Analysis
-
max time kernel
154s
-
max time network
142s
-
platform
windows10_x64
-
resource
win10-en-20211208
-
submitted
26-01-2022 23:53
Static task
static1
Behavioral task
behavioral1
Sample
af2e0581425abfefb8a608892e3cb92f0bfb4bb4e9886b71aebf1bf4f1206537.exe
Resource
win10-en-20211208
General
-
Target
af2e0581425abfefb8a608892e3cb92f0bfb4bb4e9886b71aebf1bf4f1206537.exe
-
Size
240KB
-
MD5
6c9efcdf0e025d5b7d37b244e0408305
-
SHA1
218393e59e3d97ea4eaa9394d7fbe7c1862890ab
-
SHA256
af2e0581425abfefb8a608892e3cb92f0bfb4bb4e9886b71aebf1bf4f1206537
-
SHA512
449ffc5d049416e7193cfb834635527b2be5c397ff67fbc02c3f445ebf1f748516b4a1a54cf182cd2d4224ce23ad42bf94e4570f18f0be06bf32e3fcff17d8ac
Malware Config
Extracted
smokeloader
2020
http://abpa.at/upload/
http://emaratghajari.com/upload/
http://d7qw.cn/upload/
http://alumik-group.ru/upload/
http://zamkikurgan.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
868 | DC14.exe
-
Modifies Windows Firewall 1 TTPs
-
Deletes itself 1 IoCs
Processes:
pid | process
2880 |
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1848 | 3664 | WerFault.exe | DllHost.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | af2e0581425abfefb8a608892e3cb92f0bfb4bb4e9886b71aebf1bf4f1206537.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | af2e0581425abfefb8a608892e3cb92f0bfb4bb4e9886b71aebf1bf4f1206537.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | af2e0581425abfefb8a608892e3cb92f0bfb4bb4e9886b71aebf1bf4f1206537.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | DC14.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | DC14.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | DC14.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
2604 | NETSTAT.EXE
1320 | ipconfig.exe
3812 | ipconfig.exe
484 | NETSTAT.EXE
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" |
Set value (int) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\Main |
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60E8EC49-7F03-11EC-876A-D6A35E44B3F8} = "0" | iexplore.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3488 | af2e0581425abfefb8a608892e3cb92f0bfb4bb4e9886b71aebf1bf4f1206537.exe
3488 | af2e0581425abfefb8a608892e3cb92f0bfb4bb4e9886b71aebf1bf4f1206537.exe
2880 | (this row, with no process name, repeats for all remaining entries; 64 IoCs in total)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2880 |
-
Suspicious behavior: MapViewOfSection 48 IoCs
Processes:
pid | process
3488 | af2e0581425abfefb8a608892e3cb92f0bfb4bb4e9886b71aebf1bf4f1206537.exe
868 | DC14.exe
2880 | (6 entries, no process name)
2936 | explorer.exe (2 entries)
2880 | (2 entries, no process name)
3564 | explorer.exe (2 entries)
2880 | (2 entries, no process name)
1472 | explorer.exe (2 entries)
2880 | (2 entries, no process name)
3800 | explorer.exe (2 entries)
2880 | (2 entries, no process name)
2912 | explorer.exe (2 entries)
2880 | (2 entries, no process name)
2332 | explorer.exe (20 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeIncreaseQuotaPrivilege | 380 | WMIC.exe
Token: SeSecurityPrivilege | 380 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 380 | WMIC.exe
Token: SeLoadDriverPrivilege | 380 | WMIC.exe
Token: SeSystemProfilePrivilege | 380 | WMIC.exe
Token: SeSystemtimePrivilege | 380 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 380 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 380 | WMIC.exe
Token: SeCreatePagefilePrivilege | 380 | WMIC.exe
Token: SeBackupPrivilege | 380 | WMIC.exe
Token: SeRestorePrivilege | 380 | WMIC.exe
Token: SeShutdownPrivilege | 380 | WMIC.exe
Token: SeDebugPrivilege | 380 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 380 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 380 | WMIC.exe
Token: SeUndockPrivilege | 380 | WMIC.exe
Token: SeManageVolumePrivilege | 380 | WMIC.exe
Token: 33 | 380 | WMIC.exe
Token: 34 | 380 | WMIC.exe
Token: 35 | 380 | WMIC.exe
Token: 36 | 380 | WMIC.exe
(the 21 rows above are recorded a second time for pid 380; the same 21 rows are then recorded for pid 1148 WMIC.exe, followed by one further "Token: SeIncreaseQuotaPrivilege | 1148 | WMIC.exe"; 64 IoCs in total)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2140 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
2140 | iexplore.exe
2140 | iexplore.exe
2112 | IEXPLORE.EXE
2112 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
(each row below is recorded twice in the report unless stated otherwise)
PID 2880 wrote to memory of 868 | 2880 | | DC14.exe (3 entries)
PID 2880 wrote to memory of 1052 | 2880 | | cmd.exe
PID 1052 wrote to memory of 380 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 1148 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 1088 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 1448 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 2504 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 2444 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 3768 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 1928 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 1056 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 2468 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 3140 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 4088 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 2236 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 3548 | 1052 | cmd.exe | WMIC.exe
PID 1052 wrote to memory of 3812 | 1052 | cmd.exe | ipconfig.exe
PID 1052 wrote to memory of 652 | 1052 | cmd.exe | ROUTE.EXE
PID 1052 wrote to memory of 2652 | 1052 | cmd.exe | netsh.exe
PID 1052 wrote to memory of 3832 | 1052 | cmd.exe | systeminfo.exe
PID 1052 wrote to memory of 4004 | 1052 | cmd.exe | tasklist.exe
PID 1052 wrote to memory of 3992 | 1052 | cmd.exe | net.exe
PID 3992 wrote to memory of 3952 | 3992 | net.exe | net1.exe
PID 1052 wrote to memory of 3292 | 1052 | cmd.exe | net.exe
PID 3292 wrote to memory of 2584 | 3292 | net.exe | net1.exe
PID 1052 wrote to memory of 3268 | 1052 | cmd.exe | net.exe
PID 3268 wrote to memory of 592 | 3268 | net.exe | net1.exe
PID 1052 wrote to memory of 2424 | 1052 | cmd.exe | net.exe
PID 2424 wrote to memory of 3936 | 2424 | net.exe | net1.exe
PID 1052 wrote to memory of 3236 | 1052 | cmd.exe | net.exe
PID 1052 wrote to memory of 1488 | 1052 | cmd.exe | net.exe
PID 1488 wrote to memory of 1172 | 1488 | net.exe | net1.exe (1 entry)
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes (number in brackets is the depth in the process tree; the command line follows each image path)
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  [2] C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3664 -s 928
      - Program crash
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
[1] C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
[1] c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[1] c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
[1] c:\windows\system32\sihost.exe
    sihost.exe
[1] C:\Users\Admin\AppData\Local\Temp\af2e0581425abfefb8a608892e3cb92f0bfb4bb4e9886b71aebf1bf4f1206537.exe
    "C:\Users\Admin\AppData\Local\Temp\af2e0581425abfefb8a608892e3cb92f0bfb4bb4e9886b71aebf1bf4f1206537.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
[1] C:\Users\Admin\AppData\Local\Temp\DC14.exe
    C:\Users\Admin\AppData\Local\Temp\DC14.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\system32\cmd.exe
    cmd
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  [2] C:\Windows\system32\ipconfig.exe
      ipconfig /displaydns
      - Gathers network information
  [2] C:\Windows\system32\ROUTE.EXE
      route print
  [2] C:\Windows\system32\netsh.exe
      netsh firewall show state
  [2] C:\Windows\system32\systeminfo.exe
      systeminfo
      - Gathers system information
  [2] C:\Windows\system32\tasklist.exe
      tasklist /v
      - Enumerates processes with tasklist
  [2] C:\Windows\system32\net.exe
      net accounts /domain
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 accounts /domain
  [2] C:\Windows\system32\net.exe
      net share
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 share
  [2] C:\Windows\system32\net.exe
      net user
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user
  [2] C:\Windows\system32\net.exe
      net user /domain
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user /domain
  [2] C:\Windows\system32\net.exe
      net use
  [2] C:\Windows\system32\net.exe
      net group
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 group
  [2] C:\Windows\system32\net.exe
      net localgroup
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 localgroup
  [2] C:\Windows\system32\NETSTAT.EXE
      netstat -r
      - Gathers network information
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      [4] C:\Windows\system32\ROUTE.EXE
          C:\Windows\system32\route.exe print
  [2] C:\Windows\system32\NETSTAT.EXE
      netstat -nao
      - Gathers network information
  [2] C:\Windows\system32\schtasks.exe
      schtasks /query
  [2] C:\Windows\system32\ipconfig.exe
      ipconfig /all
      - Gathers network information
[1] C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
[1] C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:82945 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe
[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DC14.exe
MD5
594a5d0869620855f89487ba04420a6e
SHA1
0694e7e225cae7c8039e1feb20fe1784acd52061
SHA256
a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101
SHA512
2f7715a4bd64d8f45eb5e47b6edff1f6f6fa403659badbfd08528a6a95d4e7f152412e084de7fd5ba8ada2da22a2539c9cc6e23e6e620b3748b5beef11d0f5dc
-
memory/868-123-0x0000000000400000-0x0000000000484000-memory.dmp
Filesize
528KB
-
memory/868-121-0x0000000000678000-0x0000000000688000-memory.dmp
Filesize
64KB
-
memory/868-122-0x00000000004E0000-0x00000000004E9000-memory.dmp
Filesize
36KB
-
memory/1472-142-0x0000000002B70000-0x0000000002B79000-memory.dmp
Filesize
36KB
-
memory/1472-141-0x0000000002B80000-0x0000000002B85000-memory.dmp
Filesize
20KB
-
memory/1848-153-0x0000020307F40000-0x0000020307F41000-memory.dmp
Filesize
4KB
-
memory/2332-147-0x0000000001080000-0x0000000001087000-memory.dmp
Filesize
28KB
-
memory/2332-148-0x0000000000DF0000-0x0000000000DFD000-memory.dmp
Filesize
52KB
-
memory/2340-149-0x000001DE8CCD0000-0x000001DE8CCD1000-memory.dmp
Filesize
4KB
-
memory/2360-150-0x00000187885C0000-0x00000187885C1000-memory.dmp
Filesize
4KB
-
memory/2400-134-0x0000000003000000-0x0000000003075000-memory.dmp
Filesize
468KB
-
memory/2400-135-0x0000000002D90000-0x0000000002DFB000-memory.dmp
Filesize
428KB
-
memory/2456-154-0x0000029650D70000-0x0000029650D71000-memory.dmp
Filesize
4KB
-
memory/2456-151-0x0000029650A30000-0x0000029650A31000-memory.dmp
Filesize
4KB
-
memory/2872-136-0x0000000000FE0000-0x0000000000FEC000-memory.dmp
Filesize
48KB
-
memory/2880-118-0x0000000001040000-0x0000000001056000-memory.dmp
Filesize
88KB
-
memory/2880-124-0x0000000002E20000-0x0000000002E36000-memory.dmp
Filesize
88KB
-
memory/2880-127-0x0000000002FB0000-0x0000000002FBF000-memory.dmp
Filesize
60KB
-
memory/2912-145-0x0000000002D30000-0x0000000002D36000-memory.dmp
Filesize
24KB
-
memory/2912-146-0x0000000002D20000-0x0000000002D2B000-memory.dmp
Filesize
44KB
-
memory/2936-138-0x0000000002A20000-0x0000000002A2B000-memory.dmp
Filesize
44KB
-
memory/2936-137-0x0000000002A30000-0x0000000002A37000-memory.dmp
Filesize
28KB
-
memory/3480-152-0x000001D2F2150000-0x000001D2F2151000-memory.dmp
Filesize
4KB
-
memory/3488-117-0x0000000000400000-0x0000000000442000-memory.dmp
Filesize
264KB
-
memory/3488-115-0x0000000000700000-0x0000000000724000-memory.dmp
Filesize
144KB
-
memory/3488-116-0x0000000000450000-0x00000000004FE000-memory.dmp
Filesize
696KB
-
memory/3564-140-0x0000000000D60000-0x0000000000D6E000-memory.dmp
Filesize
56KB
-
memory/3564-139-0x0000000000D70000-0x0000000000D79000-memory.dmp
Filesize
36KB
-
memory/3800-144-0x00000000004F0000-0x00000000004FC000-memory.dmp
Filesize
48KB
-
memory/3800-143-0x0000000000500000-0x0000000000506000-memory.dmp
Filesize
24KB