smokeloader | ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2

General

Target

ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
Size

241KB
MD5

cffd474ad7818304eb575dae2b0c52b1
SHA1

b27607d79eed909c629cc78e0fbd1bb830470db7
SHA256

ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2
SHA512

1f9d7d934c81c902b19c877c150e1c44ce1db8b777b3bfd5099c20fca8c73a4861a98a2648751bbd9e6e0643218aad256b760555e559897ab2adcd26a6777975

Score

10^/10

smokeloader backdoor collection evasion suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://abpa.at/upload/

http://emaratghajari.com/upload/

http://d7qw.cn/upload/

http://alumik-group.ru/upload/

http://zamkikurgan.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

3360.exe

pid process

4396 3360.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

2612

pid	process
4396	3360.exe

pid	process
2612

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3360.exeee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3360.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3360.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3360.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3304 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

1604 ipconfig.exe
1216 NETSTAT.EXE
2968 NETSTAT.EXE
1680 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2912 systeminfo.exe

pid	process
3304	tasklist.exe

pid	process
1604	ipconfig.exe
1216	NETSTAT.EXE
2968	NETSTAT.EXE
1680	ipconfig.exe

pid	process
2912	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c01e26193613d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d70000000002000000000010660000000100002000000045255b64a1059007d5e19079f626f3317a59e883ad38cec33333efb2abfb5eed000000000e8000000002000020000000817190049ac759f9b98adce331ef79fd1e51c6a27108d4ba9411dcb75d71380d20000000ef6e6eb2e58dcc4847b8052cfbeca85b450828184254c4e11d3ae7f0a18bb90640000000df72cc0896d99f169c208b61ae4faf02be59c4959115604aee6126286ee3801a138b4a533c918bcbf33f546bfa52534ef7da3c74decb09ffd485773e68a372a6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d7000000000200000000001066000000010000200000009a34cf2fb830cf2b4be32d541a22922beac021eb3cdae17dc2dbefb3771a8419000000000e8000000002000020000000f99e9efac113b89eb7a1832918526560e950ae0d0f925de559158d26c56b76ac20000000d0c6441104950142131482528b06dc026052fdd2b39c3d2878c287c3c58d273e400000009152e78a555ae812b78020f30e97d561426623325cebc48880ae32928e596fc14ec43475b35f46198f154ecf12d530537e8db237a3114ce79a11aa43525aeaa9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "383341379"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "373809362"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937910"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "373809362"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{41CDA53C-7F29-11EC-9231-46AC2453C65E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937910"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937910"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805d40193613d801	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe

pid	process
3380	ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
3380	ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612
2612

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2612

pid	process
2612

Suspicious behavior: MapViewOfSection 28 IoCs

Processes:

ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe3360.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3380	ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
4396	3360.exe
2612
2612
2612
2612
2612
2612
1900	explorer.exe
1900	explorer.exe
2612
2612
3712	explorer.exe
3712	explorer.exe
2612
2612
3648	explorer.exe
3648	explorer.exe
2612
2612
3252	explorer.exe
3252	explorer.exe
2612
2612
2472	explorer.exe
2472	explorer.exe
2612
2612

