smokeloader | 0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

725A.exeawcwuuc0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	725A.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	725A.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	awcwuuc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	awcwuuc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	awcwuuc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	725A.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3636 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

752 systeminfo.exe

pid	process
3636	ipconfig.exe

pid	process
752	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "659278702"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda00000000020000000000106600000001000020000000192aa63a0d675afa11195c1c4af008d707b97f18ff73e01d08ff19567a079295000000000e80000000020000200000003896ee9228b75492e22d6620e06a7be8d6f05431c1183169be4c03b6ca06523d20000000fc0e1b3618c98245c48bfd9a59ba69239d6d8af4aa624b710fc92ef7e5caea7f4000000017d1f4744c41db4f13bfe164c86cca461e3047de86b718b200ff1eb52c91832c9bcdb61bfbc7c88b233998a8b6ecda6c737e3b8c01cab553116abd117e74342e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0e3ea2da212d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937762"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a059f42da212d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937762"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "694436831"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{522F6ED3-7E95-11EC-82D0-D2C6621C002E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "659278702"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937762"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000003c41a9ea878d04c140f7639f39f82516d71ef0b0bc074afd0d8a6f5eeb8527cc000000000e8000000002000020000000ac61edbbb4a2a661332db2821d8bca96e521ca3f900142cf17770875d08af138200000002fff5a59a1329533f103174d4b688ace0e7ccd287ce87932535e0ec00e7d71dd40000000537fb925b6dae5d15e1c3091922811571e6b3075e76effe790f8388b765e0748675ac35ea7bfbaa58c33eca42a936ae3439f68bd4d6e45643534a2da91f6ac73	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f.exe

pid	process
3872	0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f.exe
3872	0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f.exe
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308
2308

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2308

pid	process
2308

Suspicious behavior: MapViewOfSection 63 IoCs

Processes:

0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f.exe725A.exeawcwuucexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3872	0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f.exe
2184	725A.exe
3008	awcwuuc
2308
2308
2308
2308
2308
2308
2184	explorer.exe
2184	explorer.exe
2308
2308
3012	explorer.exe
3012	explorer.exe
2308
2308
2904	explorer.exe
2904	explorer.exe
2308
2308
3692	explorer.exe
3692	explorer.exe
2308
2308
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
4040	explorer.exe
2308
2308
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe
3720	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3388	WMIC.exe
Token: SeSecurityPrivilege	3388	WMIC.exe
Token: SeTakeOwnershipPrivilege	3388	WMIC.exe
Token: SeLoadDriverPrivilege	3388	WMIC.exe
Token: SeSystemProfilePrivilege	3388	WMIC.exe
Token: SeSystemtimePrivilege	3388	WMIC.exe
Token: SeProfSingleProcessPrivilege	3388	WMIC.exe
Token: SeIncBasePriorityPrivilege	3388	WMIC.exe
Token: SeCreatePagefilePrivilege	3388	WMIC.exe
Token: SeBackupPrivilege	3388	WMIC.exe
Token: SeRestorePrivilege	3388	WMIC.exe
Token: SeShutdownPrivilege	3388	WMIC.exe
Token: SeDebugPrivilege	3388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3388	WMIC.exe
Token: SeRemoteShutdownPrivilege	3388	WMIC.exe
Token: SeUndockPrivilege	3388	WMIC.exe
Token: SeManageVolumePrivilege	3388	WMIC.exe
Token: 33	3388	WMIC.exe
Token: 34	3388	WMIC.exe
Token: 35	3388	WMIC.exe
Token: 36	3388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3388	WMIC.exe
Token: SeSecurityPrivilege	3388	WMIC.exe
Token: SeTakeOwnershipPrivilege	3388	WMIC.exe
Token: SeLoadDriverPrivilege	3388	WMIC.exe
Token: SeSystemProfilePrivilege	3388	WMIC.exe
Token: SeSystemtimePrivilege	3388	WMIC.exe
Token: SeProfSingleProcessPrivilege	3388	WMIC.exe
Token: SeIncBasePriorityPrivilege	3388	WMIC.exe
Token: SeCreatePagefilePrivilege	3388	WMIC.exe
Token: SeBackupPrivilege	3388	WMIC.exe
Token: SeRestorePrivilege	3388	WMIC.exe
Token: SeShutdownPrivilege	3388	WMIC.exe
Token: SeDebugPrivilege	3388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3388	WMIC.exe
Token: SeRemoteShutdownPrivilege	3388	WMIC.exe
Token: SeUndockPrivilege	3388	WMIC.exe
Token: SeManageVolumePrivilege	3388	WMIC.exe
Token: 33	3388	WMIC.exe
Token: 34	3388	WMIC.exe
Token: 35	3388	WMIC.exe
Token: 36	3388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1588	WMIC.exe
Token: SeSecurityPrivilege	1588	WMIC.exe
Token: SeTakeOwnershipPrivilege	1588	WMIC.exe
Token: SeLoadDriverPrivilege	1588	WMIC.exe
Token: SeSystemProfilePrivilege	1588	WMIC.exe
Token: SeSystemtimePrivilege	1588	WMIC.exe
Token: SeProfSingleProcessPrivilege	1588	WMIC.exe
Token: SeIncBasePriorityPrivilege	1588	WMIC.exe
Token: SeCreatePagefilePrivilege	1588	WMIC.exe
Token: SeBackupPrivilege	1588	WMIC.exe
Token: SeRestorePrivilege	1588	WMIC.exe
Token: SeShutdownPrivilege	1588	WMIC.exe
Token: SeDebugPrivilege	1588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1588	WMIC.exe
Token: SeRemoteShutdownPrivilege	1588	WMIC.exe
Token: SeUndockPrivilege	1588	WMIC.exe
Token: SeManageVolumePrivilege	1588	WMIC.exe
Token: 33	1588	WMIC.exe
Token: 34	1588	WMIC.exe
Token: 35	1588	WMIC.exe
Token: 36	1588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1588	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4000 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4000 iexplore.exe
4000 iexplore.exe
3400 IEXPLORE.EXE
3400 IEXPLORE.EXE

