smokeloader | f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece

General

Target

f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exe
Size

262KB
MD5

bc40f27825365026cbec6c48b5ce10d9
SHA1

aee0add1e95c97a9a3b659a9dbf490db66f60a05
SHA256

f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece
SHA512

9a4720a3985c32017585c0fd72aa0ab8a2481f39effee8276eafa973a36890b92ffa355a97bea68038e1c8ff0f19fb84602747b8fdad417f6bd1ea95efd651bc

Score

10^/10

smokeloader backdoor evasion persistence suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 456 created 3116	456	WerFault.exe	explorer.exe
PID 3420 created 2844	3420	WerFault.exe	DllHost.exe
PID 3612 created 1788	3612	WerFault.exe	DllHost.exe
PID 3636 created 3988	3636	WerFault.exe	DllHost.exe
PID 3260 created 964	3260	WerFault.exe	DllHost.exe
PID 2864 created 3036	2864	WerFault.exe	DllHost.exe

suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Executes dropped EXE 1 IoCs

Processes:

uubewce

pid process

468 uubewce
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Drops file in Windows directory 1 IoCs

Processes:

TiWorker.exe

description ioc process

File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe

pid	process
468	uubewce

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
988	3116	WerFault.exe	explorer.exe
1572	2844	WerFault.exe	DllHost.exe
3752	1788	WerFault.exe	DllHost.exe
3556	3988	WerFault.exe	DllHost.exe
2580	964	WerFault.exe	DllHost.exe
1568	3036	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exeuubewce

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uubewce
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uubewce
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uubewce
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2740 tasklist.exe

pid	process
2740	tasklist.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

3516 ipconfig.exe
2684 NETSTAT.EXE
2232 NETSTAT.EXE
2808 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2520 systeminfo.exe

pid	process
3516	ipconfig.exe
2684	NETSTAT.EXE
2232	NETSTAT.EXE
2808	ipconfig.exe

pid	process
2520	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000003cd81bdd252220c9849c8c2726f80437c4bead61e7eb9d59fe82a5f75079963a000000000e80000000020000200000009c93bd7b1a5f9601d9e6d8c3a574e240f15d2167084e68683f8b1f87091f01ed200000009ba65c91a44a13a64619e254227bc6f6ead67d231f3b3acf41d0e6cbbc474c9540000000c7fe8e5a5b98a2b846c45c6cfa606c3336f63561b71b2efa949d6dcd4d5417f7447a07eca0a89901b0be34aaebe033693189f9265aeb7ff28cb2b673f8c5e3ee	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda0000000002000000000010660000000100002000000071c5e843bc65f1fe6b82d346e6abf98105a3b53a43e178bc3d33f1ae7e0ace62000000000e80000000020000200000003bb66ae2d24de077c3f97389a4c40d2a419dcaa2fa923667f1f77ef9dc81052f20000000b129e199ea916e7a2e01e7045084cf84e4e10e99faf1e41d070cc7f0545915fc40000000ad015c847aefbd1e29757ace2ef2e51569a8dc6bc2975b4e18c9ec10dc95eefc79a94568288ee27d3655f4f5e4bb77b4f25ead97437f031ca68004591c30493c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1079576b0912d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1624180697"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1624180697"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30924b6b0912d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4969E46E-73F8-11EC-82D0-DE0FC891F8E3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937609"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937609"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "349893399"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1624180697"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937609"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937609"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1624180697"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exe

pid	process
1888	f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exe
1888	f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exe
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540
2540