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	396	WMIC.exe
Token: SeSecurityPrivilege	396	WMIC.exe
Token: SeTakeOwnershipPrivilege	396	WMIC.exe
Token: SeLoadDriverPrivilege	396	WMIC.exe
Token: SeSystemProfilePrivilege	396	WMIC.exe
Token: SeSystemtimePrivilege	396	WMIC.exe
Token: SeProfSingleProcessPrivilege	396	WMIC.exe
Token: SeIncBasePriorityPrivilege	396	WMIC.exe
Token: SeCreatePagefilePrivilege	396	WMIC.exe
Token: SeBackupPrivilege	396	WMIC.exe
Token: SeRestorePrivilege	396	WMIC.exe
Token: SeShutdownPrivilege	396	WMIC.exe
Token: SeDebugPrivilege	396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	396	WMIC.exe
Token: SeRemoteShutdownPrivilege	396	WMIC.exe
Token: SeUndockPrivilege	396	WMIC.exe
Token: SeManageVolumePrivilege	396	WMIC.exe
Token: 33	396	WMIC.exe
Token: 34	396	WMIC.exe
Token: 35	396	WMIC.exe
Token: 36	396	WMIC.exe
Token: SeIncreaseQuotaPrivilege	396	WMIC.exe
Token: SeSecurityPrivilege	396	WMIC.exe
Token: SeTakeOwnershipPrivilege	396	WMIC.exe
Token: SeLoadDriverPrivilege	396	WMIC.exe
Token: SeSystemProfilePrivilege	396	WMIC.exe
Token: SeSystemtimePrivilege	396	WMIC.exe
Token: SeProfSingleProcessPrivilege	396	WMIC.exe
Token: SeIncBasePriorityPrivilege	396	WMIC.exe
Token: SeCreatePagefilePrivilege	396	WMIC.exe
Token: SeBackupPrivilege	396	WMIC.exe
Token: SeRestorePrivilege	396	WMIC.exe
Token: SeShutdownPrivilege	396	WMIC.exe
Token: SeDebugPrivilege	396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	396	WMIC.exe
Token: SeRemoteShutdownPrivilege	396	WMIC.exe
Token: SeUndockPrivilege	396	WMIC.exe
Token: SeManageVolumePrivilege	396	WMIC.exe
Token: 33	396	WMIC.exe
Token: 34	396	WMIC.exe
Token: 35	396	WMIC.exe
Token: 36	396	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3156	WMIC.exe
Token: SeSecurityPrivilege	3156	WMIC.exe
Token: SeTakeOwnershipPrivilege	3156	WMIC.exe
Token: SeLoadDriverPrivilege	3156	WMIC.exe
Token: SeSystemProfilePrivilege	3156	WMIC.exe
Token: SeSystemtimePrivilege	3156	WMIC.exe
Token: SeProfSingleProcessPrivilege	3156	WMIC.exe
Token: SeIncBasePriorityPrivilege	3156	WMIC.exe
Token: SeCreatePagefilePrivilege	3156	WMIC.exe
Token: SeBackupPrivilege	3156	WMIC.exe
Token: SeRestorePrivilege	3156	WMIC.exe
Token: SeShutdownPrivilege	3156	WMIC.exe
Token: SeDebugPrivilege	3156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3156	WMIC.exe
Token: SeRemoteShutdownPrivilege	3156	WMIC.exe
Token: SeUndockPrivilege	3156	WMIC.exe
Token: SeManageVolumePrivilege	3156	WMIC.exe
Token: 33	3156	WMIC.exe
Token: 34	3156	WMIC.exe
Token: 35	3156	WMIC.exe
Token: 36	3156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3156	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1956 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1956 iexplore.exe
1956 iexplore.exe
2504 IEXPLORE.EXE
2504 IEXPLORE.EXE

pid	process
1956	iexplore.exe

pid	process
1956	iexplore.exe
1956	iexplore.exe
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2612 wrote to memory of 4396	2612		3360.exe
PID 2612 wrote to memory of 4396	2612		3360.exe
PID 2612 wrote to memory of 4396	2612		3360.exe
PID 2612 wrote to memory of 3928	2612		cmd.exe
PID 2612 wrote to memory of 3928	2612		cmd.exe
PID 3928 wrote to memory of 396	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 396	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 3156	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 3156	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 532	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 532	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 768	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 768	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 1096	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 1096	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 3052	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 3052	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 3812	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 3812	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4256	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4256	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4804	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4804	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4920	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4920	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 1464	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 1464	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 2896	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 2896	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4880	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4880	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4568	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4568	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 1604	3928	cmd.exe	ipconfig.exe
PID 3928 wrote to memory of 1604	3928	cmd.exe	ipconfig.exe
PID 3928 wrote to memory of 4600	3928	cmd.exe	ROUTE.EXE
PID 3928 wrote to memory of 4600	3928	cmd.exe	ROUTE.EXE
PID 3928 wrote to memory of 4276	3928	cmd.exe	netsh.exe
PID 3928 wrote to memory of 4276	3928	cmd.exe	netsh.exe
PID 3928 wrote to memory of 2912	3928	cmd.exe	systeminfo.exe
PID 3928 wrote to memory of 2912	3928	cmd.exe	systeminfo.exe
PID 3928 wrote to memory of 3304	3928	cmd.exe	tasklist.exe
PID 3928 wrote to memory of 3304	3928	cmd.exe	tasklist.exe
PID 3928 wrote to memory of 716	3928	cmd.exe	net.exe
PID 3928 wrote to memory of 716	3928	cmd.exe	net.exe
PID 716 wrote to memory of 4780	716	net.exe	net1.exe
PID 716 wrote to memory of 4780	716	net.exe	net1.exe
PID 3928 wrote to memory of 4956	3928	cmd.exe	net.exe
PID 3928 wrote to memory of 4956	3928	cmd.exe	net.exe
PID 4956 wrote to memory of 1784	4956	net.exe	net1.exe
PID 4956 wrote to memory of 1784	4956	net.exe	net1.exe
PID 3928 wrote to memory of 4584	3928	cmd.exe	net.exe
PID 3928 wrote to memory of 4584	3928	cmd.exe	net.exe
PID 4584 wrote to memory of 4732	4584	net.exe	net1.exe
PID 4584 wrote to memory of 4732	4584	net.exe	net1.exe
PID 3928 wrote to memory of 4972	3928	cmd.exe	net.exe
PID 3928 wrote to memory of 4972	3928	cmd.exe	net.exe
PID 4972 wrote to memory of 1444	4972	net.exe	net1.exe
PID 4972 wrote to memory of 1444	4972	net.exe	net1.exe
PID 3928 wrote to memory of 968	3928	cmd.exe	net.exe
PID 3928 wrote to memory of 968	3928	cmd.exe	net.exe
PID 3928 wrote to memory of 1928	3928	cmd.exe	net.exe
PID 3928 wrote to memory of 1928	3928	cmd.exe	net.exe
PID 1928 wrote to memory of 2176	1928	net.exe	net1.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe
"C:\Users\Admin\AppData\Local\Temp\ee1f203a8db154c323fc1d72950a1ad367a94ca45da2ba726cbcb8708ab12cd2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3380

C:\Users\Admin\AppData\Local\Temp\3360.exe
C:\Users\Admin\AppData\Local\Temp\3360.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4396

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:532

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:768

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:1096

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3052

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3812

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:4256

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:4804

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:4920

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:1464

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:2896

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:4880

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:4568

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:1604

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:4600

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:4276

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:2912

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3304

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:4780

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:1784

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:4732

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:1444

C:\Windows\system32\net.exe
net use
2⤵
PID:968

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:2176

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:2184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:1340

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:1520

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:2576

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:2968

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:1684

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:1680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1044

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1996

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1900

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3712

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3648

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3252

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2472

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
942e4b875d6fc324829d7add8972da18

SHA1
85d7d93c66f7f016b506120e7b5926ffda63b19f

SHA256
496c2463e42319b77f2981e69f606e96ee02090b60c254c5320f93dfd1367023

SHA512
0017d70098b97e5b8d2dcc7aae644ed7dd5faf842c5d854268ddcec7e930b8224390f11bd400753e72c046ffa52c109cbedeebb065f434a286c5e4af75163903

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
e4abbadff6fcda7211b05f2e9dcd528a

SHA1
c71676f029797babf72ac01e60cb26eae33eef73

SHA256
04d77570c316685b8eb9688685cf9c4d1e620e326ea889dae20ac0fad01aa007

SHA512
0eabdbcf94d967288c9666870822c2d4bafb1325e04f498c36913da3880349108cccfa2b9926fbc3346be5c028e037230862b586295df997944c6d937331026c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3360.exe
MD5
bda013087a8132ffc38bf59af9362f50

SHA1
5217d721e45a3bb2a7606ce81fcf17d33aa806a6

SHA256
20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585

SHA512
a6557e218b99b8576d9601d99d1c3844eef14f624b488e90ae5bbf5491f596af758c70590df4c8dc2a54abe8073001efc54235c39309d65c12bed152ff5b629e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3360.exe
MD5
bda013087a8132ffc38bf59af9362f50

SHA1
5217d721e45a3bb2a7606ce81fcf17d33aa806a6

SHA256
20bce27320334129950e98b7e60d3b55ba86e94174ff8316fc48fe03b8c43585

SHA512
a6557e218b99b8576d9601d99d1c3844eef14f624b488e90ae5bbf5491f596af758c70590df4c8dc2a54abe8073001efc54235c39309d65c12bed152ff5b629e

Download Submit
memory/1044-134-0x0000000003270000-0x00000000032E5000-memory.dmp

Filesize
468KB

Download
memory/1044-135-0x0000000003200000-0x000000000326B000-memory.dmp

Filesize
428KB

Download
memory/1900-138-0x00000000025C0000-0x00000000025CB000-memory.dmp

Filesize
44KB

Download
memory/1900-137-0x00000000025D0000-0x00000000025D7000-memory.dmp

Filesize
28KB

Download
memory/1996-136-0x0000000001230000-0x000000000123C000-memory.dmp

Filesize
48KB

Download
memory/2472-146-0x00000000025C0000-0x00000000025CB000-memory.dmp

Filesize
44KB

Download
memory/2472-145-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/2612-127-0x0000000002FD0000-0x0000000002FDF000-memory.dmp

Filesize
60KB

Download
memory/2612-124-0x0000000002E30000-0x0000000002E46000-memory.dmp

Filesize
88KB

Download
memory/2612-118-0x0000000000D20000-0x0000000000D36000-memory.dmp

Filesize
88KB

Download
memory/3252-143-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/3252-144-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/3380-117-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3380-116-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/3380-115-0x00000000006D0000-0x00000000006F3000-memory.dmp

Filesize
140KB

Download
memory/3648-142-0x0000000002EA0000-0x0000000002EA9000-memory.dmp

Filesize
36KB

Download
memory/3648-141-0x0000000002EB0000-0x0000000002EB5000-memory.dmp

Filesize
20KB

Download
memory/3712-140-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/3712-139-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

Filesize
36KB

Download
memory/4396-123-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4396-122-0x0000000000450000-0x00000000004FE000-memory.dmp

Filesize
696KB

Download
memory/4964-147-0x0000000000500000-0x0000000000507000-memory.dmp

Filesize
28KB

Download
memory/4964-148-0x00000000004F0000-0x00000000004FD000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads