Malware Analysis Report

2025-04-14 08:09

Sample ID 250309-b6h3qswxdt
Target c127879c5fa90526ba316c4bffd85427.exe
SHA256 808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b
Tags
raccoon smokeloader eee94d533c0441c732ed7e18e494bdc6 x0x4 backdoor discovery stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b

Threat Level: Known bad

The file c127879c5fa90526ba316c4bffd85427.exe was found to be: Known bad.

Malicious Activity Summary

Raccoon

SmokeLoader

Raccoon family

Smokeloader family

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-09 01:45

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-09 01:45

Reported

2025-03-09 01:47

Platform

win7-20240903-en

Max time kernel

136s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe"

Signatures

Raccoon

stealer raccoon

Raccoon family

raccoon

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A | 2 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 4 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A | 1 |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 4 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A | 1 |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| PID 3040 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4 |
| PID 3040 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4 |
| PID 3040 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 4 |
| PID 3040 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | 10 |
| PID 2852 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4 |
| PID 2852 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4 |
| PID 2852 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 4 |
| PID 2852 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 7 |

Processes

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

"C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
(decoded -enc argument, UTF-16LE: Start-Sleep -Seconds 34)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
(decoded -enc argument, UTF-16LE: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' ; the second statement adds the whole C: drive to the Microsoft Defender scan exclusion list)

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

"C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe"

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

Network

| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| DE | 45.15.156.16:80 | | tcp | 2 |
| NL | 82.115.223.5:80 | | tcp | 2 |
| NL | 82.115.223.6:80 | | tcp | 2 |
| DE | 45.15.156.17:80 | | tcp | 2 |
| NL | 82.115.223.7:80 | 82.115.223.7 | tcp | 1 |

Files

memory/3040-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

memory/3040-1-0x0000000000E20000-0x0000000000F6A000-memory.dmp

memory/3040-2-0x0000000004370000-0x00000000044B8000-memory.dmp

memory/3040-3-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/3040-4-0x0000000004BC0000-0x0000000004C52000-memory.dmp

memory/2716-7-0x00000000025B0000-0x00000000025F0000-memory.dmp

memory/3040-8-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

memory/3040-9-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/2716-10-0x00000000025B0000-0x00000000025F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c23219fc3f93d7dff504c4c333c559da
SHA1 2cdf106d865e861f8f87d86fb9aa65958908c6f0
SHA256 1be1ed2e4506939a3969641a91a8aa98b9c628be07007ab6ec0f12623afbb825
SHA512 67d23b81a651e7e7cfdf580d0b7fcec815a93cd20a99a09e4bd3f7d3127e82fcd2b63d569dee08228650e68a8719aa3b398f8bd1f402f16b237208fe93054798

\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

MD5 7f1f17f581d25b34013146f290fea01b
SHA1 27c020394a1396b3e11ab563d62f76c2d5e873ea
SHA256 2bbe711ab5c483cdbc39743637123498da1e62a743e7186a8e6a363c6c349375
SHA512 8793a175c5d664c388f94d40ab544866d13b4c6b9348d56bd5a3144fb9480b0982577e6cc8604f6355ded850c7bcc67c1536af59bfdceb11a23187a8ee3f4935

memory/2852-24-0x0000000000260000-0x0000000000334000-memory.dmp

memory/2852-25-0x0000000004310000-0x00000000043E0000-memory.dmp

memory/2976-37-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2976-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2976-34-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2976-32-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2976-30-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2976-28-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2976-38-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2976-26-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3040-39-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/1624-54-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1624-59-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1624-58-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1624-56-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-09 01:45

Reported

2025-03-09 01:47

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe"

Signatures

Raccoon

stealer raccoon

Raccoon family

raccoon

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Checks computer location settings

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A | 1 |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A | 1 |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A | 2 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 4 |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A | 1 |

Checks SCSI registry key(s)

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A | 1 |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A | 1 |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A | 1 |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 4 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A | 1 |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| PID 4588 wrote to memory of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| PID 4588 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| PID 4588 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 3 |
| PID 4588 wrote to memory of 3912 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | 9 |
| PID 1340 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| PID 1340 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| PID 1340 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 6 |

Processes

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

"C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
(decoded -enc argument, UTF-16LE: Start-Sleep -Seconds 34)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
(decoded -enc argument, UTF-16LE: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' ; the second statement adds the whole C: drive to the Microsoft Defender scan exclusion list)

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

"C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe"

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

Network

| Country | Destination | Domain | Proto | Count |
|---|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp | 1 |
| US | 150.171.28.10:443 | g.bing.com | tcp | 1 |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1 |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp | 5 |
| DE | 45.15.156.16:80 | | tcp | 1 |
| NL | 82.115.223.5:80 | | tcp | 1 |
| NL | 82.115.223.6:80 | | tcp | 1 |
| DE | 45.15.156.17:80 | | tcp | 1 |
| NL | 82.115.223.7:80 | 82.115.223.7 | tcp | 1 |

Files

memory/4588-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

memory/4588-1-0x0000000000120000-0x000000000026A000-memory.dmp

memory/4588-2-0x0000000004A80000-0x0000000004BC8000-memory.dmp

memory/4588-3-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/4588-4-0x0000000004CB0000-0x0000000004D42000-memory.dmp

memory/4588-5-0x0000000004D80000-0x0000000004DA2000-memory.dmp

memory/4588-6-0x0000000004FC0000-0x0000000005314000-memory.dmp

memory/4236-7-0x0000000004950000-0x0000000004986000-memory.dmp

memory/4236-8-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/4236-9-0x0000000005000000-0x0000000005628000-memory.dmp

memory/4236-11-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/4236-10-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/4236-13-0x0000000004F70000-0x0000000004FD6000-memory.dmp

memory/4236-12-0x0000000004F00000-0x0000000004F66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ybfvmgf4.mre.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4236-23-0x0000000005F20000-0x0000000005F3E000-memory.dmp

memory/4236-24-0x0000000006450000-0x000000000649C000-memory.dmp

memory/4236-25-0x00000000077A0000-0x0000000007E1A000-memory.dmp

memory/4236-26-0x00000000063B0000-0x00000000063CA000-memory.dmp

memory/4588-27-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

memory/4588-28-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/4236-29-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/4236-33-0x0000000074D90000-0x0000000075540000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

memory/2376-35-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/2376-36-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/2376-37-0x0000000074D90000-0x0000000075540000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4b27a805b9c5f87b285ea03bf51af647
SHA1 bc2136ceca0bec87bb04cfbcd0f15c36c57cc98b
SHA256 58de71f8228388f7859a3d3cbc5a0e1c91651458dcc90a9b9fac449c1fa78f86
SHA512 491fe430e847db96ae9177c5c509a5292aac86a5ff13101a7e59ec1ac821b37059dd407dc7073e8e762679d4b42b8ce0f5464abb6be5ff984629e4f21c3304f7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/2376-49-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/2376-50-0x0000000006D90000-0x0000000006DC2000-memory.dmp

memory/2376-51-0x0000000070060000-0x00000000700AC000-memory.dmp

memory/2376-62-0x0000000007020000-0x00000000070C3000-memory.dmp

memory/2376-61-0x0000000006D50000-0x0000000006D6E000-memory.dmp

memory/2376-63-0x0000000007100000-0x000000000710A000-memory.dmp

memory/2376-64-0x0000000007300000-0x0000000007396000-memory.dmp

memory/2376-65-0x0000000007260000-0x0000000007271000-memory.dmp

memory/2376-66-0x0000000007290000-0x000000000729E000-memory.dmp

memory/2376-67-0x00000000072A0000-0x00000000072B4000-memory.dmp

memory/2376-68-0x00000000073A0000-0x00000000073BA000-memory.dmp

memory/2376-69-0x00000000072E0000-0x00000000072E8000-memory.dmp

memory/2376-71-0x0000000074D90000-0x0000000075540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

MD5 7f1f17f581d25b34013146f290fea01b
SHA1 27c020394a1396b3e11ab563d62f76c2d5e873ea
SHA256 2bbe711ab5c483cdbc39743637123498da1e62a743e7186a8e6a363c6c349375
SHA512 8793a175c5d664c388f94d40ab544866d13b4c6b9348d56bd5a3144fb9480b0982577e6cc8604f6355ded850c7bcc67c1536af59bfdceb11a23187a8ee3f4935

memory/1340-83-0x00000000008A0000-0x0000000000974000-memory.dmp

memory/1340-86-0x0000000005120000-0x00000000051F0000-memory.dmp

memory/3912-85-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4588-88-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/3912-84-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1340-89-0x00000000056D0000-0x0000000005A24000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 56d663207dfda19ab99d74c0a4f83d0d
SHA1 1618989b1360de2050118edeb0515d795458d2f4
SHA256 2d26da3624e17fc30d357eea672493bb863b40043836af4b7368e6492110d540
SHA512 aafe1faa32c98c8b6b42e56681869677bd12da9d5ca67c8597d78b825f28592ed983f5890f4a81ab3baa0592c479059ea153a97e3d1ad9ddb09be7d17df1afca

memory/4576-100-0x0000000005FC0000-0x000000000600C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e4e4e409290fd04cb5a3a43888a7d11b
SHA1 76d5e61178b3dc2c36853c60ea6cbeb4729c5242
SHA256 f1c1fcff22555d38668d083b78c5139ba3ad03d7a655eded18c58a495be33b83
SHA512 bbd403d84c4c254fa73b55a5a23f9f00b669e1fb3f7cb94a27bedb9fbace9cf7628f7697ed476a77f1bad018b9d1ab182734886c803ed253ce8635d2b41a22da

memory/2008-112-0x0000000070640000-0x000000007068C000-memory.dmp

memory/2008-122-0x00000000072F0000-0x0000000007393000-memory.dmp

memory/2008-123-0x0000000007570000-0x0000000007581000-memory.dmp

memory/2008-124-0x00000000075D0000-0x00000000075E4000-memory.dmp

memory/4496-126-0x0000000000400000-0x0000000000409000-memory.dmp