smokeloader | 6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5

General

Target

6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
Size

333KB
MD5

e3f8420f349cbe1ae3374627b54dcef8
SHA1

5069862dc27f4aaa8e2cb90de17c4543c5dbd56c
SHA256

6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5
SHA512

8d8bd93fe6d232c3ca529d4e36b4b2891a4386b912e0ced6d594ab4948d71ec054c9b8d51b847110d805c17a0ad4653d6aa3cd9fdbd982c28cc795cd99659397

Score

10^/10

smokeloader backdoor collection evasion trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://abpa.at/upload/

http://emaratghajari.com/upload/

http://d7qw.cn/upload/

http://alumik-group.ru/upload/

http://zamkikurgan.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

2017.exe

pid process

1816 2017.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

3068

pid	process
1816	2017.exe

pid	process
3068

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

700 3668 WerFault.exe DllHost.exe

pid	pid_target	process	target process
700	3668	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe2017.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2017.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2017.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2017.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2600 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exeNETSTAT.EXENETSTAT.EXE

pid process

2928 ipconfig.exe
2896 ipconfig.exe
2124 NETSTAT.EXE
2528 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3708 systeminfo.exe

pid	process
2600	tasklist.exe

pid	process
2928	ipconfig.exe
2896	ipconfig.exe
2124	NETSTAT.EXE
2528	NETSTAT.EXE

pid	process
3708	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0058645F-7E43-11EC-9231-D241B17F579F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe

pid	process
2700	6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
2700	6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3068

pid	process
3068

Suspicious behavior: MapViewOfSection 48 IoCs

Processes:

6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe2017.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2700	6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
1816	2017.exe
3068
3068
3068
3068
3068
3068
2144	explorer.exe
2144	explorer.exe
3068
3068
3124	explorer.exe
3124	explorer.exe
3068
3068
3772	explorer.exe
3772	explorer.exe
3068
3068
388	explorer.exe
388	explorer.exe
3068
3068
3984	explorer.exe
3984	explorer.exe
3068
3068
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	700	WMIC.exe
Token: SeSecurityPrivilege	700	WMIC.exe
Token: SeTakeOwnershipPrivilege	700	WMIC.exe
Token: SeLoadDriverPrivilege	700	WMIC.exe
Token: SeSystemProfilePrivilege	700	WMIC.exe
Token: SeSystemtimePrivilege	700	WMIC.exe
Token: SeProfSingleProcessPrivilege	700	WMIC.exe
Token: SeIncBasePriorityPrivilege	700	WMIC.exe
Token: SeCreatePagefilePrivilege	700	WMIC.exe
Token: SeBackupPrivilege	700	WMIC.exe
Token: SeRestorePrivilege	700	WMIC.exe
Token: SeShutdownPrivilege	700	WMIC.exe
Token: SeDebugPrivilege	700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	700	WMIC.exe
Token: SeRemoteShutdownPrivilege	700	WMIC.exe
Token: SeUndockPrivilege	700	WMIC.exe
Token: SeManageVolumePrivilege	700	WMIC.exe
Token: 33	700	WMIC.exe
Token: 34	700	WMIC.exe
Token: 35	700	WMIC.exe
Token: 36	700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	700	WMIC.exe
Token: SeSecurityPrivilege	700	WMIC.exe
Token: SeTakeOwnershipPrivilege	700	WMIC.exe
Token: SeLoadDriverPrivilege	700	WMIC.exe
Token: SeSystemProfilePrivilege	700	WMIC.exe
Token: SeSystemtimePrivilege	700	WMIC.exe
Token: SeProfSingleProcessPrivilege	700	WMIC.exe
Token: SeIncBasePriorityPrivilege	700	WMIC.exe
Token: SeCreatePagefilePrivilege	700	WMIC.exe
Token: SeBackupPrivilege	700	WMIC.exe
Token: SeRestorePrivilege	700	WMIC.exe
Token: SeShutdownPrivilege	700	WMIC.exe
Token: SeDebugPrivilege	700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	700	WMIC.exe
Token: SeRemoteShutdownPrivilege	700	WMIC.exe
Token: SeUndockPrivilege	700	WMIC.exe
Token: SeManageVolumePrivilege	700	WMIC.exe
Token: 33	700	WMIC.exe
Token: 34	700	WMIC.exe
Token: 35	700	WMIC.exe
Token: 36	700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3136	WMIC.exe
Token: SeSecurityPrivilege	3136	WMIC.exe
Token: SeTakeOwnershipPrivilege	3136	WMIC.exe
Token: SeLoadDriverPrivilege	3136	WMIC.exe
Token: SeSystemProfilePrivilege	3136	WMIC.exe
Token: SeSystemtimePrivilege	3136	WMIC.exe
Token: SeProfSingleProcessPrivilege	3136	WMIC.exe
Token: SeIncBasePriorityPrivilege	3136	WMIC.exe
Token: SeCreatePagefilePrivilege	3136	WMIC.exe
Token: SeBackupPrivilege	3136	WMIC.exe
Token: SeRestorePrivilege	3136	WMIC.exe
Token: SeShutdownPrivilege	3136	WMIC.exe
Token: SeDebugPrivilege	3136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3136	WMIC.exe
Token: SeRemoteShutdownPrivilege	3136	WMIC.exe
Token: SeUndockPrivilege	3136	WMIC.exe
Token: SeManageVolumePrivilege	3136	WMIC.exe
Token: 33	3136	WMIC.exe
Token: 34	3136	WMIC.exe
Token: 35	3136	WMIC.exe
Token: 36	3136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3136	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1688 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1688 iexplore.exe
1688 iexplore.exe
3436 IEXPLORE.EXE
3436 IEXPLORE.EXE