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2540

pid	process
2540

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeuubewce

pid	process
1888	f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exe
2540
2540
2540
2540
2540
2540
492	explorer.exe
492	explorer.exe
2540
2540
2520	explorer.exe
2520	explorer.exe
2540
2540
2540
2540
1784	explorer.exe
1784	explorer.exe
1068	explorer.exe
1068	explorer.exe
2540
2540
548	explorer.exe
548	explorer.exe
2540
2540
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
548	explorer.exe
548	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
548	explorer.exe
548	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
548	explorer.exe
548	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
468	uubewce
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3940	WMIC.exe
Token: SeSecurityPrivilege	3940	WMIC.exe
Token: SeTakeOwnershipPrivilege	3940	WMIC.exe
Token: SeLoadDriverPrivilege	3940	WMIC.exe
Token: SeSystemProfilePrivilege	3940	WMIC.exe
Token: SeSystemtimePrivilege	3940	WMIC.exe
Token: SeProfSingleProcessPrivilege	3940	WMIC.exe
Token: SeIncBasePriorityPrivilege	3940	WMIC.exe
Token: SeCreatePagefilePrivilege	3940	WMIC.exe
Token: SeBackupPrivilege	3940	WMIC.exe
Token: SeRestorePrivilege	3940	WMIC.exe
Token: SeShutdownPrivilege	3940	WMIC.exe
Token: SeDebugPrivilege	3940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3940	WMIC.exe
Token: SeRemoteShutdownPrivilege	3940	WMIC.exe
Token: SeUndockPrivilege	3940	WMIC.exe
Token: SeManageVolumePrivilege	3940	WMIC.exe
Token: 33	3940	WMIC.exe
Token: 34	3940	WMIC.exe
Token: 35	3940	WMIC.exe
Token: 36	3940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3940	WMIC.exe
Token: SeSecurityPrivilege	3940	WMIC.exe
Token: SeTakeOwnershipPrivilege	3940	WMIC.exe
Token: SeLoadDriverPrivilege	3940	WMIC.exe
Token: SeSystemProfilePrivilege	3940	WMIC.exe
Token: SeSystemtimePrivilege	3940	WMIC.exe
Token: SeProfSingleProcessPrivilege	3940	WMIC.exe
Token: SeIncBasePriorityPrivilege	3940	WMIC.exe
Token: SeCreatePagefilePrivilege	3940	WMIC.exe
Token: SeBackupPrivilege	3940	WMIC.exe
Token: SeRestorePrivilege	3940	WMIC.exe
Token: SeShutdownPrivilege	3940	WMIC.exe
Token: SeDebugPrivilege	3940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3940	WMIC.exe
Token: SeRemoteShutdownPrivilege	3940	WMIC.exe
Token: SeUndockPrivilege	3940	WMIC.exe
Token: SeManageVolumePrivilege	3940	WMIC.exe
Token: 33	3940	WMIC.exe
Token: 34	3940	WMIC.exe
Token: 35	3940	WMIC.exe
Token: 36	3940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3944	WMIC.exe
Token: SeSecurityPrivilege	3944	WMIC.exe
Token: SeTakeOwnershipPrivilege	3944	WMIC.exe
Token: SeLoadDriverPrivilege	3944	WMIC.exe
Token: SeSystemProfilePrivilege	3944	WMIC.exe
Token: SeSystemtimePrivilege	3944	WMIC.exe
Token: SeProfSingleProcessPrivilege	3944	WMIC.exe
Token: SeIncBasePriorityPrivilege	3944	WMIC.exe
Token: SeCreatePagefilePrivilege	3944	WMIC.exe
Token: SeBackupPrivilege	3944	WMIC.exe
Token: SeRestorePrivilege	3944	WMIC.exe
Token: SeShutdownPrivilege	3944	WMIC.exe
Token: SeDebugPrivilege	3944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3944	WMIC.exe
Token: SeRemoteShutdownPrivilege	3944	WMIC.exe
Token: SeUndockPrivilege	3944	WMIC.exe
Token: SeManageVolumePrivilege	3944	WMIC.exe
Token: 33	3944	WMIC.exe
Token: 34	3944	WMIC.exe
Token: 35	3944	WMIC.exe
Token: 36	3944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3944	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2692 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2692 iexplore.exe
2692 iexplore.exe
3208 IEXPLORE.EXE
3208 IEXPLORE.EXE

pid	process
2692	iexplore.exe

pid	process
2692	iexplore.exe
2692	iexplore.exe
3208	IEXPLORE.EXE
3208	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2540 wrote to memory of 1800	2540		cmd.exe
PID 2540 wrote to memory of 1800	2540		cmd.exe
PID 1800 wrote to memory of 3940	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3940	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3944	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3944	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 2288	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 2288	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 1056	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 1056	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3868	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3868	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3708	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3708	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3928	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3928	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3428	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3428	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 2692	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 2692	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 640	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 640	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 928	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 928	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 436	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 436	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3660	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3660	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 2624	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 2624	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 3516	1800	cmd.exe	ipconfig.exe
PID 1800 wrote to memory of 3516	1800	cmd.exe	ipconfig.exe
PID 1800 wrote to memory of 3956	1800	cmd.exe	ROUTE.EXE
PID 1800 wrote to memory of 3956	1800	cmd.exe	ROUTE.EXE
PID 1800 wrote to memory of 3060	1800	cmd.exe	netsh.exe
PID 1800 wrote to memory of 3060	1800	cmd.exe	netsh.exe
PID 1800 wrote to memory of 2520	1800	cmd.exe	systeminfo.exe
PID 1800 wrote to memory of 2520	1800	cmd.exe	systeminfo.exe
PID 1800 wrote to memory of 2740	1800	cmd.exe	tasklist.exe
PID 1800 wrote to memory of 2740	1800	cmd.exe	tasklist.exe
PID 1800 wrote to memory of 988	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 988	1800	cmd.exe	net.exe
PID 988 wrote to memory of 688	988	net.exe	net1.exe
PID 988 wrote to memory of 688	988	net.exe	net1.exe
PID 1800 wrote to memory of 3764	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 3764	1800	cmd.exe	net.exe
PID 3764 wrote to memory of 3876	3764	net.exe	net1.exe
PID 3764 wrote to memory of 3876	3764	net.exe	net1.exe
PID 1800 wrote to memory of 2128	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 2128	1800	cmd.exe	net.exe
PID 2128 wrote to memory of 1208	2128	net.exe	net1.exe
PID 2128 wrote to memory of 1208	2128	net.exe	net1.exe
PID 1800 wrote to memory of 4044	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 4044	1800	cmd.exe	net.exe
PID 4044 wrote to memory of 2904	4044	net.exe	net1.exe
PID 4044 wrote to memory of 2904	4044	net.exe	net1.exe
PID 1800 wrote to memory of 1656	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 1656	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 2580	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 2580	1800	cmd.exe	net.exe
PID 2580 wrote to memory of 1648	2580	net.exe	net1.exe
PID 2580 wrote to memory of 1648	2580	net.exe	net1.exe
PID 1800 wrote to memory of 1684	1800	cmd.exe	net.exe
PID 1800 wrote to memory of 1684	1800	cmd.exe	net.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2340

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2388

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3004

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2844 -s 996
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2636

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1584

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3168

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exe
"C:\Users\Admin\AppData\Local\Temp\f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1888

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c0114be2cfd654ea85aa76487b47b6fc YorinnXjoUWhdGTRBe0mRA.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:652

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:2288

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:1056

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:3868

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3708

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3928

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:3428

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:2692

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:640

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:928

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:436

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:3660

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:2624

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:3516

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3956

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:3060

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:2520

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:2740

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:688

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:3876

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:1208

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:2904

C:\Windows\system32\net.exe
net use
2⤵
PID:1656

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:1648

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:1684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:3388

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:1520

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:2548

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:2232

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:3160

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:2808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1324

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2152

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3208

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 892
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:988

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3516

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:492

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3116 -ip 3116
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:456

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1068

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1784

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:548

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2600

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2844 -ip 2844
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3420

