smokeloader | 20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585

General

Target

20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
Size

240KB
MD5

bda013087a8132ffc38bf59af9362f50
SHA1

5217d721e45a3bb2a7606ce81fcf17d33aa806a6
SHA256

20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585
SHA512

a6557e218b99b8576d9601d99d1c3844eef14f624b488e90ae5bbf5491f596af758c70590df4c8dc2a54abe8073001efc54235c39309d65c12bed152ff5b629e

Score

10^/10

smokeloader backdoor evasion persistence suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 3112 created 1424 3112 WerFault.exe explorer.exe
PID 2296 created 2712 2296 WerFault.exe DllHost.exe
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Drops file in Windows directory 1 IoCs

Processes:

TiWorker.exe

description ioc process

File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

216 1424 WerFault.exe explorer.exe
3696 2712 WerFault.exe DllHost.exe

description	pid	process	target process
PID 3112 created 1424	3112	WerFault.exe	explorer.exe
PID 2296 created 2712	2296	WerFault.exe	DllHost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

pid	pid_target	process	target process
216	1424	WerFault.exe	explorer.exe
3696	2712	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3932 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

376 ipconfig.exe
2824 NETSTAT.EXE
2480 NETSTAT.EXE
2100 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3756 systeminfo.exe

pid	process
3932	tasklist.exe

pid	process
376	ipconfig.exe
2824	NETSTAT.EXE
2480	NETSTAT.EXE
2100	ipconfig.exe

pid	process
3756	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{239F5F41-7F0D-11EC-82D0-F2F412B024C7} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4204303045"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4204303045"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4258052332"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937881"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937881"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937881"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe

pid	process
2448	20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
2448	20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424
2424

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2424

pid	process
2424

Suspicious behavior: MapViewOfSection 47 IoCs

Processes:

20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2448	20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
2424
2424
2424
2424
2424
2424
2576	explorer.exe
2576	explorer.exe
2424
2424
2900	explorer.exe
2900	explorer.exe
2424
2424
820	explorer.exe
820	explorer.exe
2424
2424
1848	explorer.exe
1848	explorer.exe
2424
2424
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
2424
2424
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1952	explorer.exe
1952	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3180	WMIC.exe
Token: SeSecurityPrivilege	3180	WMIC.exe
Token: SeTakeOwnershipPrivilege	3180	WMIC.exe
Token: SeLoadDriverPrivilege	3180	WMIC.exe
Token: SeSystemProfilePrivilege	3180	WMIC.exe
Token: SeSystemtimePrivilege	3180	WMIC.exe
Token: SeProfSingleProcessPrivilege	3180	WMIC.exe
Token: SeIncBasePriorityPrivilege	3180	WMIC.exe
Token: SeCreatePagefilePrivilege	3180	WMIC.exe
Token: SeBackupPrivilege	3180	WMIC.exe
Token: SeRestorePrivilege	3180	WMIC.exe
Token: SeShutdownPrivilege	3180	WMIC.exe
Token: SeDebugPrivilege	3180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3180	WMIC.exe
Token: SeRemoteShutdownPrivilege	3180	WMIC.exe
Token: SeUndockPrivilege	3180	WMIC.exe
Token: SeManageVolumePrivilege	3180	WMIC.exe
Token: 33	3180	WMIC.exe
Token: 34	3180	WMIC.exe
Token: 35	3180	WMIC.exe
Token: 36	3180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3180	WMIC.exe
Token: SeSecurityPrivilege	3180	WMIC.exe
Token: SeTakeOwnershipPrivilege	3180	WMIC.exe
Token: SeLoadDriverPrivilege	3180	WMIC.exe
Token: SeSystemProfilePrivilege	3180	WMIC.exe
Token: SeSystemtimePrivilege	3180	WMIC.exe
Token: SeProfSingleProcessPrivilege	3180	WMIC.exe
Token: SeIncBasePriorityPrivilege	3180	WMIC.exe
Token: SeCreatePagefilePrivilege	3180	WMIC.exe
Token: SeBackupPrivilege	3180	WMIC.exe
Token: SeRestorePrivilege	3180	WMIC.exe
Token: SeShutdownPrivilege	3180	WMIC.exe
Token: SeDebugPrivilege	3180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3180	WMIC.exe
Token: SeRemoteShutdownPrivilege	3180	WMIC.exe
Token: SeUndockPrivilege	3180	WMIC.exe
Token: SeManageVolumePrivilege	3180	WMIC.exe
Token: 33	3180	WMIC.exe
Token: 34	3180	WMIC.exe
Token: 35	3180	WMIC.exe
Token: 36	3180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe
Token: SeSecurityPrivilege	1328	WMIC.exe
Token: SeTakeOwnershipPrivilege	1328	WMIC.exe
Token: SeLoadDriverPrivilege	1328	WMIC.exe
Token: SeSystemProfilePrivilege	1328	WMIC.exe
Token: SeSystemtimePrivilege	1328	WMIC.exe
Token: SeProfSingleProcessPrivilege	1328	WMIC.exe
Token: SeIncBasePriorityPrivilege	1328	WMIC.exe
Token: SeCreatePagefilePrivilege	1328	WMIC.exe
Token: SeBackupPrivilege	1328	WMIC.exe
Token: SeRestorePrivilege	1328	WMIC.exe
Token: SeShutdownPrivilege	1328	WMIC.exe
Token: SeDebugPrivilege	1328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1328	WMIC.exe
Token: SeRemoteShutdownPrivilege	1328	WMIC.exe
Token: SeUndockPrivilege	1328	WMIC.exe
Token: SeManageVolumePrivilege	1328	WMIC.exe
Token: 33	1328	WMIC.exe
Token: 34	1328	WMIC.exe
Token: 35	1328	WMIC.exe
Token: 36	1328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2980 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2980 iexplore.exe
2980 iexplore.exe
2684 IEXPLORE.EXE
2684 IEXPLORE.EXE

pid	process
2980	iexplore.exe

pid	process
2980	iexplore.exe
2980	iexplore.exe
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2424 wrote to memory of 1532	2424		cmd.exe
PID 2424 wrote to memory of 1532	2424		cmd.exe
PID 1532 wrote to memory of 3180	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 3180	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 1328	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 1328	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 984	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 984	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 204	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 204	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 3932	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 3932	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 3092	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 3092	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 1952	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 1952	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 3396	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 3396	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 2412	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 2412	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 3640	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 3640	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 1244	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 1244	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 2956	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 2956	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 1936	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 1936	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 688	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 688	1532	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 376	1532	cmd.exe	ipconfig.exe
PID 1532 wrote to memory of 376	1532	cmd.exe	ipconfig.exe
PID 1532 wrote to memory of 2764	1532	cmd.exe	ROUTE.EXE
PID 1532 wrote to memory of 2764	1532	cmd.exe	ROUTE.EXE
PID 1532 wrote to memory of 60	1532	cmd.exe	netsh.exe
PID 1532 wrote to memory of 60	1532	cmd.exe	netsh.exe
PID 1532 wrote to memory of 3756	1532	cmd.exe	systeminfo.exe
PID 1532 wrote to memory of 3756	1532	cmd.exe	systeminfo.exe
PID 1532 wrote to memory of 3932	1532	cmd.exe	tasklist.exe
PID 1532 wrote to memory of 3932	1532	cmd.exe	tasklist.exe
PID 1532 wrote to memory of 1276	1532	cmd.exe	net.exe
PID 1532 wrote to memory of 1276	1532	cmd.exe	net.exe
PID 1276 wrote to memory of 736	1276	net.exe	net1.exe
PID 1276 wrote to memory of 736	1276	net.exe	net1.exe
PID 1532 wrote to memory of 1676	1532	cmd.exe	net.exe
PID 1532 wrote to memory of 1676	1532	cmd.exe	net.exe
PID 1676 wrote to memory of 3176	1676	net.exe	net1.exe
PID 1676 wrote to memory of 3176	1676	net.exe	net1.exe
PID 1532 wrote to memory of 1256	1532	cmd.exe	net.exe
PID 1532 wrote to memory of 1256	1532	cmd.exe	net.exe
PID 1256 wrote to memory of 632	1256	net.exe	net1.exe
PID 1256 wrote to memory of 632	1256	net.exe	net1.exe
PID 1532 wrote to memory of 3916	1532	cmd.exe	net.exe
PID 1532 wrote to memory of 3916	1532	cmd.exe	net.exe
PID 3916 wrote to memory of 552	3916	net.exe	net1.exe
PID 3916 wrote to memory of 552	3916	net.exe	net1.exe
PID 1532 wrote to memory of 1316	1532	cmd.exe	net.exe
PID 1532 wrote to memory of 1316	1532	cmd.exe	net.exe
PID 1532 wrote to memory of 1932	1532	cmd.exe	net.exe
PID 1532 wrote to memory of 1932	1532	cmd.exe	net.exe
PID 1932 wrote to memory of 3244	1932	net.exe	net1.exe
PID 1932 wrote to memory of 3244	1932	net.exe	net1.exe
PID 1532 wrote to memory of 1860	1532	cmd.exe	net.exe
PID 1532 wrote to memory of 1860	1532	cmd.exe	net.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2248

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2964

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2884

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2712 -s 392
2⤵
- Program crash
PID:3696

C:\Users\Admin\AppData\Local\Temp\20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe
"C:\Users\Admin\AppData\Local\Temp\20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2448

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 8778b8adcc7134b4ebb7d9af8defd959 YgVdqpoXwUiqHaJ9UTdVaQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:4032

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:984

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:204

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:3932

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3092

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:1952

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:3396

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:2412

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:3640

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:1244

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:2956

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:1936

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:688

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:376

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:2764

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:60

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:3756

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3932

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:736

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:3176

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:632

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:552

C:\Windows\system32\net.exe
net use
2⤵
PID:1316

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:3244

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:1860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:2296

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:3892

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:3056

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:2480

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:3008

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:2100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1800

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3432

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:336

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 872
2⤵
- Program crash
PID:216

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3436

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1424 -ip 1424
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3112

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2900

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:820

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1848

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1952

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 2712 -ip 2712
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/216-186-0x00000000032C0000-0x00000000032CB000-memory.dmp

Filesize
44KB

Download
memory/216-185-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/820-171-0x0000000000530000-0x0000000000535000-memory.dmp

Filesize
20KB

Download
memory/820-172-0x0000000000520000-0x0000000000529000-memory.dmp

Filesize
36KB

Download
memory/1340-180-0x00000000005A0000-0x00000000005AD000-memory.dmp

Filesize
52KB

Download
memory/1340-179-0x00000000005B0000-0x00000000005B7000-memory.dmp

Filesize
28KB

Download
memory/1424-166-0x0000000003000000-0x000000000306B000-memory.dmp

Filesize
428KB

Download
memory/1424-165-0x0000000003070000-0x00000000030E5000-memory.dmp

Filesize
468KB

Download
memory/1848-174-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/1848-173-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/1952-175-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/1952-176-0x0000000000110000-0x000000000011B000-memory.dmp

Filesize
44KB

Download
memory/2216-181-0x0000017C09D80000-0x0000017C09D81000-memory.dmp

Filesize
4KB

Download
memory/2248-182-0x000001A3E4F10000-0x000001A3E4F11000-memory.dmp

Filesize
4KB

Download
memory/2284-183-0x0000011A0C040000-0x0000011A0C041000-memory.dmp

Filesize
4KB

Download
memory/2424-133-0x0000000000B60000-0x0000000000B76000-memory.dmp

Filesize
88KB

Download
memory/2424-135-0x0000000007430000-0x000000000743F000-memory.dmp

Filesize
60KB

Download
memory/2448-131-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/2448-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2448-130-0x0000000000730000-0x0000000000758000-memory.dmp

Filesize
160KB

Download
memory/2512-184-0x00000165E3AD0000-0x00000165E3AD1000-memory.dmp

Filesize
4KB

Download
memory/2548-178-0x0000000004530000-0x000000000453B000-memory.dmp

Filesize
44KB

Download
memory/2548-177-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/2576-167-0x0000000003100000-0x0000000003107000-memory.dmp

Filesize
28KB

Download
memory/2576-168-0x00000000030F0000-0x00000000030FB000-memory.dmp

Filesize
44KB

Download
memory/2816-187-0x000001D585490000-0x000001D585491000-memory.dmp

Filesize
4KB

Download
memory/2884-188-0x0000022A2FDE0000-0x0000022A2FDE1000-memory.dmp

Filesize
4KB

Download
memory/2900-170-0x0000000000E30000-0x0000000000E3E000-memory.dmp

Filesize
56KB

Download
memory/2900-169-0x0000000000E40000-0x0000000000E49000-memory.dmp

Filesize
36KB

Download
memory/3436-164-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads