Analysis
- max time kernel: 153s
- max time network: 130s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 25-01-2022 13:36
Static task: static1
Behavioral task: behavioral1
Sample: d01bc9755704b973d76010375c96d4de026ac25a8ca4ae8792a05733ade07bdb.exe
Resource: win10-en-20211208
General
- Target: d01bc9755704b973d76010375c96d4de026ac25a8ca4ae8792a05733ade07bdb.exe
- Size: 317KB
- MD5: 0ef345cb01c76b5c447e54de6cbc8f53
- SHA1: 82751eec5c8a990d6d4f4de2b1ff0084ab2ef832
- SHA256: d01bc9755704b973d76010375c96d4de026ac25a8ca4ae8792a05733ade07bdb
- SHA512: 12e9f3e7ed50dfe41721bd66ac1fb221715fb1517e6757e272f4a793f8e13569fa7758fb3f736c5002ef0471999d952147e5ce120a07e3fadd17f375f5e8f5f4
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
- suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
    pid 820  6BA6.exe
- Modifies Windows Firewall (1 TTP)
- Deletes itself (1 IoC)
  Processes:
    pid 3024  (process name not recorded)
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    explorer.exe  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    explorer.exe  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    explorer.exe  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Program crash (1 IoC)
  Processes:
    pid 1664  WerFault.exe  target pid 3748  target process DllHost.exe
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    d01bc9755704b973d76010375c96d4de026ac25a8ca4ae8792a05733ade07bdb.exe  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    6BA6.exe  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    6BA6.exe  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    6BA6.exe  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    d01bc9755704b973d76010375c96d4de026ac25a8ca4ae8792a05733ade07bdb.exe  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    d01bc9755704b973d76010375c96d4de026ac25a8ca4ae8792a05733ade07bdb.exe  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Enumerates processes with tasklist (1 TTP, 1 IoC)
- Gathers network information (2 TTPs, 4 IoCs)
  Uses commandline utility to view network configuration.
  Processes:
    pid 2328  ipconfig.exe
    pid 1840  NETSTAT.EXE
    pid 3020  NETSTAT.EXE
    pid 2284  ipconfig.exe
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
- Modifies Internet Explorer settings
  Processes:
    (process not recorded)  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main
    (process not recorded)  Set value (int)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
    iexplore.exe  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main
    iexplore.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
    iexplore.exe  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive
    iexplore.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"
    iexplore.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
    iexplore.exe  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing
    iexplore.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{431A4ED3-5B13-11EC-9231-6E964C5F562A} = "0"
    iexplore.exe  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
    iexplore.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
    IEXPLORE.EXE  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main
    iexplore.exe  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
    iexplore.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 3728  d01bc9755704b973d76010375c96d4de026ac25a8ca4ae8792a05733ade07bdb.exe  (2 entries)
    pid 3024  (process name not recorded; the remaining 62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 3024  (process name not recorded)
- Suspicious behavior: MapViewOfSection (48 IoCs)
  Processes:
    pid 3728  d01bc9755704b973d76010375c96d4de026ac25a8ca4ae8792a05733ade07bdb.exe  (1 entry)
    pid 820   6BA6.exe  (1 entry)
    pid 3024  (process name not recorded; 16 entries)
    pid 3832  explorer.exe  (2 entries)
    pid 1560  explorer.exe  (2 entries)
    pid 2328  explorer.exe  (2 entries)
    pid 3696  explorer.exe  (2 entries)
    pid 2476  explorer.exe  (2 entries)
    pid 1000  explorer.exe  (20 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    pid 372   WMIC.exe  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36  (each listed twice; 42 entries)
    pid 1200  WMIC.exe  Token: the same 21 privileges in the same order, with SeIncreaseQuotaPrivilege listed a second time at the end  (22 entries)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid 1328  iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid 1328  iexplore.exe  (2 entries)
    pid 2960  IEXPLORE.EXE  (2 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid and process -> target pid and process; each pair is listed twice unless noted):
    3024 (process not recorded) -> 820 6BA6.exe  (3 entries)
    3024 (process not recorded) -> 408 cmd.exe
    408 cmd.exe -> 372 WMIC.exe
    408 cmd.exe -> 1200 WMIC.exe
    408 cmd.exe -> 2212 WMIC.exe
    408 cmd.exe -> 1468 WMIC.exe
    408 cmd.exe -> 2404 WMIC.exe
    408 cmd.exe -> 2116 WMIC.exe
    408 cmd.exe -> 3580 WMIC.exe
    408 cmd.exe -> 3216 WMIC.exe
    408 cmd.exe -> 68 WMIC.exe
    408 cmd.exe -> 2876 WMIC.exe
    408 cmd.exe -> 3612 WMIC.exe
    408 cmd.exe -> 2204 WMIC.exe
    408 cmd.exe -> 1528 WMIC.exe
    408 cmd.exe -> 3808 WMIC.exe
    408 cmd.exe -> 2328 ipconfig.exe
    408 cmd.exe -> 3652 ROUTE.EXE
    408 cmd.exe -> 1160 netsh.exe
    408 cmd.exe -> 492 systeminfo.exe
    408 cmd.exe -> 1000 tasklist.exe
    408 cmd.exe -> 3600 net.exe
    3600 net.exe -> 2680 net1.exe
    408 cmd.exe -> 692 net.exe
    692 net.exe -> 2716 net1.exe
    408 cmd.exe -> 1872 net.exe
    1872 net.exe -> 372 net1.exe
    408 cmd.exe -> 3220 net.exe
    3220 net.exe -> 1200 net1.exe
    408 cmd.exe -> 956 net.exe
    408 cmd.exe -> 1376 net.exe
    1376 net.exe -> 1856 net1.exe  (1 entry)
- outlook_office_path (1 IoC)
  Processes:
    explorer.exe  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Processes:
    explorer.exe  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Windows\system32\DllHost.exe (PID 3748)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\WerFault.exe (PID 1664)
    Command line: C:\Windows\system32\WerFault.exe -u -p 3748 -s 900
    Signatures: Program crash
- C:\Windows\System32\RuntimeBroker.exe (PID 3480)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe (PID 3268)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe (PID 3248)
  Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- c:\windows\system32\taskhostw.exe (PID 2444)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- c:\windows\system32\svchost.exe (PID 2352)
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- c:\windows\system32\sihost.exe (PID 2336)
  Command line: sihost.exe
- C:\Users\Admin\AppData\Local\Temp\d01bc9755704b973d76010375c96d4de026ac25a8ca4ae8792a05733ade07bdb.exe (PID 3728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d01bc9755704b973d76010375c96d4de026ac25a8ca4ae8792a05733ade07bdb.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\6BA6.exe (PID 820)
  Command line: C:\Users\Admin\AppData\Local\Temp\6BA6.exe
  Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- C:\Windows\system32\cmd.exe (PID 408)
  Command line: cmd
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe (PID 372)
    Command line: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (PID 1200)
    Command line: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2212)
    Command line: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe (PID 1468)
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2404)
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2116)
    Command line: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe (PID 3580)
    Command line: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe (PID 3216)
    Command line: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe (PID 68)
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2876)
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe (PID 3612)
    Command line: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2204)
    Command line: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe (PID 1528)
    Command line: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe (PID 3808)
    Command line: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  - C:\Windows\system32\ipconfig.exe (PID 2328)
    Command line: ipconfig /displaydns
    Signatures: Gathers network information
  - C:\Windows\system32\ROUTE.EXE (PID 3652)
    Command line: route print
  - C:\Windows\system32\netsh.exe (PID 1160)
    Command line: netsh firewall show state
  - C:\Windows\system32\systeminfo.exe (PID 492)
    Command line: systeminfo
    Signatures: Gathers system information
  - C:\Windows\system32\tasklist.exe (PID 1000)
    Command line: tasklist /v
    Signatures: Enumerates processes with tasklist
  - C:\Windows\system32\net.exe (PID 3600)
    Command line: net accounts /domain
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2680)
      Command line: C:\Windows\system32\net1 accounts /domain
  - C:\Windows\system32\net.exe (PID 692)
    Command line: net share
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2716)
      Command line: C:\Windows\system32\net1 share
  - C:\Windows\system32\net.exe (PID 1872)
    Command line: net user
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 372)
      Command line: C:\Windows\system32\net1 user
  - C:\Windows\system32\net.exe (PID 3220)
    Command line: net user /domain
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1200)
      Command line: C:\Windows\system32\net1 user /domain
  - C:\Windows\system32\net.exe (PID 956)
    Command line: net use
  - C:\Windows\system32\net.exe (PID 1376)
    Command line: net group
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1856)
      Command line: C:\Windows\system32\net1 group
  - C:\Windows\system32\net.exe (PID 1920)
    Command line: net localgroup
    - C:\Windows\system32\net1.exe (PID 1368)
      Command line: C:\Windows\system32\net1 localgroup
  - C:\Windows\system32\NETSTAT.EXE (PID 1840)
    Command line: netstat -r
    Signatures: Gathers network information
    - C:\Windows\system32\cmd.exe (PID 1548)
      Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      - C:\Windows\system32\ROUTE.EXE (PID 2104)
        Command line: C:\Windows\system32\route.exe print
  - C:\Windows\system32\NETSTAT.EXE (PID 3020)
    Command line: netstat -nao
    Signatures: Gathers network information
  - C:\Windows\system32\schtasks.exe (PID 3948)
    Command line: schtasks /query
  - C:\Windows\system32\ipconfig.exe (PID 2284)
    Command line: ipconfig /all
    Signatures: Gathers network information
- C:\Windows\system32\msiexec.exe (PID 1572)
  Command line: C:\Windows\system32\msiexec.exe /V
- C:\Program Files\Internet Explorer\iexplore.exe (PID 1328)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2960)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1328 CREDAT:82945 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\explorer.exe (PID 68)
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Accesses Microsoft Outlook profiles; outlook_office_path; outlook_win_path
- C:\Windows\explorer.exe (PID 2180)
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe (PID 3832)
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe (PID 1560)
  Command line: C:\Windows\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\SysWOW64\explorer.exe (PID 2328)
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe (PID 3696)
  Command line: C:\Windows\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\SysWOW64\explorer.exe (PID 2476)
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe (PID 1000)
  Command line: C:\Windows\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
Downloads
- C:\Users\Admin\AppData\Local\Temp\6BA6.exe
  MD5: d1645a2edd8f6a3487df0ecc21742fe8
  SHA1: 47e6fd6920e05711277a7bbeddeca6380dde9dae
  SHA256: bc4d286d54bb56c573d885cb56fd0294201809afd459310dd6fe092ee5fa4d3a
  SHA512: d611140c64bf9ec5c826a2ee24d7e1fe9b8dac166a405ab2672795739ebbdcde381b22c8565e5bd2a81f7019b43add5ee05845fd7a14dca82106865a3d65b85c