C:\Users\Admin\AppData\Roaming\uubewce
C:\Users\Admin\AppData\Roaming\uubewce
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:468

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:4084

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1788 -s 644
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 1788 -ip 1788
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3988 -s 852
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 3988 -ip 3988
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:964

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 964 -s 776
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 964 -ip 964
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3260

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3036 -s 848
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 3036 -ip 3036
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
MD5
5c352f78f835087295eddac015803d94

SHA1
65beeb5f41cf47fcb67c2702ad1245508daa364f

SHA256
35cc661cdef73841411c945fec1802003d3e4e7f2523829643e8dea56b8315c4

SHA512
5a17baa9a28ace927e2eba0d6fca88fb20211ab956cf02982f41e13a0a4f7dbb356ee1e7cc9e6ce7d6188cea7ca5dce7a1a0a3ecee5769990936efcb913cd088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log
MD5
59071590099d21dd439896592338bf95

SHA1
6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c

SHA256
07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541

SHA512
eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
MD5
12016532a007a64af6b2db3112c0a803

SHA1
a0ec0402d2cc5db4788b2ad27cbae7a18fd20b99

SHA256
58392512b925a89ab723cad89924c961361d859416e1680c6efbe8aa4c98df34

SHA512
fc1c180f25c584450fc1096becdac64c2bc13c5e05900354e1eb535850aee7f68135468625784b5cffaa6a139406431d1849f496f97513a40752766d3e430872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
MD5
6d1cc8c50404c56a590854933fcb5d92

SHA1
6f31fc677396dc37b26305d63772eec5b85f2a6b

SHA256
eb3ce6dd79c49e38a9d614a1f2531a136a23eb107ea6811231d86808cfb8c53e

SHA512
c1e47e763f647a24eee6fce1ffd1f8267ce4571f870d26ef209d3dde54ec4f0c9f2f1858190851f28b7f2a04d03382d0cae74289bb83c9340ad8a103e62b5755

Download Submit
C:\Users\Admin\AppData\Roaming\uubewce
MD5
bc40f27825365026cbec6c48b5ce10d9

SHA1
aee0add1e95c97a9a3b659a9dbf490db66f60a05

SHA256
f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece

SHA512
9a4720a3985c32017585c0fd72aa0ab8a2481f39effee8276eafa973a36890b92ffa355a97bea68038e1c8ff0f19fb84602747b8fdad417f6bd1ea95efd651bc

Download Submit
C:\Users\Admin\AppData\Roaming\uubewce
MD5
bc40f27825365026cbec6c48b5ce10d9

SHA1
aee0add1e95c97a9a3b659a9dbf490db66f60a05

SHA256
f2b2282a889ead254365b72132d7afd29bd59efd3d60d5669e08f87a639c5ece

SHA512
9a4720a3985c32017585c0fd72aa0ab8a2481f39effee8276eafa973a36890b92ffa355a97bea68038e1c8ff0f19fb84602747b8fdad417f6bd1ea95efd651bc

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/468-187-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/468-188-0x00000000001F0000-0x00000000001FB000-memory.dmp

Filesize
44KB

Download
memory/468-190-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/492-160-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/492-161-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/548-169-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/548-168-0x0000000000C70000-0x0000000000C76000-memory.dmp