pid	process
4000	iexplore.exe

pid	process
4000	iexplore.exe
4000	iexplore.exe
3400	IEXPLORE.EXE
3400	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeWerFault.exeiexplore.exeWerFault.exeexplorer.exe

description	pid	process	target process
PID 2308 wrote to memory of 2184	2308		725A.exe
PID 2308 wrote to memory of 2184	2308		725A.exe
PID 2308 wrote to memory of 2184	2308		725A.exe
PID 2308 wrote to memory of 3284	2308		cmd.exe
PID 2308 wrote to memory of 3284	2308		cmd.exe
PID 3284 wrote to memory of 3388	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 3388	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 1588	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 1588	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 1568	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 1568	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 392	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 392	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 4020	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 4020	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 3252	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 3252	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 1840	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 1840	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 3536	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 3536	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 1096	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 1096	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 2320	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 2320	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 2500	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 2500	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 2520	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 2520	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 2608	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 2608	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 3172	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 3172	3284	cmd.exe	WMIC.exe
PID 3284 wrote to memory of 3636	3284	cmd.exe	ipconfig.exe
PID 3284 wrote to memory of 3636	3284	cmd.exe	ipconfig.exe
PID 3284 wrote to memory of 1804	3284	cmd.exe	ROUTE.EXE
PID 3284 wrote to memory of 1804	3284	cmd.exe	ROUTE.EXE
PID 3284 wrote to memory of 3776	3284	cmd.exe	netsh.exe
PID 3284 wrote to memory of 3776	3284	cmd.exe	netsh.exe
PID 3284 wrote to memory of 752	3284	cmd.exe	systeminfo.exe
PID 3284 wrote to memory of 752	3284	cmd.exe	systeminfo.exe
PID 4088 wrote to memory of 2888	4088	WerFault.exe	swcwuuc
PID 4088 wrote to memory of 2888	4088	WerFault.exe	swcwuuc
PID 4000 wrote to memory of 3400	4000	iexplore.exe	IEXPLORE.EXE
PID 4000 wrote to memory of 3400	4000	iexplore.exe	IEXPLORE.EXE
PID 4000 wrote to memory of 3400	4000	iexplore.exe	IEXPLORE.EXE
PID 2308 wrote to memory of 2520	2308		explorer.exe
PID 2308 wrote to memory of 2520	2308		explorer.exe
PID 2308 wrote to memory of 2520	2308		explorer.exe
PID 2308 wrote to memory of 2520	2308		explorer.exe
PID 2308 wrote to memory of 696	2308		explorer.exe
PID 2308 wrote to memory of 696	2308		explorer.exe
PID 2308 wrote to memory of 696	2308		explorer.exe
PID 3484 wrote to memory of 2520	3484	WerFault.exe	explorer.exe
PID 3484 wrote to memory of 2520	3484	WerFault.exe	explorer.exe
PID 2308 wrote to memory of 2184	2308		explorer.exe
PID 2308 wrote to memory of 2184	2308		explorer.exe
PID 2308 wrote to memory of 2184	2308		explorer.exe
PID 2308 wrote to memory of 2184	2308		explorer.exe
PID 2184 wrote to memory of 3400	2184	explorer.exe	IEXPLORE.EXE
PID 2184 wrote to memory of 3400	2184	explorer.exe	IEXPLORE.EXE
PID 2308 wrote to memory of 3012	2308		explorer.exe
PID 2308 wrote to memory of 3012	2308		explorer.exe
PID 2308 wrote to memory of 3012	2308		explorer.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2764

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1904

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3860

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2548

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2592

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2592 -s 956
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2400

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2112

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f.exe
"C:\Users\Admin\AppData\Local\Temp\0b8c0422dfc65a0d559a0002b26fc3e8585391aae590b10ce59d8bbbf033329f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3872

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe dac22ac013e68b278886ffa71ee0f452 v3ZlOpwF30iFnWPJhhsB+A.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:1644

C:\Users\Admin\AppData\Local\Temp\725A.exe
C:\Users\Admin\AppData\Local\Temp\725A.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2184

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:1568

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:392

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:4020

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3252

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:1840

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:3536

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:1096

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:2320

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:2500

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:2520

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:2608

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3172

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:3636

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:1804

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:3776

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:752

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4064

C:\Users\Admin\AppData\Roaming\swcwuuc
C:\Users\Admin\AppData\Roaming\swcwuuc
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 340
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3672

C:\Users\Admin\AppData\Roaming\awcwuuc
C:\Users\Admin\AppData\Roaming\awcwuuc
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3008

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:2180

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:392

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2888 -ip 2888
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4000 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:3624

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 884
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2520 -ip 2520
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2904

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4040

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 2592 -ip 2592
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1216 -s 840
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 368 -p 1216 -ip 1216
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3928 -s 812
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 3928 -ip 3928
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2080

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2080 -s 808
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 2080 -ip 2080
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

Peripheral Device Discovery

T1120

System Information Discovery

5