-memory.dmp

memory/2304-75-0x0000000000080000-0x000000000008B000-memory.dmp

memory/2304-77-0x0000000000080000-0x000000000008B000-memory.dmp

memory/2748-78-0x0000000000090000-0x0000000000097000-memory.dmp

memory/1208-79-0x0000000000070000-0x0000000000079000-memory.dmp

memory/2568-80-0x0000000000060000-0x000000000006F000-memory.dmp

memory/1840-85-0x0000000000080000-0x000000000008B000-memory.dmp

memory/1624-86-0x0000000000060000-0x000000000006D000-memory.dmp

memory/2304-87-0x0000000000090000-0x0000000000098000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 19:13

Reported

2024-04-04 19:15

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4824 created 2936 N/A C:\Users\Admin\AppData\Local\Temp\88B8.exe C:\Windows\system32\sihost.exe

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88B8.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe N/A 2
N/A N/A N/A N/A 62

Suspicious behavior: MapViewOfSection

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe N/A 1
N/A N/A N/A N/A 18

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 3360 wrote to memory of 4824 N/A N/A C:\Users\Admin\AppData\Local\Temp\88B8.exe 3
PID 3360 wrote to memory of 4592 N/A N/A C:\Windows\SysWOW64\explorer.exe 4
PID 3360 wrote to memory of 3488 N/A N/A C:\Windows\explorer.exe 3
PID 3360 wrote to memory of 4728 N/A N/A C:\Windows\SysWOW64\explorer.exe 4
PID 4824 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\88B8.exe C:\Windows\SysWOW64\dialer.exe 5
PID 3360 wrote to memory of 2516 N/A N/A C:\Windows\SysWOW64\explorer.exe 4
PID 3360 wrote to memory of 5072 N/A N/A C:\Windows\explorer.exe 3
PID 3360 wrote to memory of 864 N/A N/A C:\Windows\SysWOW64\explorer.exe 4
PID 3360 wrote to memory of 1536 N/A N/A C:\Windows\SysWOW64\explorer.exe 4
PID 3360 wrote to memory of 2640 N/A N/A C:\Windows\explorer.exe 3
PID 3360 wrote to memory of 1188 N/A N/A C:\Windows\SysWOW64\explorer.exe 4

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

Image Command line
C:\Windows\system32\sihost.exe sihost.exe
C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe "C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe"
C:\Users\Admin\AppData\Local\Temp\88B8.exe C:\Users\Admin\AppData\Local\Temp\88B8.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 atillapro.com udp
NL 94.156.65.121:80 atillapro.com tcp
US 8.8.8.8:53 121.65.156.94.in-addr.arpa udp
NL 94.156.65.121:80 atillapro.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.34.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

memory/1192-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1192-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3360-1-0x0000000007520000-0x0000000007536000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\88B8.exe

MD5 08e5f1243ad4970745975b27b6e2f9fa
SHA1 83b1a8939bd4e2ea5677d8742edd1a697edd196b
SHA256 05074675b07feb8e7556c5af449f5e677e0fabfb09b135971afbb11743bf3165
SHA512 d01f83c4c35e6049544d71037b3d8db29cf177e232839c684e2943899e7e891d0e30d996ddb0af58f760ac34dd8fc6acee7338b52b3fda5f17c892f7498d2280

memory/4824-15-0x0000000000400000-0x000000000048B000-memory.dmp

memory/4592-18-0x0000000000A40000-0x0000000000AB5000-memory.dmp

memory/4592-17-0x00000000009D0000-0x0000000000A3B000-memory.dmp

memory/4592-19-0x00000000009D0000-0x0000000000A3B000-memory.dmp

memory/3488-41-0x00000000001C0000-0x00000000001C7000-memory.dmp

memory/3488-43-0x00000000001B0000-0x00000000001BC000-memory.dmp

memory/3488-44-0x00000000001B0000-0x00000000001BC000-memory.dmp

memory/4592-45-0x00000000009D0000-0x0000000000A3B000-memory.dmp

memory/4824-46-0x0000000003280000-0x0000000003680000-memory.dmp

memory/4824-48-0x0000000003280000-0x0000000003680000-memory.dmp

memory/4824-49-0x00007FFCED870000-0x00007FFCEDA65000-memory.dmp

memory/4824-51-0x0000000003280000-0x0000000003680000-memory.dmp

memory/4824-52-0x00000000760F0000-0x0000000076305000-memory.dmp

memory/4728-54-0x0000000000B00000-0x0000000000B0B000-memory.dmp

memory/3900-53-0x0000000000A20000-0x0000000000A29000-memory.dmp

memory/4728-55-0x0000000000B10000-0x0000000000B1A000-memory.dmp

memory/4824-56-0x0000000000400000-0x000000000048B000-memory.dmp

memory/4728-57-0x0000000000B00000-0x0000000000B0B000-memory.dmp

memory/3900-60-0x00000000026D0000-0x0000000002AD0000-memory.dmp

memory/3900-59-0x00000000026D0000-0x0000000002AD0000-memory.dmp

memory/3900-61-0x00007FFCED870000-0x00007FFCEDA65000-memory.dmp

memory/3900-63-0x00000000026D0000-0x0000000002AD0000-memory.dmp

memory/3900-64-0x00000000760F0000-0x0000000076305000-memory.dmp

memory/3900-65-0x00000000026D0000-0x0000000002AD0000-memory.dmp

memory/2516-66-0x00000000012B0000-0x00000000012BB000-memory.dmp

memory/2516-67-0x00000000026D0000-0x0000000002AD0000-memory.dmp

memory/2516-68-0x00000000012B0000-0x00000000012BB000-memory.dmp

memory/5072-69-0x0000000000550000-0x000000000055F000-memory.dmp

memory/5072-70-0x0000000000560000-0x0000000000569000-memory.dmp

memory/864-71-0x00000000012B0000-0x00000000012D7000-memory.dmp

memory/864-72-0x00000000012B0000-0x00000000012D7000-memory.dmp

memory/1536-76-0x00000000012C0000-0x00000000012C6000-memory.dmp

memory/1536-75-0x00000000012B0000-0x00000000012BB000-memory.dmp

memory/1536-77-0x00000000012B0000-0x00000000012BB000-memory.dmp

memory/2640-79-0x0000000000600000-0x0000000000607000-memory.dmp

memory/2640-78-0x00000000003F0000-0x00000000003FD000-memory.dmp

memory/1188-80-0x00000000012B0000-0x00000000012BB000-memory.dmp

memory/1188-81-0x00000000003F0000-0x00000000003FD000-memory.dmp

memory/1188-82-0x00000000012B0000-0x00000000012BB000-memory.dmp

memory/2516-83-0x00000000026D0000-0x0000000002AD0000-memory.dmp

memory/5072-84-0x0000000000550000-0x000000000055F000-memory.dmp

memory/864-85-0x0000000000550000-0x000000000055F000-memory.dmp

memory/1536-90-0x00000000012C0000-0x00000000012C6000-memory.dmp

memory/2640-91-0x00000000003F0000-0x00000000003FD000-memory.dmp

memory/1188-92-0x00000000003F0000-0x00000000003FD000-memory.dmp
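The Files lists of both detonations name every dumped region as memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, and the same range is often dumped more than once. The Python script below is an added example, not part of the sandbox report: it parses those names, collapses repeat dumps of one range, and reports region sizes and address ranges that recur across processes, which is the quickest way to see one payload being planted into several hosts. SAMPLE_DUMPS is a constructed subset of the behavioral2 list above; the helper names and the interpretive comments are the author's analyst reading, not something the report states.

```python
import re
from collections import defaultdict

# Sandbox dump naming: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed input: a subset of the behavioral2 Files list above, including
# one range (pid 4824, 0x3280000-0x3680000) that the sandbox dumped twice.
SAMPLE_DUMPS = """
memory/1192-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3360-1-0x0000000007520000-0x0000000007536000-memory.dmp
memory/4824-15-0x0000000000400000-0x000000000048B000-memory.dmp
memory/4824-46-0x0000000003280000-0x0000000003680000-memory.dmp
memory/4824-48-0x0000000003280000-0x0000000003680000-memory.dmp
memory/4824-49-0x00007FFCED870000-0x00007FFCEDA65000-memory.dmp
memory/3900-59-0x00000000026D0000-0x0000000002AD0000-memory.dmp
memory/3900-61-0x00007FFCED870000-0x00007FFCEDA65000-memory.dmp
memory/2516-67-0x00000000026D0000-0x0000000002AD0000-memory.dmp
memory/4728-54-0x0000000000B00000-0x0000000000B0B000-memory.dmp
memory/2516-66-0x00000000012B0000-0x00000000012BB000-memory.dmp
memory/1536-75-0x00000000012B0000-0x00000000012BB000-memory.dmp
memory/1188-80-0x00000000012B0000-0x00000000012BB000-memory.dmp
"""


def parse_dumps(text):
    """Distinct (pid, start, end) regions; repeat dumps of one range collapse to one entry."""
    regions = set()
    for name in text.split():
        m = DUMP_RE.match(name)
        if m:
            pid, _seq, start, end = m.groups()
            regions.add((int(pid), int(start, 16), int(end, 16)))
    return sorted(regions)


def regions_by_pid(regions):
    """pid -> list of (start, size) for that process."""
    out = defaultdict(list)
    for pid, start, end in regions:
        out[pid].append((start, end - start))
    return dict(out)


def shared_sizes(regions, min_pids=2):
    """Region sizes present in at least min_pids different processes -> sorted pids.
    One size recurring in otherwise unrelated processes is the usual footprint of
    a single payload injected into each of them."""
    by_size = defaultdict(set)
    for pid, start, end in regions:
        by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) >= min_pids}


def shared_ranges(regions, min_pids=2):
    """Identical (start, end) ranges seen in several processes -> sorted pids.
    Low ranges repeated across processes suggest the same allocation sequence;
    high ranges (0x7FF...) are where system DLLs are mapped, which coincide across
    processes on one boot anyway, so they carry less weight as evidence."""
    by_range = defaultdict(set)
    for pid, start, end in regions:
        by_range[(start, end)].add(pid)
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) >= min_pids}


def largest_region(regions, pid):
    """(size, start) of the biggest dumped region in pid, or None if pid has none."""
    cands = [(end - start, start) for p, start, end in regions if p == pid]
    return max(cands) if cands else None


if __name__ == "__main__":
    regs = parse_dumps(SAMPLE_DUMPS)
    for size, pids in sorted(shared_sizes(regs).items(), reverse=True):
        print(f"size 0x{size:X} in pids {pids}")
    for (start, end), pids in sorted(shared_ranges(regs).items()):
        print(f"range 0x{start:X}-0x{end:X} in pids {pids}")
    for pid in (4824, 3900, 2516):
        size, start = largest_region(regs, pid)
        print(f"pid {pid}: largest region 0x{size:X} at 0x{start:X}")
```

On the embedded subset the output shows a 0x400000-byte region in 4824 (88B8.exe), 3900 (dialer.exe) and 2516 (one of the SysWOW64\explorer.exe copies), with 3900 and 2516 holding it at the same address, and a 0xB000-byte region in every spawned explorer.exe copy that 3360 wrote into. The 0x7FFCED870000 range common to 4824 and 3900 is a high address of the kind system DLLs occupy and is expected to coincide, so it is reported but not treated as an injection indicator.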