Analysis
max time kernel: 154s
max time network: 140s
platform: windows10_x64
resource: win10-en-20211208
submitted: 26-01-2022 00:40
Static task: static1
Behavioral task: behavioral1
Sample: 6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
Resource: win10-en-20211208
General
Target: 6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
Size: 333KB
MD5: e3f8420f349cbe1ae3374627b54dcef8
SHA1: 5069862dc27f4aaa8e2cb90de17c4543c5dbd56c
SHA256: 6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5
SHA512: 8d8bd93fe6d232c3ca529d4e36b4b2891a4386b912e0ced6d594ab4948d71ec054c9b8d51b847110d805c17a0ad4653d6aa3cd9fdbd982c28cc795cd99659397
Malware Config
Extracted
smokeloader
2020
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  1816 | 2017.exe
-
Modifies Windows Firewall 1 TTPs
-
Deletes itself 1 IoCs
Processes:
  pid | process
  3068 | (process column empty)
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
Program crash 1 IoCs
Processes:
  pid | pid_target | process | target process
  700 | 3668 | WerFault.exe | DllHost.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2017.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2017.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2017.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid | process
  2928 | ipconfig.exe
  2896 | ipconfig.exe
  2124 | NETSTAT.EXE
  2528 | NETSTAT.EXE
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main | (process column empty)
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | (process column empty)
  Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0058645F-7E43-11EC-9231-D241B17F579F} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  2700 | 6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
  2700 | 6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
  3068 | (process column empty; this entry repeats for the remaining 62 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  3068 | (process column empty)
-
Suspicious behavior: MapViewOfSection 48 IoCs
Processes (entries in report order; "x N" marks consecutive repeats):
  pid | process
  2700 | 6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
  1816 | 2017.exe
  3068 | (process column empty) x 6
  2144 | explorer.exe x 2
  3068 | (process column empty) x 2
  3124 | explorer.exe x 2
  3068 | (process column empty) x 2
  3772 | explorer.exe x 2
  3068 | (process column empty) x 2
  388 | explorer.exe x 2
  3068 | (process column empty) x 2
  3984 | explorer.exe x 2
  3068 | (process column empty) x 2
  676 | explorer.exe x 20
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  WMIC.exe, pid 700: the following 21-entry sequence appears twice in the report
  Token: SeIncreaseQuotaPrivilege | 700 | WMIC.exe
  Token: SeSecurityPrivilege | 700 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 700 | WMIC.exe
  Token: SeLoadDriverPrivilege | 700 | WMIC.exe
  Token: SeSystemProfilePrivilege | 700 | WMIC.exe
  Token: SeSystemtimePrivilege | 700 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 700 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 700 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 700 | WMIC.exe
  Token: SeBackupPrivilege | 700 | WMIC.exe
  Token: SeRestorePrivilege | 700 | WMIC.exe
  Token: SeShutdownPrivilege | 700 | WMIC.exe
  Token: SeDebugPrivilege | 700 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 700 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 700 | WMIC.exe
  Token: SeUndockPrivilege | 700 | WMIC.exe
  Token: SeManageVolumePrivilege | 700 | WMIC.exe
  Token: 33 | 700 | WMIC.exe
  Token: 34 | 700 | WMIC.exe
  Token: 35 | 700 | WMIC.exe
  Token: 36 | 700 | WMIC.exe
  WMIC.exe, pid 3136: the same 21-entry sequence appears once, followed by one more entry
  Token: SeIncreaseQuotaPrivilege | 3136 | WMIC.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid | process
  1688 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid | process
  1688 | iexplore.exe
  1688 | iexplore.exe
  3436 | IEXPLORE.EXE
  3436 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (entries in report order; "x N" marks consecutive repeats):
  description | pid | process | target process
  PID 3068 wrote to memory of 1816 | 3068 | (process column empty) | 2017.exe x 3
  PID 3068 wrote to memory of 1216 | 3068 | (process column empty) | cmd.exe x 2
  PID 1216 wrote to memory of 700 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 3136 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 1236 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 2328 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 2716 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 3968 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 2084 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 3196 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 3556 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 960 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 3648 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 2380 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 1220 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 1580 | 1216 | cmd.exe | WMIC.exe x 2
  PID 1216 wrote to memory of 2896 | 1216 | cmd.exe | ipconfig.exe x 2
  PID 1216 wrote to memory of 3664 | 1216 | cmd.exe | ROUTE.EXE x 2
  PID 1216 wrote to memory of 2700 | 1216 | cmd.exe | netsh.exe x 2
  PID 1216 wrote to memory of 3708 | 1216 | cmd.exe | systeminfo.exe x 2
  PID 1216 wrote to memory of 2600 | 1216 | cmd.exe | tasklist.exe x 2
  PID 1216 wrote to memory of 1252 | 1216 | cmd.exe | net.exe x 2
  PID 1252 wrote to memory of 2968 | 1252 | net.exe | net1.exe x 2
  PID 1216 wrote to memory of 3972 | 1216 | cmd.exe | net.exe x 2
  PID 3972 wrote to memory of 700 | 3972 | net.exe | net1.exe x 2
  PID 1216 wrote to memory of 3132 | 1216 | cmd.exe | net.exe x 2
  PID 3132 wrote to memory of 1344 | 3132 | net.exe | net1.exe x 2
  PID 1216 wrote to memory of 1224 | 1216 | cmd.exe | net.exe x 2
  PID 1224 wrote to memory of 2008 | 1224 | net.exe | net1.exe x 2
  PID 1216 wrote to memory of 972 | 1216 | cmd.exe | net.exe x 2
  PID 1216 wrote to memory of 1500 | 1216 | cmd.exe | net.exe x 2
  PID 1500 wrote to memory of 2020 | 1500 | net.exe | net1.exe
-
outlook_office_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
outlook_win_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
(process tree: image path, then its command line, then the signatures that fired for it; child processes are indented under their parent)