Filesize
24KB

Download
memory/964-197-0x000002371CB90000-0x000002371CB98000-memory.dmp

Filesize
32KB

Download
memory/964-198-0x000002371CB80000-0x000002371CB81000-memory.dmp

Filesize
4KB

Download
memory/964-199-0x000002371CB80000-0x000002371CB88000-memory.dmp

Filesize
32KB

Download
memory/964-203-0x000002371CB60000-0x000002371CB68000-memory.dmp

Filesize
32KB

Download
memory/964-204-0x000002371CD20000-0x000002371CD28000-memory.dmp

Filesize
32KB

Download
memory/964-205-0x000002371CD10000-0x000002371CD11000-memory.dmp

Filesize
4KB

Download
memory/988-178-0x0000000003560000-0x000000000380F000-memory.dmp

Filesize
2.7MB

Download
memory/988-179-0x0000000003550000-0x000000000355B000-memory.dmp

Filesize
44KB

Download
memory/1068-166-0x0000000003460000-0x0000000003465000-memory.dmp

Filesize
20KB

Download
memory/1068-167-0x0000000003450000-0x0000000003459000-memory.dmp

Filesize
36KB

Download
memory/1728-186-0x00000196FEBE0000-0x00000196FEBE1000-memory.dmp

Filesize
4KB

Download
memory/1784-165-0x0000000000100000-0x000000000010C000-memory.dmp

Filesize
48KB

Download
memory/1784-164-0x0000000000110000-0x0000000000116000-memory.dmp

Filesize
24KB

Download
memory/1788-192-0x000002138F2A0000-0x000002138F2B0000-memory.dmp

Filesize
64KB

Download
memory/1788-193-0x000002138F300000-0x000002138F310000-memory.dmp

Filesize
64KB

Download
memory/1788-194-0x0000021390660000-0x0000021390668000-memory.dmp

Filesize
32KB

Download
memory/1788-196-0x000002138F170000-0x000002138F178000-memory.dmp

Filesize
32KB

Download
memory/1888-131-0x00000000008A0000-0x00000000008A9000-memory.dmp

Filesize
36KB

Download
memory/1888-132-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1888-130-0x0000000000890000-0x0000000000898000-memory.dmp

Filesize
32KB

Download
memory/2324-172-0x00000295528D0000-0x00000295528D1000-memory.dmp

Filesize
4KB

Download
memory/2340-175-0x000001EB1A7E0000-0x000001EB1A7E1000-memory.dmp

Filesize
4KB

Download
memory/2388-176-0x00000289AFE80000-0x00000289AFE81000-memory.dmp

Filesize
4KB

Download
memory/2520-163-0x0000000000100000-0x000000000010E000-memory.dmp

Filesize
56KB

Download
memory/2520-162-0x0000000000110000-0x0000000000119000-memory.dmp

Filesize
36KB

Download
memory/2540-191-0x0000000003200000-0x0000000003216000-memory.dmp

Filesize
88KB

Download
memory/2540-134-0x00000000085E2000-0x0000000008676000-memory.dmp

Filesize
592KB

Download
memory/2540-133-0x0000000001350000-0x0000000001366000-memory.dmp

Filesize
88KB

Download
memory/2600-170-0x0000000000B50000-0x0000000000B57000-memory.dmp

Filesize
28KB

Download
memory/2600-171-0x0000000000B40000-0x0000000000B4D000-memory.dmp

Filesize
52KB

Download
memory/2636-177-0x0000018B359D0000-0x0000018B359D1000-memory.dmp

Filesize
4KB

Download
memory/2940-180-0x0000024800610000-0x0000024800611000-memory.dmp

Filesize
4KB

Download
memory/2940-185-0x0000024800610000-0x0000024800611000-memory.dmp

Filesize
4KB

Download
memory/2976-173-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/2976-174-0x0000000004A00000-0x0000000004A0B000-memory.dmp

Filesize
44KB

Download
memory/3004-181-0x0000029A7BE50000-0x0000029A7BE51000-memory.dmp

Filesize
4KB

Download
memory/3116-158-0x0000000003450000-0x00000000034BB000-memory.dmp

Filesize
428KB

Download
memory/3116-157-0x00000000034C0000-0x0000000003535000-memory.dmp

Filesize
468KB

Download
memory/3168-184-0x0000022D952A0000-0x0000022D952A1000-memory.dmp

Filesize
4KB

Download
memory/3516-159-0x0000000000140000-0x000000000014C000-memory.dmp

Filesize
48KB

Download
memory/3544-189-0x000001963D810000-0x000001963D811000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads