Analysis
Max time kernel: 155s
Max time network: 133s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 27-01-2022 04:24
Static task: static1
Behavioral task: behavioral1
Sample: ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
Resource: win10-en-20211208
General
Target: ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
Size: 241KB
MD5: cffd474ad7818304eb575dae2b0c52b1
SHA1: b27607d79eed909c629cc78e0fbd1bb830470db7
SHA256: ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2
SHA512: 1f9d7d934c81c902b19c877c150e1c44ce1db8b777b3bfd5099c20fca8c73a4861a98a2648751bbd9e6e0643218aad256b760555e559897ab2adcd26a6777975
Malware Config
Extracted
Family: smokeloader
Version: 2020
C2:
http://abpa.at/upload/
http://emaratghajari.com/upload/
http://d7qw.cn/upload/
http://alumik-group.ru/upload/
http://zamkikurgan.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
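The extracted C2 list is only useful if it is matched the way the loader uses it: SmokeLoader beacons to a fixed host and path, so a proxy-log search should key on (hostname, path) and ignore scheme, case and query string rather than compare whole URL strings. The script below is an added example, not part of this sandbox report; the C2 URLs are the ones extracted above, while the proxy log lines and client addresses are constructed for illustration.

```python
"""Match the SmokeLoader C2 list extracted from this sample against proxy logs.

Added example, not part of the sandbox report. C2 URLs are the report's own;
the proxy log lines below are constructed (squid-like: ts client method url status).
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

EXTRACTED_C2 = [
    "http://abpa.at/upload/",
    "http://emaratghajari.com/upload/",
    "http://d7qw.cn/upload/",
    "http://alumik-group.ru/upload/",
    "http://zamkikurgan.ru/upload/",
    "https://oakland-studio.video/search.php",
    "https://seattle-university.video/search.php",
]


@dataclass(frozen=True)
class C2Pattern:
    host: str  # lower-cased hostname
    path: str  # directory prefix ('/upload/') or exact file path ('/search.php')


def parse_c2(urls):
    """Normalise each C2 URL to a (host, path) pattern; scheme is dropped."""
    patterns = []
    for u in urls:
        parts = urlsplit(u)
        if not parts.hostname:
            raise ValueError(f"C2 entry without a host: {u!r}")
        patterns.append(C2Pattern(parts.hostname.lower(), parts.path or "/"))
    return patterns


def _host_match(host, c2_host):
    # exact host or a subdomain of it, so 'cdn.abpa.at' is covered by 'abpa.at'
    return host == c2_host or host.endswith("." + c2_host)


def _path_match(path, c2_path):
    # directory-style C2 paths match anything beneath them; file paths must be exact,
    # so '/upload/index.php' hits '/upload/' but '/uploads/x' does not
    if c2_path.endswith("/"):
        return path.startswith(c2_path)
    return path == c2_path


def match_url(url, patterns):
    """Return the C2Pattern a request URL matches, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for p in patterns:
        if _host_match(host, p.host) and _path_match(path, p.path):
            return p
    return None


# Constructed log lines; only the C2 hosts come from the report.
SAMPLE_PROXY_LOG = """\
1643257440.101 10.0.0.5 POST https://abpa.at/upload/ 200
1643257441.220 10.0.0.5 GET https://www.microsoft.com/ 200
1643257445.004 10.0.0.7 POST https://oakland-studio.video/search.php 200
1643257446.310 10.0.0.5 GET http://abpa.at/uploads/x 404
1643257447.000 10.0.0.9 POST http://cdn.abpa.at/upload/index.php 200
1643257448.000 10.0.0.9 GET https://oakland-studio.video/search.php?q=1 200
"""


def scan_proxy_log(text, patterns):
    """Return one hit dict per log line whose URL matches a C2 pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        ts, client, method, url, status = fields[:5]
        p = match_url(url, patterns)
        if p is not None:
            hits.append({"ts": float(ts), "client": client, "method": method,
                         "url": url, "status": status, "c2": p.host + p.path})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, parse_c2(EXTRACTED_C2)):
        print(hit)
```

Subdomain matching is a deliberate choice here: every listed host is attacker-controlled, so a request to any label under it is as interesting as one to the apex. Tighten `_host_match` to equality if the list ever includes shared hosting domains.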
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
-
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
Both ET rules match the text of Windows console command output in outbound traffic. Together with the route print run in the process tree below, they indicate that the collected reconnaissance output was sent off-host in cleartext.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
  4396  3360.exe
-
Modifies Windows Firewall 1 TTPs
The only firewall-related command in the process tree is netsh firewall show state, which reads the configuration rather than changing it; treat this signature as firewall discovery, not modification.
-
Deletes itself 1 IoCs
Processes:
  2612
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
The subkey 9375CFF0413111d3B88A00104B2A6676 is the Outlook account-settings store inside a MAPI profile, which holds mail server settings and stored credentials; reading it from an injected explorer.exe is credential-harvesting behaviour.
Processes (explorer.exe):
  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments: the device instance IDs under Enum\SCSI carry the disk vendor and model strings, and hypervisor-branded values there are a common virtual-machine tell.
Processes:
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3360.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3360.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3360.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
Processes:
  1604  ipconfig.exe
  1216  NETSTAT.EXE
  2968  NETSTAT.EXE
  1680  ipconfig.exe
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies Internet Explorer settings
These are Internet Explorer's own first-run, new-tab and VersionManager housekeeping writes (the DecayDateQueue values are DPAPI-protected blobs); the notable fact is that iexplore.exe was started at all during the run, via COM activation (-Embedding), rather than the content of the keys.
Processes (all keys below are under \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer):
  Key created       VersionManager  IEXPLORE.EXE
  Set value (data)  TabbedBrowsing\NewTabPage\LastProcessed = c01e26193613d801  iexplore.exe
  Key created       Main  IEXPLORE.EXE
  Set value (int)   TabbedBrowsing\NTPFirstRun = "1"  iexplore.exe
  Set value (data)  TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d70000000002000000000010660000000100002000000045255b64a1059007d5e19079f626f3317a59e883ad38cec33333efb2abfb5eed000000000e8000000002000020000000817190049ac759f9b98adce331ef79fd1e51c6a27108d4ba9411dcb75d71380d20000000ef6e6eb2e58dcc4847b8052cfbeca85b450828184254c4e11d3ae7f0a18bb90640000000df72cc0896d99f169c208b61ae4faf02be59c4959115604aee6126286ee3801a138b4a533c918bcbf33f546bfa52534ef7da3c74decb09ffd485773e68a372a6  iexplore.exe
  Set value (data)  TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d7000000000200000000001066000000010000200000009a34cf2fb830cf2b4be32d541a22922beac021eb3cdae17dc2dbefb3771a8419000000000e8000000002000020000000f99e9efac113b89eb7a1832918526560e950ae0d0f925de559158d26c56b76ac20000000d0c6441104950142131482528b06dc026052fdd2b39c3d2878c287c3c58d273e400000009152e78a555ae812b78020f30e97d561426623325cebc48880ae32928e596fc14ec43475b35f46198f154ecf12d530537e8db237a3114ce79a11aa43525aeaa9  iexplore.exe
  Set value (int)   VersionManager\LastTTLLowDateTime = "1251635200"  iexplore.exe
  Set value (int)   VersionManager\LastCheckForUpdateLowDateTime = "383341379"  IEXPLORE.EXE
  Set value (int)   VersionManager\LastTTLHighDateTime = "50"  iexplore.exe
  Set value (int)   VersionManager\LastCheckForUpdateLowDateTime = "373809362"  iexplore.exe
  Set value (int)   VersionManager\LastCheckForUpdateHighDateTime = "30937910"  iexplore.exe
  Set value (int)   Main\DisableFirstRunCustomize = "1"  (no process recorded)
  Key created       Main  iexplore.exe
  Key created       Main\WindowsSearch  iexplore.exe
  Set value (str)   Main\FullScreen = "no"  iexplore.exe
  Set value (int)   VersionManager\LastUpdateLowDateTime = "373809362"  iexplore.exe
  Key created       TabbedBrowsing  iexplore.exe
  Key created       TabbedBrowsing\NewTabPage  iexplore.exe
  Set value (int)   Recovery\AdminActive\{41CDA53C-7F29-11EC-9231-46AC2453C65E} = "0"  iexplore.exe
  Set value (int)   Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
  Key created       Main  (logged under the SOFTWARE\Microsoft\Internet Explorer spelling; no process recorded)
  Set value (int)   Main\CompatibilityFlags = "0"  iexplore.exe
  Set value (str)   Main\WindowsSearch\Version = "WS not running"  iexplore.exe
  Set value (int)   VersionManager\LastUpdateHighDateTime = "30937910"  iexplore.exe
  Set value (int)   VersionManager\LastCheckForUpdateHighDateTime = "30937910"  IEXPLORE.EXE
  Key created       Recovery\AdminActive  iexplore.exe
  Key created       Recovery\PendingRecovery  iexplore.exe
  Key created       VersionManager  iexplore.exe
  Set value (data)  TabbedBrowsing\NewTabPage\LastProcessed = 805d40193613d801  iexplore.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  3380  ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe  (2 events)
  2612  (62 events; process name not recorded)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  2612
-
Suspicious behavior: MapViewOfSection 28 IoCs
The order below matters: pid 2612 maps a section, then a freshly started explorer.exe does, and the pair repeats for each of the five explorer.exe instances in the process tree. That is consistent with 2612 mapping its payload into each new explorer.exe it spawns.
Processes (in event order):
  3380  ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
  4396  3360.exe
  2612  (x6)
  1900  explorer.exe (x2)
  2612  (x2)
  3712  explorer.exe (x2)
  2612  (x2)
  3648  explorer.exe (x2)
  2612  (x2)
  3252  explorer.exe (x2)
  2612  (x2)
  2472  explorer.exe (x2)
  2612  (x2)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
WMIC.exe enables every privilege available to its token when it starts, so this signature reflects the tool rather than a malware-specific privilege change; the signal is that wmic was run with the queries listed in the process tree.
Processes:
  WMIC.exe (pid 396) and WMIC.exe (pid 3156) each enabled the same set of privileges:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    and privilege LUIDs 33, 34, 35, 36
  pid 396:  the full list twice (42 events)
  pid 3156: the full list once, then SeIncreaseQuotaPrivilege again before the 64-IoC cap (22 events)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  1956  iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  1956  iexplore.exe  (x2)
  2504  IEXPLORE.EXE  (x2)
-
Suspicious use of WriteProcessMemory 64 IoCs
A parent writing into a child it has just created is the ordinary process-creation pattern, which is why every cmd.exe child appears with a pair of writes. The writes worth attention are the first two: pid 2612, the unnamed process that also carries the Deletes itself and GetForegroundWindowSpam signatures, writes into 3360.exe and into the cmd.exe that drives the reconnaissance.
Processes (source -> target, write count):
  2612 -> 4396 3360.exe (3)
  2612 -> 3928 cmd.exe (2)
  3928 cmd.exe -> WMIC.exe pids 396, 3156, 532, 768, 1096, 3052, 3812, 4256, 4804, 4920, 1464, 2896, 4880, 4568 (2 each)
  3928 cmd.exe -> 1604 ipconfig.exe (2)
  3928 cmd.exe -> 4600 ROUTE.EXE (2)
  3928 cmd.exe -> 4276 netsh.exe (2)
  3928 cmd.exe -> 2912 systeminfo.exe (2)
  3928 cmd.exe -> 3304 tasklist.exe (2)
  3928 cmd.exe -> 716 net.exe (2);  716 net.exe -> 4780 net1.exe (2)
  3928 cmd.exe -> 4956 net.exe (2);  4956 net.exe -> 1784 net1.exe (2)
  3928 cmd.exe -> 4584 net.exe (2);  4584 net.exe -> 4732 net1.exe (2)
  3928 cmd.exe -> 4972 net.exe (2);  4972 net.exe -> 1444 net1.exe (2)
  3928 cmd.exe -> 968 net.exe (2)
  3928 cmd.exe -> 1928 net.exe (2);  1928 net.exe -> 2176 net1.exe (1, list truncated at the 64-IoC cap)
-
outlook_office_path 1 IoCs
Processes (explorer.exe):
  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path 1 IoCs
Processes (explorer.exe):
  Key opened  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
Child processes are indented under their parent; the signatures each process triggered are listed as bullets beneath it.

C:\Users\Admin\AppData\Local\Temp\ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\3360.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3360.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

C:\Windows\system32\cmd.exe
  Command line: cmd
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
    C:\Windows\system32\ipconfig.exe
      Command line: ipconfig /displaydns
      - Gathers network information
    C:\Windows\system32\ROUTE.EXE
      Command line: route print
    C:\Windows\system32\netsh.exe
      Command line: netsh firewall show state
    C:\Windows\system32\systeminfo.exe
      Command line: systeminfo
      - Gathers system information
    C:\Windows\system32\tasklist.exe
      Command line: tasklist /v
      - Enumerates processes with tasklist
    C:\Windows\system32\net.exe
      Command line: net accounts /domain
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 accounts /domain
    C:\Windows\system32\net.exe
      Command line: net share
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 share
    C:\Windows\system32\net.exe
      Command line: net user
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 user
    C:\Windows\system32\net.exe
      Command line: net user /domain
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 user /domain
    C:\Windows\system32\net.exe
      Command line: net use
    C:\Windows\system32\net.exe
      Command line: net group
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 group
    C:\Windows\system32\net.exe
      Command line: net localgroup
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 localgroup
    C:\Windows\system32\NETSTAT.EXE
      Command line: netstat -r
      - Gathers network information
        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
          (netstat -r itself runs route print; this nested cmd.exe is netstat's doing, not a separate malware action)
            C:\Windows\system32\ROUTE.EXE
              Command line: C:\Windows\system32\route.exe print
    C:\Windows\system32\NETSTAT.EXE
      Command line: netstat -nao
      - Gathers network information
    C:\Windows\system32\schtasks.exe
      Command line: schtasks /query
    C:\Windows\system32\ipconfig.exe
      Command line: ipconfig /all
      - Gathers network information

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  (Windows Installer server process; the Win32_Product WMI query above triggers an installer consistency check, which is the likely reason it appears here)

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:82945 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
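The process tree above is a textbook host-reconnaissance burst: one cmd.exe parent runs wmic against SecurityCenter2 (installed AV, firewall and anti-spyware products), then ipconfig, route, netsh, systeminfo, tasklist, net and netstat within seconds of each other. Each of those tools is benign on its own; the detection is the combination under one parent in a short window. The script below is an added example, not part of this sandbox report: it reads process-creation events in a Sysmon Event ID 1-like JSON-lines form (the field names are Sysmon's; the events themselves are constructed from the tree above, and the timestamps, the explorer.exe child and its pid 5100 are invented) and raises one alert per parent that crosses the threshold. The window and tool-count thresholds are assumptions to tune, not validated values.

```python
"""Flag a host-reconnaissance burst like the one in the process tree above.

Added example, not part of the sandbox report. Input is Sysmon Event ID 1-style
JSON lines (Sysmon field names); the sample events are constructed from the
report's tree, with invented timestamps and one invented benign event.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries that appear under cmd.exe in the report's process tree.
RECON_IMAGES = {
    "wmic.exe", "ipconfig.exe", "route.exe", "netsh.exe", "systeminfo.exe",
    "tasklist.exe", "net.exe", "netstat.exe", "schtasks.exe",
}
# WMI classes under root\SecurityCenter2 that enumerate installed security products.
SECURITY_PRODUCT_CLASSES = ("antivirusproduct", "firewallproduct", "antispywareproduct")

WINDOW = timedelta(seconds=120)   # assumption: burst window
MIN_DISTINCT_TOOLS = 4            # assumption: distinct tools needed to alert

# Constructed events (Sysmon field names). Real Sysmon logs carry more fields.
SAMPLE_EVENTS = r"""
{"UtcTime": "2022-01-27 04:25:01.000", "ProcessId": 396, "Image": "C:\\Windows\\System32\\Wbem\\WMIC.exe", "CommandLine": "wmic /namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv", "ParentProcessId": 3928, "ParentImage": "C:\\Windows\\system32\\cmd.exe"}
{"UtcTime": "2022-01-27 04:25:02.500", "ProcessId": 3156, "Image": "C:\\Windows\\System32\\Wbem\\WMIC.exe", "CommandLine": "wmic /namespace:\\\\root\\SecurityCenter2 Path FirewallProduct Get displayName /format:csv", "ParentProcessId": 3928, "ParentImage": "C:\\Windows\\system32\\cmd.exe"}
{"UtcTime": "2022-01-27 04:25:04.000", "ProcessId": 1604, "Image": "C:\\Windows\\system32\\ipconfig.exe", "CommandLine": "ipconfig /displaydns", "ParentProcessId": 3928, "ParentImage": "C:\\Windows\\system32\\cmd.exe"}
{"UtcTime": "2022-01-27 04:25:06.000", "ProcessId": 2912, "Image": "C:\\Windows\\system32\\systeminfo.exe", "CommandLine": "systeminfo", "ParentProcessId": 3928, "ParentImage": "C:\\Windows\\system32\\cmd.exe"}
{"UtcTime": "2022-01-27 04:25:09.000", "ProcessId": 3304, "Image": "C:\\Windows\\system32\\tasklist.exe", "CommandLine": "tasklist /v", "ParentProcessId": 3928, "ParentImage": "C:\\Windows\\system32\\cmd.exe"}
{"UtcTime": "2022-01-27 04:25:12.000", "ProcessId": 716, "Image": "C:\\Windows\\system32\\net.exe", "CommandLine": "net accounts /domain", "ParentProcessId": 3928, "ParentImage": "C:\\Windows\\system32\\cmd.exe"}
{"UtcTime": "2022-01-27 04:31:00.000", "ProcessId": 5100, "Image": "C:\\Windows\\system32\\ipconfig.exe", "CommandLine": "ipconfig /all", "ParentProcessId": 1900, "ParentImage": "C:\\Windows\\explorer.exe"}
"""


def image_name(path):
    """Lower-cased file name of an image path ('C:\\...\\WMIC.exe' -> 'wmic.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON lines into dicts with UtcTime as datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["UtcTime"] = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(e)
    return sorted(events, key=lambda e: e["UtcTime"])


def is_security_product_query(cmdline):
    """True for wmic queries against the SecurityCenter2 product classes."""
    c = cmdline.lower()
    return "securitycenter2" in c and any(k in c for k in SECURITY_PRODUCT_CLASSES)


def detect_recon_bursts(events, window=WINDOW, min_tools=MIN_DISTINCT_TOOLS):
    """Return one alert per parent that ran >= min_tools distinct discovery
    tools within `window`. `events` must be time-ordered (see parse_events)."""
    by_parent = defaultdict(list)
    for e in events:
        if image_name(e["Image"]) in RECON_IMAGES:
            by_parent[(e["ParentProcessId"], image_name(e["ParentImage"]))].append(e)

    alerts = []
    for (ppid, pimage), evs in by_parent.items():
        # Slide a window anchored at each event; alert on the first one that qualifies.
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["UtcTime"] - first["UtcTime"] <= window]
            tools = sorted({image_name(e["Image"]) for e in burst})
            if len(tools) >= min_tools:
                cmds = [e["CommandLine"] for e in burst]
                alerts.append({
                    "parent_pid": ppid,
                    "parent_image": pimage,
                    "window_start": first["UtcTime"],
                    "tools": tools,
                    "commands": cmds,
                    "security_product_discovery": any(is_security_product_query(c) for c in cmds),
                })
                break  # one alert per parent
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_bursts(parse_events(SAMPLE_EVENTS)):
        print(alert["parent_image"], alert["parent_pid"], alert["tools"],
              "security-product discovery" if alert["security_product_discovery"] else "")
```

Keying on the parent rather than on each child is what keeps this quiet on administrator hosts, where a single ipconfig or tasklist is routine; the SecurityCenter2 flag is worth surfacing separately because that query has almost no legitimate interactive use.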
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The two CryptnetUrlCache entries are written by Windows CryptoAPI when it fetches certificate-chain data (CRL, OCSP or intermediate certificates) and are a side effect of the run, not payloads; the dropped 3360.exe is the download that matters.
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5: 942e4b875d6fc324829d7add8972da18
SHA1: 85d7d93c66f7f016b506120e7b5926ffda63b19f
SHA256: 496c2463e42319b77f2981e69f606e96ee02090b60c254c5320f93dfd1367023
SHA512: 0017d70098b97e5b8d2dcc7aae644ed7dd5faf842c5d854268ddcec7e930b8224390f11bd400753e72c046ffa52c109cbedeebb065f434a286c5e4af75163903
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5: e4abbadff6fcda7211b05f2e9dcd528a
SHA1: c71676f029797babf72ac01e60cb26eae33eef73
SHA256: 04d77570c316685b8eb9688685cf9c4d1e620e326ea889dae20ac0fad01aa007
SHA512: 0eabdbcf94d967288c9666870822c2d4bafb1325e04f498c36913da3880349108cccfa2b9926fbc3346be5c028e037230862b586295df997944c6d937331026c
-
C:\Users\Admin\AppData\Local\Temp\3360.exe
MD5: bda013087a8132ffc38bf59af9362f50
SHA1: 5217d721e45a3bb2a7606ce81fcf17d33aa806a6
SHA256: 20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585
SHA512: a6557e218b99b8576d9601d99d1c3844eef14f624b488e90ae5bbf5491f596af758c70590df4c8dc2a54abe8073001efc54235c39309d65c12bed152ff5b629e
-
Memory dumps (pid-index, region, size):
memory/1044-134-0x0000000003270000-0x00000000032E5000-memory.dmp  468KB
memory/1044-135-0x0000000003200000-0x000000000326B000-memory.dmp  428KB
memory/1900-138-0x00000000025C0000-0x00000000025CB000-memory.dmp  44KB
memory/1900-137-0x00000000025D0000-0x00000000025D7000-memory.dmp  28KB
memory/1996-136-0x0000000001230000-0x000000000123C000-memory.dmp  48KB
memory/2472-146-0x00000000025C0000-0x00000000025CB000-memory.dmp  44KB
memory/2472-145-0x00000000025D0000-0x00000000025D6000-memory.dmp  24KB
memory/2612-127-0x0000000002FD0000-0x0000000002FDF000-memory.dmp  60KB
memory/2612-124-0x0000000002E30000-0x0000000002E46000-memory.dmp  88KB
memory/2612-118-0x0000000000D20000-0x0000000000D36000-memory.dmp  88KB
memory/3252-143-0x0000000000950000-0x0000000000956000-memory.dmp  24KB
memory/3252-144-0x0000000000940000-0x000000000094C000-memory.dmp  48KB
memory/3380-117-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
memory/3380-116-0x0000000000570000-0x0000000000579000-memory.dmp  36KB
memory/3380-115-0x00000000006D0000-0x00000000006F3000-memory.dmp  140KB
memory/3648-142-0x0000000002EA0000-0x0000000002EA9000-memory.dmp  36KB
memory/3648-141-0x0000000002EB0000-0x0000000002EB5000-memory.dmp  20KB
memory/3712-140-0x0000000000AC0000-0x0000000000ACE000-memory.dmp  56KB
memory/3712-139-0x0000000000AD0000-0x0000000000AD9000-memory.dmp  36KB
memory/4396-123-0x0000000000400000-0x0000000000442000-memory.dmp  264KB
memory/4396-122-0x0000000000450000-0x00000000004FE000-memory.dmp  696KB
memory/4964-147-0x0000000000500000-0x0000000000507000-memory.dmp  28KB
memory/4964-148-0x00000000004F0000-0x00000000004FD000-memory.dmp  52KB