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 3668 -s 900
    - Program crash

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

c:\windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\sihost.exe
  command line: sihost.exe

C:\Users\Admin\AppData\Local\Temp\6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6052a36777a0cde2d97892453a107c777bf0b64bfacf18ca79078400cb6294d5.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\2017.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2017.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

C:\Windows\system32\cmd.exe
  command line: cmd
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  C:\Windows\system32\ipconfig.exe
    command line: ipconfig /displaydns
    - Gathers network information
  C:\Windows\system32\ROUTE.EXE
    command line: route print
  C:\Windows\system32\netsh.exe
    command line: netsh firewall show state
  C:\Windows\system32\systeminfo.exe
    command line: systeminfo
    - Gathers system information
  C:\Windows\system32\tasklist.exe
    command line: tasklist /v
    - Enumerates processes with tasklist
  C:\Windows\system32\net.exe
    command line: net accounts /domain
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 accounts /domain
  C:\Windows\system32\net.exe
    command line: net share
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 share
  C:\Windows\system32\net.exe
    command line: net user
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 user
  C:\Windows\system32\net.exe
    command line: net user /domain
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 user /domain
  C:\Windows\system32\net.exe
    command line: net use
  C:\Windows\system32\net.exe
    command line: net group
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 group
  C:\Windows\system32\net.exe
    command line: net localgroup
    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 localgroup
  C:\Windows\system32\NETSTAT.EXE
    command line: netstat -r
    - Gathers network information
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      C:\Windows\system32\ROUTE.EXE
        command line: C:\Windows\system32\route.exe print
  C:\Windows\system32\NETSTAT.EXE
    command line: netstat -nao
    - Gathers network information
  C:\Windows\system32\schtasks.exe
    command line: schtasks /query
  C:\Windows\system32\ipconfig.exe
    command line: ipconfig /all
    - Gathers network information

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V

C:\Program Files\Internet Explorer\iexplore.exe
  command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection
Downloads
C:\Users\Admin\AppData\Local\Temp\2017.exe
  MD5: 2eff80a8a31a284c5391d06178e0910c
  SHA1: a97af613b21b58e3815d43716aea52c612410480
  SHA256: 3bee8c7529b62d1f7bf0e95a6e3bce7730b550fe043d9d9ac164d72fe01c441b
  SHA512: 22249f6513eb7be0d1318bb9815b0c4e6f361abcdc009bb04c888783ac0a0fa66f6a9e7468f11201f736c19fce2a058c38e3003258fe1c43b04280e00687a1ae
-
Memory dumps (file | Filesize):
  memory/388-144-0x00000000012D0000-0x00000000012DC000-memory.dmp | 48KB
  memory/388-143-0x00000000012E0000-0x00000000012E6000-memory.dmp | 24KB
  memory/676-148-0x0000000000DD0000-0x0000000000DDD000-memory.dmp | 52KB
  memory/676-147-0x0000000000DE0000-0x0000000000DE7000-memory.dmp | 28KB
  memory/700-154-0x000001EFA2580000-0x000001EFA2581000-memory.dmp | 4KB
  memory/1816-122-0x0000000000560000-0x0000000000569000-memory.dmp | 36KB
  memory/1816-123-0x0000000000400000-0x000000000047E000-memory.dmp | 504KB
  memory/2144-137-0x0000000000340000-0x0000000000347000-memory.dmp | 28KB
  memory/2144-138-0x0000000000330000-0x000000000033B000-memory.dmp | 44KB
  memory/2352-149-0x0000022AD85C0000-0x0000022AD85C1000-memory.dmp | 4KB
  memory/2368-150-0x0000029045B80000-0x0000029045B81000-memory.dmp | 4KB
  memory/2700-116-0x00000000005A0000-0x00000000006EA000-memory.dmp | 1.3MB
  memory/2700-117-0x0000000000400000-0x000000000047E000-memory.dmp | 504KB
  memory/2728-151-0x000002D4FE970000-0x000002D4FE971000-memory.dmp | 4KB
  memory/2728-153-0x000002D4FECB0000-0x000002D4FECB1000-memory.dmp | 4KB
  memory/3068-127-0x0000000004C10000-0x0000000004C1F000-memory.dmp | 60KB
  memory/3068-124-0x00000000031C0000-0x00000000031D6000-memory.dmp | 88KB
  memory/3068-118-0x0000000001100000-0x0000000001116000-memory.dmp | 88KB
  memory/3124-139-0x00000000006C0000-0x00000000006C9000-memory.dmp | 36KB
  memory/3124-140-0x00000000006B0000-0x00000000006BE000-memory.dmp | 56KB
  memory/3404-152-0x00000285E3910000-0x00000285E3911000-memory.dmp | 4KB
  memory/3580-135-0x0000000003030000-0x000000000309B000-memory.dmp | 428KB
  memory/3580-134-0x00000000030A0000-0x0000000003115000-memory.dmp | 468KB
  memory/3772-142-0x0000000000340000-0x0000000000349000-memory.dmp | 36KB
  memory/3772-141-0x0000000000350000-0x0000000000355000-memory.dmp | 20KB
  memory/3948-136-0x0000000000BD0000-0x0000000000BDC000-memory.dmp | 48KB
  memory/3984-146-0x00000000003B0000-0x00000000003BB000-memory.dmp | 44KB
  memory/3984-145-0x00000000003C0000-0x00000000003C6000-memory.dmp | 24KB