Analysis
- max time kernel: 153s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 27-01-2022 00:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: 20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
- Resource: win10v2004-en-20220112
General
- Target: 20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
- Size: 240KB
- MD5: bda013087a8132ffc38bf59af9362f50
- SHA1: 5217d721e45a3bb2a7606ce81fcf17d33aa806a6
- SHA256: 20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585
- SHA512: a6557e218b99b8576d9601d99d1c3844eef14f624b488e90ae5bbf5491f596af758c70590df4c8dc2a54abe8073001efc54235c39309d65c12bed152ff5b629e
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2: https://oakland-studio.video/search.php
- C2: https://seattle-university.video/search.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
  Processes:
  description              pid    process        target process
  PID 3112 created 1424    3112   WerFault.exe   explorer.exe
  PID 2296 created 2712    2296   WerFault.exe   DllHost.exe
- suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Drops file in Windows directory (1 IoCs)
  Processes:
  description                    ioc                           process
  File opened for modification   C:\Windows\Logs\CBS\CBS.log   TiWorker.exe
- Program crash (2 IoCs)
  Processes:
  pid    pid_target   process        target process
  216    1424         WerFault.exe   explorer.exe
  3696   2712         WerFault.exe   DllHost.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description      ioc                                                process
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- Gathers network information (2 TTPs, 4 IoCs)
  Uses commandline utility to view network configuration.
  Processes:
  pid    process
  376    ipconfig.exe
  2824   NETSTAT.EXE
  2480   NETSTAT.EXE
  2100   ipconfig.exe
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
- Modifies data under HKEY_USERS (41 IoCs)
  Processes: WaaSMedicAgent.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid    process
  2424
- Suspicious behavior: MapViewOfSection (47 IoCs)
  Processes: 20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe, explorer.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: WMIC.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
  pid    process
  2980   iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  pid    process
  2980   iexplore.exe
  2980   iexplore.exe
  2684   IEXPLORE.EXE
  2684   IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: cmd.exe, net.exe
Processes
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2712 -s 392
    Signatures: Program crash
- C:\Users\Admin\AppData\Local\Temp\20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 8778b8adcc7134b4ebb7d9af8defd959 YgVdqpoXwUiqHaJ9UTdVaQ.0.1.0.0.0
  Signatures: Modifies data under HKEY_USERS
- C:\Windows\system32\cmd.exe
  Command line: cmd
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  - C:\Windows\system32\ipconfig.exe
    Command line: ipconfig /displaydns
    Signatures: Gathers network information
  - C:\Windows\system32\ROUTE.EXE
    Command line: route print
  - C:\Windows\system32\netsh.exe
    Command line: netsh firewall show state
  - C:\Windows\system32\systeminfo.exe
    Command line: systeminfo
    Signatures: Gathers system information
  - C:\Windows\system32\tasklist.exe
    Command line: tasklist /v
    Signatures: Enumerates processes with tasklist
  - C:\Windows\system32\net.exe
    Command line: net accounts /domain
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 accounts /domain
  - C:\Windows\system32\net.exe
    Command line: net share
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 share
  - C:\Windows\system32\net.exe
    Command line: net user
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user
  - C:\Windows\system32\net.exe
    Command line: net user /domain
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user /domain
  - C:\Windows\system32\net.exe
    Command line: net use
  - C:\Windows\system32\net.exe
    Command line: net group
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 group
  - C:\Windows\system32\net.exe
    Command line: net localgroup
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 localgroup
  - C:\Windows\system32\NETSTAT.EXE
    Command line: netstat -r
    Signatures: Gathers network information
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      - C:\Windows\system32\ROUTE.EXE
        Command line: C:\Windows\system32\route.exe print
  - C:\Windows\system32\NETSTAT.EXE
    Command line: netstat -nao
    Signatures: Gathers network information
  - C:\Windows\system32\schtasks.exe
    Command line: schtasks /query
  - C:\Windows\system32\ipconfig.exe
    Command line: ipconfig /all
    Signatures: Gathers network information
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  Signatures: Drops file in Windows directory
- C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:17410 /prefetch:2
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 872
    Signatures: Program crash
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1424 -ip 1424
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  Signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 360 -p 2712 -ip 2712
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess
Downloads
- memory/216-186-0x00000000032C0000-0x00000000032CB000-memory.dmp (44KB)
- memory/216-185-0x00000000032D0000-0x00000000032D1000-memory.dmp (4KB)
- memory/820-171-0x0000000000530000-0x0000000000535000-memory.dmp (20KB)
- memory/820-172-0x0000000000520000-0x0000000000529000-memory.dmp (36KB)
- memory/1340-180-0x00000000005A0000-0x00000000005AD000-memory.dmp (52KB)
- memory/1340-179-0x00000000005B0000-0x00000000005B7000-memory.dmp (28KB)
- memory/1424-166-0x0000000003000000-0x000000000306B000-memory.dmp (428KB)
- memory/1424-165-0x0000000003070000-0x00000000030E5000-memory.dmp (468KB)
- memory/1848-174-0x00000000001F0000-0x00000000001FC000-memory.dmp (48KB)
- memory/1848-173-0x0000000000480000-0x0000000000486000-memory.dmp (24KB)
- memory/1952-175-0x0000000000120000-0x0000000000126000-memory.dmp (24KB)
- memory/1952-176-0x0000000000110000-0x000000000011B000-memory.dmp (44KB)
- memory/2216-181-0x0000017C09D80000-0x0000017C09D81000-memory.dmp (4KB)
- memory/2248-182-0x000001A3E4F10000-0x000001A3E4F11000-memory.dmp (4KB)
- memory/2284-183-0x0000011A0C040000-0x0000011A0C041000-memory.dmp (4KB)
- memory/2424-133-0x0000000000B60000-0x0000000000B76000-memory.dmp (88KB)
- memory/2424-135-0x0000000007430000-0x000000000743F000-memory.dmp (60KB)
- memory/2448-131-0x00000000005D0000-0x00000000005D9000-memory.dmp (36KB)
- memory/2448-132-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
- memory/2448-130-0x0000000000730000-0x0000000000758000-memory.dmp (160KB)
- memory/2512-184-0x00000165E3AD0000-0x00000165E3AD1000-memory.dmp (4KB)
- memory/2548-178-0x0000000004530000-0x000000000453B000-memory.dmp (44KB)
- memory/2548-177-0x0000000004540000-0x0000000004541000-memory.dmp (4KB)
- memory/2576-167-0x0000000003100000-0x0000000003107000-memory.dmp (28KB)
- memory/2576-168-0x00000000030F0000-0x00000000030FB000-memory.dmp (44KB)
- memory/2816-187-0x000001D585490000-0x000001D585491000-memory.dmp (4KB)
- memory/2884-188-0x0000022A2FDE0000-0x0000022A2FDE1000-memory.dmp (4KB)
- memory/2900-170-0x0000000000E30000-0x0000000000E3E000-memory.dmp (56KB)
- memory/2900-169-0x0000000000E40000-0x0000000000E49000-memory.dmp (36KB)
- memory/3436-164-0x0000000000AC0000-0x0000000000ACC000-memory.dmp (48KB)