pid	process
1688	iexplore.exe

pid	process
1688	iexplore.exe
1688	iexplore.exe
3436	IEXPLORE.EXE
3436	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3068 wrote to memory of 1816	3068		2017.exe
PID 3068 wrote to memory of 1816	3068		2017.exe
PID 3068 wrote to memory of 1816	3068		2017.exe
PID 3068 wrote to memory of 1216	3068		cmd.exe
PID 3068 wrote to memory of 1216	3068		cmd.exe
PID 1216 wrote to memory of 700	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 700	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 3136	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 3136	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 1236	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 1236	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 2328	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 2328	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 2716	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 2716	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 3968	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 3968	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 2084	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 2084	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 3196	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 3196	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 3556	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 3556	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 960	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 960	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 3648	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 3648	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 2380	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 2380	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 1220	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 1220	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 1580	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 1580	1216	cmd.exe	WMIC.exe
PID 1216 wrote to memory of 2896	1216	cmd.exe	ipconfig.exe
PID 1216 wrote to memory of 2896	1216	cmd.exe	ipconfig.exe
PID 1216 wrote to memory of 3664	1216	cmd.exe	ROUTE.EXE
PID 1216 wrote to memory of 3664	1216	cmd.exe	ROUTE.EXE
PID 1216 wrote to memory of 2700	1216	cmd.exe	netsh.exe
PID 1216 wrote to memory of 2700	1216	cmd.exe	netsh.exe
PID 1216 wrote to memory of 3708	1216	cmd.exe	systeminfo.exe
PID 1216 wrote to memory of 3708	1216	cmd.exe	systeminfo.exe
PID 1216 wrote to memory of 2600	1216	cmd.exe	tasklist.exe
PID 1216 wrote to memory of 2600	1216	cmd.exe	tasklist.exe
PID 1216 wrote to memory of 1252	1216	cmd.exe	net.exe
PID 1216 wrote to memory of 1252	1216	cmd.exe	net.exe
PID 1252 wrote to memory of 2968	1252	net.exe	net1.exe
PID 1252 wrote to memory of 2968	1252	net.exe	net1.exe
PID 1216 wrote to memory of 3972	1216	cmd.exe	net.exe
PID 1216 wrote to memory of 3972	1216	cmd.exe	net.exe
PID 3972 wrote to memory of 700	3972	net.exe	net1.exe
PID 3972 wrote to memory of 700	3972	net.exe	net1.exe
PID 1216 wrote to memory of 3132	1216	cmd.exe	net.exe
PID 1216 wrote to memory of 3132	1216	cmd.exe	net.exe
PID 3132 wrote to memory of 1344	3132	net.exe	net1.exe
PID 3132 wrote to memory of 1344	3132	net.exe	net1.exe
PID 1216 wrote to memory of 1224	1216	cmd.exe	net.exe
PID 1216 wrote to memory of 1224	1216	cmd.exe	net.exe
PID 1224 wrote to memory of 2008	1224	net.exe	net1.exe
PID 1224 wrote to memory of 2008	1224	net.exe	net1.exe
PID 1216 wrote to memory of 972	1216	cmd.exe	net.exe
PID 1216 wrote to memory of 972	1216	cmd.exe	net.exe
PID 1216 wrote to memory of 1500	1216	cmd.exe	net.exe
PID 1216 wrote to memory of 1500	1216	cmd.exe	net.exe
PID 1500 wrote to memory of 2020	1500	net.exe	net1.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3668 -s 900
2⤵
- Program crash
PID:700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3404

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3216

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3208

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2368

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
"C:\Users\Admin\AppData\Local\Temp\6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2700

C:\Users\Admin\AppData\Local\Temp\2017.exe
C:\Users\Admin\AppData\Local\Temp\2017.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1816

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:1236

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:2328

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:2716

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3968

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:2084

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:3196

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:3556

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:960

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:3648

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:2380

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:1220

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:1580

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:2896

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3664

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:2700

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:3708

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:2600

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:2968

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:700

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:1344

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:2008

C:\Windows\system32\net.exe
net use
2⤵
PID:972

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:2020

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:4020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:1936

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:2180

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:2240

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:2528

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:3056

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:2928

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3436

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3580

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2144

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3124

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3772

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:388

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3984

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2017.exe
MD5
2eff80a8a31a284c5391d06178e0910c

SHA1
a97af613b21b58e3815d43716aea52c612410480

SHA256
3bee8c7529b62d1f7bf0e95a6e3bce7730b550fe043d9d9ac164d72fe01c441b

SHA512
22249f6513eb7be0d1318bb9815b0c4e6f361abcdc009bb04c888783ac0a0fa66f6a9e7468f11201f736c19fce2a058c38e3003258fe1c43b04280e00687a1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\2017.exe
MD5
2eff80a8a31a284c5391d06178e0910c

SHA1
a97af613b21b58e3815d43716aea52c612410480

SHA256
3bee8c7529b62d1f7bf0e95a6e3bce7730b550fe043d9d9ac164d72fe01c441b

SHA512
22249f6513eb7be0d1318bb9815b0c4e6f361abcdc009bb04c888783ac0a0fa66f6a9e7468f11201f736c19fce2a058c38e3003258fe1c43b04280e00687a1ae

Download Submit
memory/388-144-0x00000000012D0000-0x00000000012DC000-memory.dmp

Filesize
48KB

Download
memory/388-143-0x00000000012E0000-0x00000000012E6000-memory.dmp

Filesize
24KB

Download
memory/676-148-0x0000000000DD0000-0x0000000000DDD000-memory.dmp

Filesize
52KB

Download
memory/676-147-0x0000000000DE0000-0x0000000000DE7000-memory.dmp

Filesize
28KB

Download
memory/700-154-0x000001EFA2580000-0x000001EFA2581000-memory.dmp

Filesize
4KB

Download
memory/1816-122-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/1816-123-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2144-137-0x0000000000340000-0x0000000000347000-memory.dmp

Filesize
28KB

Download
memory/2144-138-0x0000000000330000-0x000000000033B000-memory.dmp

Filesize
44KB

Download
memory/2352-149-0x0000022AD85C0000-0x0000022AD85C1000-memory.dmp

Filesize
4KB

Download
memory/2368-150-0x0000029045B80000-0x0000029045B81000-memory.dmp

Filesize
4KB

Download
memory/2700-116-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/2700-117-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2728-151-0x000002D4FE970000-0x000002D4FE971000-memory.dmp

Filesize
4KB

Download
memory/2728-153-0x000002D4FECB0000-0x000002D4FECB1000-memory.dmp

Filesize
4KB

Download
memory/3068-127-0x0000000004C10000-0x0000000004C1F000-memory.dmp

Filesize
60KB

Download
memory/3068-124-0x00000000031C0000-0x00000000031D6000-memory.dmp

Filesize
88KB

Download
memory/3068-118-0x0000000001100000-0x0000000001116000-memory.dmp

Filesize
88KB

Download
memory/3124-139-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/3124-140-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/3404-152-0x00000285E3910000-0x00000285E3911000-memory.dmp

Filesize
4KB

Download
memory/3580-135-0x0000000003030000-0x000000000309B000-memory.dmp

Filesize
428KB

Download
memory/3580-134-0x00000000030A0000-0x0000000003115000-memory.dmp

Filesize
468KB

Download
memory/3772-142-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/3772-141-0x0000000000350000-0x0000000000355000-memory.dmp

Filesize
20KB

Download
memory/3948-136-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/3984-146-0x00000000003B0000-0x00000000003BB000-memory.dmp

Filesize
44KB

Download
memory/3984-145-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads