smokeloader | 784e3a535f623d7c59209e39bbdbd9ffabcc07157efbcaf12a8143190c08ed44

General

Target

487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe
Size

209KB
MD5

487c5ef864db010745ea26e6c27cdf10
SHA1

b285aecebee79d70f684832a2bb09467c6db6cfb
SHA256

784e3a535f623d7c59209e39bbdbd9ffabcc07157efbcaf12a8143190c08ed44
SHA512

8dfd0185117d909fca007e9bd53dcc90da54d8b2bccac265f8a963f46a5b05c0d38ef981531b441ae5b762632f28ec4a7b45293cb4d2d99235ec61c1add98a4c
SSDEEP

1536:n3o311bC7Xu1LpopPim+PvDOmdVFnb0MLrR2mbU9EFJ0NxgVO1MGyF59vXMziEV0:4/MePP7rrRHbU9EFJ0YVj5GZH

Score

10^/10

smokeloader pub1 backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

pid process

3336
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe

pid	process
3336

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Modifies registry class 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{1486BB94-A509-4ED6-8729-097D6504320F}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe

pid	process
2220	487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe
2220	487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe

pid process

2220 487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	3336
Token: SeCreatePagefilePrivilege	3336
Token: SeShutdownPrivilege	3336
Token: SeCreatePagefilePrivilege	3336
Token: SeShutdownPrivilege	3904	explorer.exe
Token: SeCreatePagefilePrivilege	3904	explorer.exe
Token: SeShutdownPrivilege	3904	explorer.exe
Token: SeCreatePagefilePrivilege	3904	explorer.exe
Token: SeShutdownPrivilege	3904	explorer.exe
Token: SeCreatePagefilePrivilege	3904	explorer.exe
Token: SeShutdownPrivilege	3904	explorer.exe
Token: SeCreatePagefilePrivilege	3904	explorer.exe
Token: SeShutdownPrivilege	3904	explorer.exe
Token: SeCreatePagefilePrivilege	3904	explorer.exe
Token: SeShutdownPrivilege	3904	explorer.exe
Token: SeCreatePagefilePrivilege	3904	explorer.exe
Token: SeShutdownPrivilege	3904	explorer.exe
Token: SeCreatePagefilePrivilege	3904	explorer.exe
Token: SeShutdownPrivilege	3904	explorer.exe
Token: SeCreatePagefilePrivilege	3904	explorer.exe
Token: SeShutdownPrivilege	3904	explorer.exe
Token: SeCreatePagefilePrivilege	3904	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

explorer.exe

pid	process
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

explorer.exe

pid	process
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 3336 wrote to memory of 2056	3336		cmd.exe
PID 3336 wrote to memory of 2056	3336		cmd.exe
PID 2056 wrote to memory of 3644	2056	cmd.exe	reg.exe
PID 2056 wrote to memory of 3644	2056	cmd.exe	reg.exe
PID 3336 wrote to memory of 5016	3336		cmd.exe
PID 3336 wrote to memory of 5016	3336		cmd.exe
PID 5016 wrote to memory of 1480	5016	cmd.exe	reg.exe
PID 5016 wrote to memory of 1480	5016	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\487c5ef864db010745ea26e6c27cdf10_NeikiAnalytics.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\43CA.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5204.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1328

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1928

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3636

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3240

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5072

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4836

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3248

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3776

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
63330549ac3b38c1c4b4a4e901e7f1c9

SHA1
bcfa026e6c8628467fbe49979eeeaf63d93ecb41

SHA256
97ca5a250852dc226a11d2eb8171610fed5a9cd2fe4854de96aedf6a6c9047d6

SHA512
b5d1b4d487d916d7e296a8bae4eb7cb04530834f9012fb661369d0884c234c8157e1633cb947bf9662fe021cd05639f28cc1128d86e2ec5199ade8e71ef7f357

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
9419a00b2c2d10d9062f1de6925c642e

SHA1
d9ca9ece95f3f8fcdfddf7b8275d724e299f1472

SHA256
ff94e2c28f190bb6bb03b8620bbdfb25f0d8ed651bd3603ec91994d3874c6d62

SHA512
35acc4bd62b96a799fb7a79aaffce7fefbf05b31066429e7bc5cd586aa0f958338d5a261e9a4e3305ae63e579532c2f6242e640856a31e077426523f760b45f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize
2KB

MD5
a520026f24f6fe4b7e6cb2a4023ccb72

SHA1
083e889e6e2e57866084639e31725b0259c70dfb

SHA256
cd6d01d52c077a20f0c7c0a59399603d1489c785164b72d167e94f080b32100a

SHA512
a48b7e0ef619e5459d7b02fe9a49c80bb8c10bd59b056c2565bfe9b06fa8c47b4a974731743a016f493b822717aa0861371cf0b189559c6b1ae1962b075b4a1a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
Filesize
96B

MD5
84209e171da10686915fe7efcd51552d

SHA1
6bf96e86a533a68eba4d703833de374e18ce6113

SHA256
04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

SHA512
48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\43CA.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
memory/748-479-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/1584-337-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/1724-59-0x0000025B5BD50000-0x0000025B5BD70000-memory.dmp

Filesize
128KB

Download
memory/1724-34-0x0000025359790000-0x0000025359890000-memory.dmp

Filesize
1024KB

Download
memory/1724-39-0x0000025B5B900000-0x0000025B5B920000-memory.dmp

Filesize
128KB

Download
memory/1724-58-0x0000025B5B3B0000-0x0000025B5B3D0000-memory.dmp

Filesize
128KB

Download
memory/2220-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-5-0x0000000000400000-0x0000000002351000-memory.dmp

Filesize
31.3MB

Download
memory/2220-8-0x00000000040A0000-0x00000000040AB000-memory.dmp

Filesize
44KB

Download
memory/2220-1-0x00000000024D0000-0x00000000025D0000-memory.dmp

Filesize
1024KB

Download
memory/2220-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2220-2-0x00000000040A0000-0x00000000040AB000-memory.dmp

Filesize
44KB

Download
memory/2448-516-0x00000200F5200000-0x00000200F5220000-memory.dmp

Filesize
128KB

Download
memory/2448-487-0x00000200F5240000-0x00000200F5260000-memory.dmp

Filesize
128KB

Download
memory/2448-481-0x000001F8F2F00000-0x000001F8F3000000-memory.dmp

Filesize
1024KB

Download
memory/2448-482-0x000001F8F2F00000-0x000001F8F3000000-memory.dmp

Filesize
1024KB

Download
memory/2448-518-0x00000200F5610000-0x00000200F5630000-memory.dmp

Filesize
128KB

Download
memory/3240-186-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/3336-24-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/3336-4-0x00000000032D0000-0x00000000032E6000-memory.dmp

Filesize
88KB

Download
memory/3392-32-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/3776-340-0x000001CB8B600000-0x000001CB8B700000-memory.dmp

Filesize
1024KB

Download
memory/3776-339-0x000001CB8B600000-0x000001CB8B700000-memory.dmp

Filesize
1024KB

Download
memory/3776-345-0x000001CB8C530000-0x000001CB8C550000-memory.dmp

Filesize
128KB

Download
memory/3776-362-0x000001CB8C4F0000-0x000001CB8C510000-memory.dmp

Filesize
128KB

Download
memory/3776-376-0x000001CB8CB40000-0x000001CB8CB60000-memory.dmp

Filesize
128KB

Download
memory/3776-341-0x000001CB8B600000-0x000001CB8B700000-memory.dmp

Filesize
1024KB

Download
memory/4836-227-0x0000021ECDF70000-0x0000021ECDF90000-memory.dmp

Filesize
128KB

Download
memory/4836-214-0x0000021ECD9E0000-0x0000021ECDA00000-memory.dmp

Filesize
128KB

Download
memory/4836-193-0x0000021ECDC20000-0x0000021ECDC40000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads