smokeloader | 3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e

Analysis

max time kernel
151s
max time network
145s
platform
windows10_x64
resource
win10-en-20211104
submitted
03-12-2021 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exe
Size

318KB
MD5

392562636ab2d7aafc43c18a7540ef57
SHA1

326d538909ece8442b3c5c73869c24e56e24e181
SHA256

3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e
SHA512

e85f5f9c958a4f344cf88dc6fb126474d44381e92b6a0407818af74407e91c3d1ec436f6d8623bde25e1bf6cd62f43674ed48f4c52d9ce99e8abdfa84bcf9419

Score

10^/10

smokeloader backdoor collection evasion suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Executes dropped EXE 1 IoCs

Processes:

ecrvsgi

pid process

4692 ecrvsgi
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

2060

pid	process
4692	ecrvsgi

pid	process
2060

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2348 3796 WerFault.exe DllHost.exe

pid	pid_target	process	target process
2348	3796	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exeecrvsgi

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ecrvsgi
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ecrvsgi
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ecrvsgi

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2548 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

4920 ipconfig.exe
1244 NETSTAT.EXE
4352 NETSTAT.EXE
1900 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4620 systeminfo.exe

pid	process
2548	tasklist.exe

pid	process
4920	ipconfig.exe
1244	NETSTAT.EXE
4352	NETSTAT.EXE
1900	ipconfig.exe

pid	process
4620	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2104C791-56C8-11EC-B34F-F23AFFACC4A0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exe

pid	process
3552	3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exe
3552	3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exe
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2060

pid	process
2060

Suspicious behavior: MapViewOfSection 48 IoCs

Processes:

3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exeecrvsgiexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3552	3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exe
4692	ecrvsgi
2060
2060
2060
2060
2060
2060
3764	explorer.exe
3764	explorer.exe
2060
2060
4584	explorer.exe
4584	explorer.exe
2060
2060
3156	explorer.exe
3156	explorer.exe
2060
2060
3396	explorer.exe
3396	explorer.exe
2060
2060
3152	explorer.exe
3152	explorer.exe
2060
2060
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe
1020	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3692	WMIC.exe
Token: SeSecurityPrivilege	3692	WMIC.exe
Token: SeTakeOwnershipPrivilege	3692	WMIC.exe
Token: SeLoadDriverPrivilege	3692	WMIC.exe
Token: SeSystemProfilePrivilege	3692	WMIC.exe
Token: SeSystemtimePrivilege	3692	WMIC.exe
Token: SeProfSingleProcessPrivilege	3692	WMIC.exe
Token: SeIncBasePriorityPrivilege	3692	WMIC.exe
Token: SeCreatePagefilePrivilege	3692	WMIC.exe
Token: SeBackupPrivilege	3692	WMIC.exe
Token: SeRestorePrivilege	3692	WMIC.exe
Token: SeShutdownPrivilege	3692	WMIC.exe
Token: SeDebugPrivilege	3692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3692	WMIC.exe
Token: SeRemoteShutdownPrivilege	3692	WMIC.exe
Token: SeUndockPrivilege	3692	WMIC.exe
Token: SeManageVolumePrivilege	3692	WMIC.exe
Token: 33	3692	WMIC.exe
Token: 34	3692	WMIC.exe
Token: 35	3692	WMIC.exe
Token: 36	3692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3692	WMIC.exe
Token: SeSecurityPrivilege	3692	WMIC.exe
Token: SeTakeOwnershipPrivilege	3692	WMIC.exe
Token: SeLoadDriverPrivilege	3692	WMIC.exe
Token: SeSystemProfilePrivilege	3692	WMIC.exe
Token: SeSystemtimePrivilege	3692	WMIC.exe
Token: SeProfSingleProcessPrivilege	3692	WMIC.exe
Token: SeIncBasePriorityPrivilege	3692	WMIC.exe
Token: SeCreatePagefilePrivilege	3692	WMIC.exe
Token: SeBackupPrivilege	3692	WMIC.exe
Token: SeRestorePrivilege	3692	WMIC.exe
Token: SeShutdownPrivilege	3692	WMIC.exe
Token: SeDebugPrivilege	3692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3692	WMIC.exe
Token: SeRemoteShutdownPrivilege	3692	WMIC.exe
Token: SeUndockPrivilege	3692	WMIC.exe
Token: SeManageVolumePrivilege	3692	WMIC.exe
Token: 33	3692	WMIC.exe
Token: 34	3692	WMIC.exe
Token: 35	3692	WMIC.exe
Token: 36	3692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3396	WMIC.exe
Token: SeSecurityPrivilege	3396	WMIC.exe
Token: SeTakeOwnershipPrivilege	3396	WMIC.exe
Token: SeLoadDriverPrivilege	3396	WMIC.exe
Token: SeSystemProfilePrivilege	3396	WMIC.exe
Token: SeSystemtimePrivilege	3396	WMIC.exe
Token: SeProfSingleProcessPrivilege	3396	WMIC.exe
Token: SeIncBasePriorityPrivilege	3396	WMIC.exe
Token: SeCreatePagefilePrivilege	3396	WMIC.exe
Token: SeBackupPrivilege	3396	WMIC.exe
Token: SeRestorePrivilege	3396	WMIC.exe
Token: SeShutdownPrivilege	3396	WMIC.exe
Token: SeDebugPrivilege	3396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3396	WMIC.exe
Token: SeRemoteShutdownPrivilege	3396	WMIC.exe
Token: SeUndockPrivilege	3396	WMIC.exe
Token: SeManageVolumePrivilege	3396	WMIC.exe
Token: 33	3396	WMIC.exe
Token: 34	3396	WMIC.exe
Token: 35	3396	WMIC.exe
Token: 36	3396	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3396	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1480 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1480 iexplore.exe
1480 iexplore.exe
688 IEXPLORE.EXE
688 IEXPLORE.EXE

pid	process
1480	iexplore.exe

pid	process
1480	iexplore.exe
1480	iexplore.exe
688	IEXPLORE.EXE
688	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2060 wrote to memory of 764	2060		cmd.exe
PID 2060 wrote to memory of 764	2060		cmd.exe
PID 764 wrote to memory of 3692	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 3692	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 3396	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 3396	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 4116	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 4116	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 3948	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 3948	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 652	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 652	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 2492	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 2492	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 2652	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 2652	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 2148	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 2148	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 2608	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 2608	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 4016	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 4016	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 2312	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 2312	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 1256	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 1256	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 4964	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 4964	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 1444	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 1444	764	cmd.exe	WMIC.exe
PID 764 wrote to memory of 4920	764	cmd.exe	ipconfig.exe
PID 764 wrote to memory of 4920	764	cmd.exe	ipconfig.exe
PID 764 wrote to memory of 4952	764	cmd.exe	ROUTE.EXE
PID 764 wrote to memory of 4952	764	cmd.exe	ROUTE.EXE
PID 764 wrote to memory of 1476	764	cmd.exe	netsh.exe
PID 764 wrote to memory of 1476	764	cmd.exe	netsh.exe
PID 764 wrote to memory of 4620	764	cmd.exe	systeminfo.exe
PID 764 wrote to memory of 4620	764	cmd.exe	systeminfo.exe
PID 764 wrote to memory of 2548	764	cmd.exe	tasklist.exe
PID 764 wrote to memory of 2548	764	cmd.exe	tasklist.exe
PID 764 wrote to memory of 5112	764	cmd.exe	net.exe
PID 764 wrote to memory of 5112	764	cmd.exe	net.exe
PID 5112 wrote to memory of 540	5112	net.exe	net1.exe
PID 5112 wrote to memory of 540	5112	net.exe	net1.exe
PID 764 wrote to memory of 608	764	cmd.exe	net.exe
PID 764 wrote to memory of 608	764	cmd.exe	net.exe
PID 608 wrote to memory of 1080	608	net.exe	net1.exe
PID 608 wrote to memory of 1080	608	net.exe	net1.exe
PID 764 wrote to memory of 1132	764	cmd.exe	net.exe
PID 764 wrote to memory of 1132	764	cmd.exe	net.exe
PID 1132 wrote to memory of 5044	1132	net.exe	net1.exe
PID 1132 wrote to memory of 5044	1132	net.exe	net1.exe
PID 764 wrote to memory of 1072	764	cmd.exe	net.exe
PID 764 wrote to memory of 1072	764	cmd.exe	net.exe
PID 1072 wrote to memory of 4724	1072	net.exe	net1.exe
PID 1072 wrote to memory of 4724	1072	net.exe	net1.exe
PID 764 wrote to memory of 4988	764	cmd.exe	net.exe
PID 764 wrote to memory of 4988	764	cmd.exe	net.exe
PID 764 wrote to memory of 956	764	cmd.exe	net.exe
PID 764 wrote to memory of 956	764	cmd.exe	net.exe
PID 956 wrote to memory of 2336	956	net.exe	net1.exe
PID 956 wrote to memory of 2336	956	net.exe	net1.exe
PID 764 wrote to memory of 2324	764	cmd.exe	net.exe
PID 764 wrote to memory of 2324	764	cmd.exe	net.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2408

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3236

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3252

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2704

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3796 -s 900
2⤵
- Program crash
PID:2348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exe
"C:\Users\Admin\AppData\Local\Temp\3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3552

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:4116

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:3948

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:652

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:2492

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:2652

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:2148

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:2608

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:4016

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:2312

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:1256

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:4964

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:1444

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:4920

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:4952

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:1476

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:4620

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:2548

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:540

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:1080

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:5044

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:4724

C:\Windows\system32\net.exe
net use
2⤵
PID:4988

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:2336

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:2324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:1292

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:1440

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:1412

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:4352

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:1780

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:1900

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:488

C:\Users\Admin\AppData\Roaming\ecrvsgi
C:\Users\Admin\AppData\Roaming\ecrvsgi
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:688

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3544

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4408

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3764

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4584

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3156

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3396

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3152

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ecrvsgi
MD5
392562636ab2d7aafc43c18a7540ef57

SHA1
326d538909ece8442b3c5c73869c24e56e24e181

SHA256
3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e

SHA512
e85f5f9c958a4f344cf88dc6fb126474d44381e92b6a0407818af74407e91c3d1ec436f6d8623bde25e1bf6cd62f43674ed48f4c52d9ce99e8abdfa84bcf9419

Download Submit
C:\Users\Admin\AppData\Roaming\ecrvsgi
MD5
392562636ab2d7aafc43c18a7540ef57

SHA1
326d538909ece8442b3c5c73869c24e56e24e181

SHA256
3d3df80f62c7b2ae830dcccf38626443004f61f0c44750cd8e8b3a84b615fc0e

SHA512
e85f5f9c958a4f344cf88dc6fb126474d44381e92b6a0407818af74407e91c3d1ec436f6d8623bde25e1bf6cd62f43674ed48f4c52d9ce99e8abdfa84bcf9419

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/488-132-0x0000027C7ACE0000-0x0000027C7ACE2000-memory.dmp

Filesize
8KB

Download
memory/488-131-0x0000027C7ACE0000-0x0000027C7ACE2000-memory.dmp

Filesize
8KB

Download
memory/540-150-0x0000000000000000-mapping.dmp

Download
memory/608-151-0x0000000000000000-mapping.dmp

Download
memory/652-130-0x0000000000000000-mapping.dmp

Download
memory/688-200-0x0000000000000000-mapping.dmp

Download
memory/764-125-0x0000000000000000-mapping.dmp

Download
memory/956-160-0x0000000000000000-mapping.dmp

Download
memory/1020-254-0x00000000010D0000-0x00000000010DD000-memory.dmp

Filesize
52KB

Download
memory/1020-253-0x00000000010E0000-0x00000000010E7000-memory.dmp

Filesize
28KB

Download
memory/1020-252-0x0000000000000000-mapping.dmp

Download
memory/1072-156-0x0000000000000000-mapping.dmp

Download
memory/1080-152-0x0000000000000000-mapping.dmp

Download
memory/1132-154-0x0000000000000000-mapping.dmp

Download
memory/1244-165-0x0000000000000000-mapping.dmp

Download
memory/1256-139-0x0000000000000000-mapping.dmp

Download
memory/1292-163-0x0000000000000000-mapping.dmp

Download
memory/1412-167-0x0000000000000000-mapping.dmp

Download
memory/1440-166-0x0000000000000000-mapping.dmp

Download
memory/1444-141-0x0000000000000000-mapping.dmp

Download
memory/1476-144-0x0000000000000000-mapping.dmp

Download
memory/1480-184-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-205-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-262-0x000001C09CB90000-0x000001C09CB91000-memory.dmp

Filesize
4KB

Download
memory/1480-260-0x000001C09EC80000-0x000001C09EC81000-memory.dmp

Filesize
4KB

Download
memory/1480-259-0x000001C09EC80000-0x000001C09EC81000-memory.dmp

Filesize
4KB

Download
memory/1480-248-0x000001C09EBD0000-0x000001C09EBD1000-memory.dmp

Filesize
4KB

Download
memory/1480-241-0x000001C09CB80000-0x000001C09CB81000-memory.dmp

Filesize
4KB

Download
memory/1480-226-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-224-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-223-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-222-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-221-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-220-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-219-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-218-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-217-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-216-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-212-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-210-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-209-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-207-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-189-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-204-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-202-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-201-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-198-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-197-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-188-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-196-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-195-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-193-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-192-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-175-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-176-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-177-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-179-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-180-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-181-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-182-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-183-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-191-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-185-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1480-187-0x00007FFAE0A20000-0x00007FFAE0A8B000-memory.dmp

Filesize
428KB

Download
memory/1780-169-0x0000000000000000-mapping.dmp

Download
memory/1900-170-0x0000000000000000-mapping.dmp

Download
memory/2060-211-0x0000000002020000-0x0000000002036000-memory.dmp

Filesize
88KB

Download
memory/2060-174-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2060-173-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2060-171-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2060-121-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/2060-122-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2060-123-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2060-124-0x0000000001FD0000-0x0000000001FDF000-memory.dmp

Filesize
60KB

Download
memory/2148-135-0x0000000000000000-mapping.dmp

Download
memory/2312-138-0x0000000000000000-mapping.dmp

Download
memory/2324-162-0x0000000000000000-mapping.dmp

Download
memory/2336-161-0x0000000000000000-mapping.dmp

Download
memory/2348-261-0x0000024CECF70000-0x0000024CECF71000-memory.dmp

Filesize
4KB

Download
memory/2408-255-0x0000016FD2F80000-0x0000016FD2F81000-memory.dmp

Filesize
4KB

Download
memory/2424-256-0x000002623AD40000-0x000002623AD41000-memory.dmp

Filesize
4KB

Download
memory/2492-133-0x0000000000000000-mapping.dmp

Download
memory/2548-148-0x0000000000000000-mapping.dmp

Download
memory/2608-136-0x0000000000000000-mapping.dmp

Download
memory/2652-134-0x0000000000000000-mapping.dmp

Download
memory/2704-257-0x000001C85FF40000-0x000001C85FF41000-memory.dmp

Filesize
4KB

Download
memory/3152-250-0x0000000002F30000-0x0000000002F36000-memory.dmp

Filesize
24KB

Download
memory/3152-249-0x0000000000000000-mapping.dmp

Download
memory/3152-251-0x0000000002F20000-0x0000000002F2B000-memory.dmp

Filesize
44KB

Download
memory/3156-242-0x0000000000000000-mapping.dmp

Download
memory/3156-243-0x0000000003260000-0x0000000003265000-memory.dmp

Filesize
20KB

Download
memory/3156-244-0x0000000003250000-0x0000000003259000-memory.dmp

Filesize
36KB

Download
memory/3396-127-0x0000000000000000-mapping.dmp

Download
memory/3396-246-0x0000000000D50000-0x0000000000D56000-memory.dmp

Filesize
24KB

Download
memory/3396-247-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/3396-245-0x0000000000000000-mapping.dmp

Download
memory/3460-258-0x00000201F57F0000-0x00000201F57F1000-memory.dmp

Filesize
4KB

Download
memory/3544-230-0x0000000000860000-0x00000000008D5000-memory.dmp

Filesize
468KB

Download
memory/3544-231-0x00000000007F0000-0x000000000085B000-memory.dmp

Filesize
428KB

Download
memory/3544-225-0x0000000000000000-mapping.dmp

Download
memory/3552-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3552-118-0x00000000006B1000-0x00000000006C2000-memory.dmp

Filesize
68KB

Download
memory/3552-120-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3692-126-0x0000000000000000-mapping.dmp

Download
memory/3764-237-0x00000000032D0000-0x00000000032DB000-memory.dmp

Filesize
44KB

Download
memory/3764-236-0x00000000032E0000-0x00000000032E7000-memory.dmp

Filesize
28KB

Download
memory/3764-235-0x0000000000000000-mapping.dmp

Download
memory/3948-129-0x0000000000000000-mapping.dmp

Download
memory/4016-137-0x0000000000000000-mapping.dmp

Download
memory/4116-128-0x0000000000000000-mapping.dmp

Download
memory/4352-168-0x0000000000000000-mapping.dmp

Download
memory/4408-234-0x0000000000E80000-0x0000000000E8C000-memory.dmp

Filesize
48KB

Download
memory/4408-233-0x0000000000E90000-0x0000000000E97000-memory.dmp

Filesize
28KB

Download
memory/4408-232-0x0000000000000000-mapping.dmp

Download
memory/4584-240-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/4584-238-0x0000000000000000-mapping.dmp

Download
memory/4584-239-0x0000000000880000-0x0000000000889000-memory.dmp

Filesize
36KB

Download
memory/4620-145-0x0000000000000000-mapping.dmp

Download
memory/4692-153-0x00000000006B1000-0x00000000006C2000-memory.dmp

Filesize
68KB

Download
memory/4692-158-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4724-157-0x0000000000000000-mapping.dmp

Download
memory/4920-142-0x0000000000000000-mapping.dmp

Download
memory/4952-143-0x0000000000000000-mapping.dmp

Download
memory/4964-140-0x0000000000000000-mapping.dmp

Download
memory/4988-159-0x0000000000000000-mapping.dmp

Download
memory/5044-155-0x0000000000000000-mapping.dmp

Download
memory/5112-149-0x0000000000000000-mapping.dmp

Download