smokeloader | bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7

General

Target

bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exe
Size

179KB
MD5

ccfb70ac53b63ba7a8a1bb859deb0a63
SHA1

4a6b127768edb4316ecccd722d14cdc0fd67a9c0
SHA256

bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7
SHA512

04f4080063d51b50028399c21b910d645c7ae87b2228170ab9fcc0c4ca6d7d9ec4679d6b0fa1e911d6d2c0f164be4dad565f367cef4c9daf321d4a66fb961326
SSDEEP

1536:D/bI75oFJE7LocP46lfSAPMtyKnM9fGqxHMHKQ0v5WK9IMn4kZhXU4L+vx5tLctB:DYlfSAPM0KMYq2HuWKz4kPU465

Score

10^/10

smokeloader pub1 backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

pid process

3156
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

60 drive.google.com
61 drive.google.com

pid	process
3156

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

flow	ioc
60	drive.google.com
61	drive.google.com

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exeexplorer.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe

Modifies registry class 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{E717E48A-7F41-40CD-B077-4C53FE1BB548}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exe

pid	process
868	bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exe
868	bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exe
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exe

pid process

868 bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	3156
Token: SeCreatePagefilePrivilege	3156
Token: SeShutdownPrivilege	3156
Token: SeCreatePagefilePrivilege	3156
Token: SeShutdownPrivilege	916	explorer.exe
Token: SeCreatePagefilePrivilege	916	explorer.exe
Token: SeShutdownPrivilege	916	explorer.exe
Token: SeCreatePagefilePrivilege	916	explorer.exe
Token: SeShutdownPrivilege	916	explorer.exe
Token: SeCreatePagefilePrivilege	916	explorer.exe
Token: SeShutdownPrivilege	916	explorer.exe
Token: SeCreatePagefilePrivilege	916	explorer.exe
Token: SeShutdownPrivilege	916	explorer.exe
Token: SeCreatePagefilePrivilege	916	explorer.exe
Token: SeShutdownPrivilege	916	explorer.exe
Token: SeCreatePagefilePrivilege	916	explorer.exe
Token: SeShutdownPrivilege	916	explorer.exe
Token: SeCreatePagefilePrivilege	916	explorer.exe
Token: SeShutdownPrivilege	916	explorer.exe
Token: SeCreatePagefilePrivilege	916	explorer.exe
Token: SeShutdownPrivilege	916	explorer.exe
Token: SeCreatePagefilePrivilege	916	explorer.exe
Token: SeShutdownPrivilege	916	explorer.exe
Token: SeCreatePagefilePrivilege	916	explorer.exe
Token: SeShutdownPrivilege	916	explorer.exe
Token: SeCreatePagefilePrivilege	916	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

explorer.exe

pid	process
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

explorer.exe

pid	process
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe
916	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 3156 wrote to memory of 2096	3156		cmd.exe
PID 3156 wrote to memory of 2096	3156		cmd.exe
PID 2096 wrote to memory of 3648	2096	cmd.exe	reg.exe
PID 2096 wrote to memory of 3648	2096	cmd.exe	reg.exe
PID 3156 wrote to memory of 4172	3156		cmd.exe
PID 3156 wrote to memory of 4172	3156		cmd.exe
PID 4172 wrote to memory of 416	4172	cmd.exe	reg.exe
PID 4172 wrote to memory of 416	4172	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exe
"C:\Users\Admin\AppData\Local\Temp\bf9d4fcc7aeee9158d4764bee8e73b2bb0e42769cbc78e5d4582da43ac0b39a7.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3832.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\48CD.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4760

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3260

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2268

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3472

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3632

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3260

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:368

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
cf94c140b8e861d5b8a579457f8e4c26

SHA1
972614473d6a8399f72403c6090ed50bcee1e56b

SHA256
2307783397917148817da0e40ad8afc4256a3a42230085eaebe512d815ced1fc

SHA512
696239223616e16d17775660d2e1ef97e4b536741a2cb406510d9de8e4090f6653c0e2fc8196bde76be527b02f2e362bad3b73ad37ac9b0168efaa3c80d90c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
5f7e10eb92ee599f8ef72c5bfbcb7ce0

SHA1
a7f5580a7af88e1b5744079a5bfbd50bdd95d402

SHA256
9f3cbd9b9e563fbca62d98fd2a6f8d2ddf4ff893c071733eff7ced87338fe24f

SHA512
37a46bc24f97900743e0842568a51f36676cd78d23fb67f035344aa856d3e9dd748447b6fd5db7cd7414dba6472a097904fa6cbc7fe8c6becda7f35ccbc6b861

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize
2KB

MD5
a74fdd3947e738c1b95fa04621ba34ba

SHA1
a3e9bfbd74d2fcec2a9c7ac84674da2161217687

SHA256
d6cb235ba8c4278a00673db7c54301cd1ab600cb87f00e08c9f04e403c77f847

SHA512
010225a8a3f2100219ccb2b653cb25187fd77fc2580ecd33b7a4671bc0912208d5d5f195631858d535a66997a6e3e3f1f373dd224ad8702429a7bcc8eca1132b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
Filesize
96B

MD5
84209e171da10686915fe7efcd51552d

SHA1
6bf96e86a533a68eba4d703833de374e18ce6113

SHA256
04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

SHA512
48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3832.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
memory/868-1-0x0000000002400000-0x0000000002500000-memory.dmp

Filesize
1024KB

Download
memory/868-5-0x0000000000400000-0x0000000002349000-memory.dmp

Filesize
31.3MB

Download
memory/868-8-0x0000000004090000-0x000000000409B000-memory.dmp

Filesize
44KB

Download
memory/868-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/868-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/868-2-0x0000000004090000-0x000000000409B000-memory.dmp

Filesize
44KB

Download
memory/1128-363-0x0000026611800000-0x0000026611820000-memory.dmp

Filesize
128KB

Download
memory/1128-362-0x0000026611360000-0x0000026611380000-memory.dmp

Filesize
128KB

Download
memory/1128-344-0x00000266113B0000-0x00000266113D0000-memory.dmp

Filesize
128KB

Download
memory/1128-338-0x0000026610220000-0x0000026610320000-memory.dmp

Filesize
1024KB

Download
memory/2164-337-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/2268-32-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3156-22-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/3156-4-0x0000000002F70000-0x0000000002F86000-memory.dmp

Filesize
88KB

Download
memory/3260-221-0x000001E514B00000-0x000001E514B20000-memory.dmp

Filesize
128KB

Download
memory/3260-222-0x000001E5147E0000-0x000001E514800000-memory.dmp

Filesize
128KB

Download
memory/3260-190-0x000001E514B40000-0x000001E514B60000-memory.dmp

Filesize
128KB

Download
memory/4040-485-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/4372-183-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/4560-39-0x000001E3259E0000-0x000001E325A00000-memory.dmp

Filesize
128KB

Download
memory/4560-34-0x000001E324E00000-0x000001E324F00000-memory.dmp

Filesize
1024KB

Download
memory/4560-57-0x000001E3259A0000-0x000001E3259C0000-memory.dmp

Filesize
128KB

Download
memory/4560-70-0x000001E3262C0000-0x000001E3262E0000-memory.dmp

Filesize
128KB

Download
memory/4584-486-0x00000212DD340000-0x00000212DD440000-memory.dmp

Filesize
1024KB

Download
memory/4584-492-0x00000212DE4B0000-0x00000212DE4D0000-memory.dmp

Filesize
128KB

Download
memory/4584-512-0x00000212DE470000-0x00000212DE490000-memory.dmp

Filesize
128KB

Download
memory/4584-523-0x00000212DEB40000-0x00000212DEB60000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads