smokeloader | a3c625b0c6de6b9885470ce4e5f55e08e64c82c668cdc1df8d1a81d751f401be

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7
submitted
19-09-2020 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3Z8QHEBk.tmp.exe
Size

137KB
MD5

0d969fd596743d82839ac89189f47a2b
SHA1

2adb5aba20d3af1b9c78856555a08015b0f7df25
SHA256

a3c625b0c6de6b9885470ce4e5f55e08e64c82c668cdc1df8d1a81d751f401be
SHA512

ac2f7d71e8c547b6c8c12fc00ea9ef27a76daf59fdfe5b42cc32f42cebc85a689e04da239489a59c746300f89e1977f935ae94bd2a0047c27f428832a070068c

Score

10^/10

ransomware persistence trojan backdoor smokeloader discovery stealer raccoon botnet zloader spyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Family

raccoon

Ransom Note

[Raccoon Stealer] - v1.5.13-af-hotfix Release Build compiled on Mon Jul 6 14:33:03 2020 Launched at: 2020.09.19 - 00:18:31 GMT Bot_ID: BAE8C589-5DA1-4C62-BE46-F8D74908CB8C_Admin Running on a desktop =R=A=C=C=O=O=N= - Cookies: 0 - Passwords: 0 - Files: 0 System Information: - System Language: English - System TimeZone: -0 hrs - IP: 154.61.71.51 - Location: 37.750999, -97.821999 | ?, ?, United States (?) - ComputerName: AVGLFESB - Username: Admin - Windows version: NT 6.1 - Product name: Windows 7 Professional - System arch: x64 - CPU: Persocon Processor 2.5+ (2 cores) - RAM: 2047 MB (419 MB used) - Screen resolution: 1280x720 - Display devices: 0) Standard VGA Graphics Adapter ============

Extracted

Family

smokeloader

Version

2020

http://dkajsdjiqwdwnfj.info/

http://2831ujedkdajsdj.info/

http://928eijdksasnfss.info/

https://dkajsdjiqwdwnfj.info/

https://2831ujedkdajsdj.info/

https://928eijdksasnfss.info/

rc4.i32

Extracted

Family

zloader

Botnet

DLLobnova

Campaign

02.09.2020dll

https://fqnvtmqsywublocpheas.ru/gate.php

https://fqnvtmqsywublocpheas.su/gate.php

https://fqnvtmqsywublocpheas.eu/gate.php

https://fqnvtmqsywuikdjsmasablocpheas.eu/gate.php

https://fqnssvtmqsywufblocpheas.eu/gate.php

https://fqnvtmqsywublfocpheas.eu/gate.php

https://fqnvtmqsyfwublocpheas.eu/gate.php

https://fqnvtmqsywubflocpheas.eu/gate.php

rc4.plain

rsa_pubkey.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon log file 1 IoCs

Detects a log file produced by the Raccoon Stealer.

Processes:

yara_rule
raccoon_log_file

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Blacklisted process makes network request 15 IoCs

Processes:

msiexec.exe

flow	pid	Process
20	1064	msiexec.exe
21	1064	msiexec.exe
22	1064	msiexec.exe
23	1064	msiexec.exe
24	1064	msiexec.exe
25	1064	msiexec.exe
26	1064	msiexec.exe
27	1064	msiexec.exe
28	1064	msiexec.exe
29	1064	msiexec.exe
30	1064	msiexec.exe
31	1064	msiexec.exe
32	1064	msiexec.exe
33	1064	msiexec.exe
34	1064	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

975F.exe

pid	Process
1864	975F.exe

Deletes itself 1 IoCs

Processes:

pid	Process
1324

Loads dropped DLL 10 IoCs

Processes:

3Z8QHEBk.tmp.exeregsvr32.exe975F.exe

pid	Process
1060	3Z8QHEBk.tmp.exe
1964	regsvr32.exe
1864	975F.exe
1864	975F.exe
1864	975F.exe
1864	975F.exe
1864	975F.exe
1864	975F.exe
1864	975F.exe
1864	975F.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meis = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Cexaox\\fukymiyr.dll"	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00030000000131d1-15.dat	js

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ipconfig.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	ipconfig.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	ipconfig.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description	pid	Process	procid_target
PID 1964 set thread context of 1064	1964	regsvr32.exe	36

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3Z8QHEBk.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Z8QHEBk.tmp.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Z8QHEBk.tmp.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Z8QHEBk.tmp.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
688	timeout.exe

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

Processes:

net.exenet.exe

pid	Process
1096	net.exe
1448	net.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

Processes:

ipconfig.exe

pid	Process
956	ipconfig.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

975F.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	975F.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	975F.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 774 IoCs

Processes:

3Z8QHEBk.tmp.exe

pid	Process
1060	3Z8QHEBk.tmp.exe
1060	3Z8QHEBk.tmp.exe
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1064	msiexec.exe
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3Z8QHEBk.tmp.exe

pid	Process
1060	3Z8QHEBk.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description	pid	Process
Token: SeSecurityPrivilege	1064	msiexec.exe
Token: SeSecurityPrivilege	1064	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid	Process
1324
1324
1324
1324

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid	Process
1324
1324
1324
1324

Suspicious use of WriteProcessMemory 69 IoCs

Processes:

regsvr32.exe975F.execmd.exeregsvr32.exemsiexec.execmd.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 1324 wrote to memory of 1864	1324		28
PID 1324 wrote to memory of 1864	1324		28
PID 1324 wrote to memory of 1864	1324		28
PID 1324 wrote to memory of 1864	1324		28
PID 1324 wrote to memory of 1880	1324		29
PID 1324 wrote to memory of 1880	1324		29
PID 1324 wrote to memory of 1880	1324		29
PID 1324 wrote to memory of 1880	1324		29
PID 1324 wrote to memory of 1880	1324		29
PID 1880 wrote to memory of 1964	1880	regsvr32.exe	30
PID 1880 wrote to memory of 1964	1880	regsvr32.exe	30
PID 1880 wrote to memory of 1964	1880	regsvr32.exe	30
PID 1880 wrote to memory of 1964	1880	regsvr32.exe	30
PID 1880 wrote to memory of 1964	1880	regsvr32.exe	30
PID 1880 wrote to memory of 1964	1880	regsvr32.exe	30
PID 1880 wrote to memory of 1964	1880	regsvr32.exe	30
PID 1864 wrote to memory of 580	1864	975F.exe	33
PID 1864 wrote to memory of 580	1864	975F.exe	33
PID 1864 wrote to memory of 580	1864	975F.exe	33
PID 1864 wrote to memory of 580	1864	975F.exe	33
PID 580 wrote to memory of 688	580	cmd.exe	35
PID 580 wrote to memory of 688	580	cmd.exe	35
PID 580 wrote to memory of 688	580	cmd.exe	35
PID 580 wrote to memory of 688	580	cmd.exe	35
PID 1964 wrote to memory of 1064	1964	regsvr32.exe	36
PID 1964 wrote to memory of 1064	1964	regsvr32.exe	36
PID 1964 wrote to memory of 1064	1964	regsvr32.exe	36
PID 1964 wrote to memory of 1064	1964	regsvr32.exe	36
PID 1964 wrote to memory of 1064	1964	regsvr32.exe	36
PID 1964 wrote to memory of 1064	1964	regsvr32.exe	36
PID 1964 wrote to memory of 1064	1964	regsvr32.exe	36
PID 1964 wrote to memory of 1064	1964	regsvr32.exe	36
PID 1964 wrote to memory of 1064	1964	regsvr32.exe	36
PID 1064 wrote to memory of 788	1064	msiexec.exe	38
PID 1064 wrote to memory of 788	1064	msiexec.exe	38
PID 1064 wrote to memory of 788	1064	msiexec.exe	38
PID 1064 wrote to memory of 788	1064	msiexec.exe	38
PID 788 wrote to memory of 956	788	cmd.exe	40
PID 788 wrote to memory of 956	788	cmd.exe	40
PID 788 wrote to memory of 956	788	cmd.exe	40
PID 788 wrote to memory of 956	788	cmd.exe	40
PID 1064 wrote to memory of 1400	1064	msiexec.exe	41
PID 1064 wrote to memory of 1400	1064	msiexec.exe	41
PID 1064 wrote to memory of 1400	1064	msiexec.exe	41
PID 1064 wrote to memory of 1400	1064	msiexec.exe	41
PID 1400 wrote to memory of 1320	1400	cmd.exe	43
PID 1400 wrote to memory of 1320	1400	cmd.exe	43
PID 1400 wrote to memory of 1320	1400	cmd.exe	43
PID 1400 wrote to memory of 1320	1400	cmd.exe	43
PID 1320 wrote to memory of 1332	1320	net.exe	44
PID 1320 wrote to memory of 1332	1320	net.exe	44
PID 1320 wrote to memory of 1332	1320	net.exe	44
PID 1320 wrote to memory of 1332	1320	net.exe	44
PID 1064 wrote to memory of 1068	1064	msiexec.exe	45
PID 1064 wrote to memory of 1068	1064	msiexec.exe	45
PID 1064 wrote to memory of 1068	1064	msiexec.exe	45
PID 1064 wrote to memory of 1068	1064	msiexec.exe	45
PID 1068 wrote to memory of 1096	1068	cmd.exe	47
PID 1068 wrote to memory of 1096	1068	cmd.exe	47
PID 1068 wrote to memory of 1096	1068	cmd.exe	47
PID 1068 wrote to memory of 1096	1068	cmd.exe	47
PID 1064 wrote to memory of 1244	1064	msiexec.exe	49
PID 1064 wrote to memory of 1244	1064	msiexec.exe	49
PID 1064 wrote to memory of 1244	1064	msiexec.exe	49
PID 1064 wrote to memory of 1244	1064	msiexec.exe	49
PID 1244 wrote to memory of 1448	1244	cmd.exe	51
PID 1244 wrote to memory of 1448	1244	cmd.exe	51
PID 1244 wrote to memory of 1448	1244	cmd.exe	51
PID 1244 wrote to memory of 1448	1244	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\3Z8QHEBk.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\3Z8QHEBk.tmp.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1060

C:\Users\Admin\AppData\Local\Temp\975F.exe
C:\Users\Admin\AppData\Local\Temp\975F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\975F.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:688

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\982B.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\982B.dll
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Blacklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ipconfig /all
      4⤵
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        Modifies service
        Gathers network information
        
        PID:956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net config workstation
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Windows\SysWOW64\net.exe
        
        net config workstation
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 config workstation
        6⤵
        
        PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net view /all
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\SysWOW64\net.exe
        
        net view /all
        5⤵
        Discovers systems in the same network
        
        PID:1096
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net view /all /domain
      4⤵
      PID:1244
    - - C:\Windows\SysWOW64\net.exe
        
        net view /all /domain
        5⤵
        Discovers systems in the same network
        
        PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\975F.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\975F.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\982B.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll

Download Submit
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\vcruntime140.dll

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\210A.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\982B.dll

Download Submit
memory/468-12-0x000007FEF6B70000-0x000007FEF6DEA000-memory.dmp

Filesize
2.5MB

Download
memory/580-22-0x0000000000000000-mapping.dmp

Download
memory/688-23-0x0000000000000000-mapping.dmp

Download
memory/788-28-0x0000000000000000-mapping.dmp

Download
memory/956-29-0x0000000000000000-mapping.dmp

Download
memory/1060-0-0x00000000061AB000-0x00000000061AC000-memory.dmp

Filesize
4KB

Download
memory/1060-1-0x0000000007820000-0x0000000007831000-memory.dmp

Filesize
68KB

Download
memory/1064-27-0x0000000000000000-mapping.dmp

Download
memory/1064-24-0x0000000000090000-0x00000000000BB000-memory.dmp

Filesize
172KB

Download
memory/1064-25-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1064-26-0x0000000000090000-0x00000000000BB000-memory.dmp

Filesize
172KB

Download
memory/1068-33-0x0000000000000000-mapping.dmp

Download
memory/1096-34-0x0000000000000000-mapping.dmp

Download
memory/1244-35-0x0000000000000000-mapping.dmp

Download
memory/1320-31-0x0000000000000000-mapping.dmp

Download
memory/1324-3-0x0000000003C70000-0x0000000003C86000-memory.dmp

Filesize
88KB

Download
memory/1332-32-0x0000000000000000-mapping.dmp

Download
memory/1400-30-0x0000000000000000-mapping.dmp

Download
memory/1448-36-0x0000000000000000-mapping.dmp

Download
memory/1864-4-0x0000000000000000-mapping.dmp

Download
memory/1864-10-0x0000000002948000-0x0000000002959000-memory.dmp

Filesize
68KB

Download
memory/1864-11-0x0000000002C00000-0x0000000002C11000-memory.dmp

Filesize
68KB

Download
memory/1880-6-0x0000000000000000-mapping.dmp

Download
memory/1964-8-0x0000000000000000-mapping.dmp

Download