Analysis
max time kernel: 152s
max time network: 146s
platform: windows10_x64
resource: win10-en-20211208
submitted: 27-01-2022 15:45

Static task: static1
Behavioral task: behavioral1
  Sample: 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  Resource: win10-en-20211208

General
Target: 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
Size: 289KB
MD5: e18d00380ca446a2e8e9b6ba9f4bc10c
SHA1: c012d7c5a8374805c31cf3dd3bfe52af562e704c
SHA256: 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b
SHA512: ae9738815e1d6673a4a6de2d97309a4c46235cfc038789e82d1a228353e6ddbcaeadd4523b7fbd4a732d19efed8d4235d87166640b3ef94a117801577bce1fee
Malware Config
Extracted: smokeloader
  Version: 2020
  C2:
    http://nahbleiben.at/upload/
    http://noblecreativeaz.com/upload/
    http://tvqaq.cn/upload/
    http://recmaster.ru/upload/
    http://sovels.ru/upload/
    https://oakland-studio.video/search.php
    https://seattle-university.video/search.php
Extracted: redline
  C2: 45.32.171.34:42954
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2192-130-0x0000000002210000-0x000000000224E000-memory.dmp | family_redline
  behavioral2/memory/2192-135-0x0000000002400000-0x000000000243A000-memory.dmp | family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid | process
  4000 | A8FE.exe
  2192 | BC19.exe
- Modifies Windows Firewall (1 TTPs)
- Deletes itself (1 IoCs)
  pid | process
  2648 | (process name not recorded)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (1 IoCs)
  pid | pid_target | process | target process
  1700 | 3796 | WerFault.exe | DllHost.exe
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | A8FE.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | A8FE.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | A8FE.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- Gathers network information (2 TTPs, 4 IoCs)
  Uses commandline utility to view network configuration.
  pid | process
  1480 | NETSTAT.EXE
  1764 | ipconfig.exe
  1736 | ipconfig.exe
  1740 | NETSTAT.EXE
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
- Modifies Internet Explorer settings (heading restored from the process tree, where iexplore.exe and IEXPLORE.EXE carry this signature)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\Main | (process name not recorded)
  Set value (int) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | (process name not recorded)
  Set value (int) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6C199876-5B13-11EC-876A-766FED0E297F} = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  736 | 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  736 | 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  2648 | (process name not recorded), repeated for the remaining 62 entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  2648 | (process name not recorded)
- Suspicious behavior: MapViewOfSection (48 IoCs)
  pid | process | times recorded (in listed order)
  736 | 36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe | 1
  4000 | A8FE.exe | 1
  2648 | (process name not recorded) | 6
  2592 | explorer.exe | 2
  2648 | (process name not recorded) | 2
  1536 | explorer.exe | 2
  2648 | (process name not recorded) | 2
  2848 | explorer.exe | 2
  2648 | (process name not recorded) | 2
  1616 | explorer.exe | 2
  2648 | (process name not recorded) | 2
  2804 | explorer.exe | 2
  2648 | (process name not recorded) | 2
  960 | explorer.exe | 20
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2192 | BC19.exe
  The following token sequence is recorded twice for pid 3100 WMIC.exe and once for pid 1068 WMIC.exe (63 entries in total):
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | process
  3656 | iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | process
  3656 | iexplore.exe
  3656 | iexplore.exe
  3808 | IEXPLORE.EXE
  3808 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process | times recorded
  PID 2648 wrote to memory of 4000 | 2648 | (process name not recorded) | A8FE.exe | 3
  PID 2648 wrote to memory of 2192 | 2648 | (process name not recorded) | BC19.exe | 3
  PID 2648 wrote to memory of 2840 | 2648 | (process name not recorded) | cmd.exe | 2
  PID 2840 wrote to memory of 3100 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 1068 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 1156 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 1376 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 1684 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 2128 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 3644 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 3660 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 3204 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 2220 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 3904 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 2312 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 2644 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 4008 | 2840 | cmd.exe | WMIC.exe | 2
  PID 2840 wrote to memory of 1736 | 2840 | cmd.exe | ipconfig.exe | 2
  PID 2840 wrote to memory of 3064 | 2840 | cmd.exe | ROUTE.EXE | 2
  PID 2840 wrote to memory of 3336 | 2840 | cmd.exe | netsh.exe | 2
  PID 2840 wrote to memory of 1172 | 2840 | cmd.exe | systeminfo.exe | 2
  PID 2840 wrote to memory of 1936 | 2840 | cmd.exe | tasklist.exe | 2
  PID 2840 wrote to memory of 2940 | 2840 | cmd.exe | net.exe | 2
  PID 2940 wrote to memory of 2236 | 2940 | net.exe | net1.exe | 2
  PID 2840 wrote to memory of 2736 | 2840 | cmd.exe | net.exe | 2
  PID 2736 wrote to memory of 3544 | 2736 | net.exe | net1.exe | 2
  PID 2840 wrote to memory of 1068 | 2840 | cmd.exe | net.exe | 2
  PID 1068 wrote to memory of 1412 | 1068 | net.exe | net1.exe | 2
  PID 2840 wrote to memory of 1376 | 2840 | cmd.exe | net.exe | 2
  PID 1376 wrote to memory of 1064 | 1376 | net.exe | net1.exe | 2
  PID 2840 wrote to memory of 2956 | 2840 | cmd.exe | net.exe | 2
- outlook_office_path (1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
- outlook_win_path (1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes (indentation shows parent/child depth; each entry lists the image path, its command line, and the signatures raised)
- c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- c:\windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- c:\windows\system32\sihost.exe
  cmdline: sihost.exe
- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -u -p 3796 -s 916
    signatures: Program crash
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Users\Admin\AppData\Local\Temp\36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\36df1b8107d34e30f7cb609bd06f1008d7f92c24a7475d9428e15373aa6d9a8b.bin.exe"
  signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\A8FE.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\A8FE.exe
  signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\BC19.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\BC19.exe
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\cmd.exe
  cmdline: cmd
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
    signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
    signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  - C:\Windows\system32\ipconfig.exe
    cmdline: ipconfig /displaydns
    signatures: Gathers network information
  - C:\Windows\system32\ROUTE.EXE
    cmdline: route print
  - C:\Windows\system32\netsh.exe
    cmdline: netsh firewall show state
  - C:\Windows\system32\systeminfo.exe
    cmdline: systeminfo
    signatures: Gathers system information
  - C:\Windows\system32\tasklist.exe
    cmdline: tasklist /v
    signatures: Enumerates processes with tasklist
  - C:\Windows\system32\net.exe
    cmdline: net accounts /domain
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 accounts /domain
  - C:\Windows\system32\net.exe
    cmdline: net share
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 share
  - C:\Windows\system32\net.exe
    cmdline: net user
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user
  - C:\Windows\system32\net.exe
    cmdline: net user /domain
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user /domain
  - C:\Windows\system32\net.exe
    cmdline: net use
  - C:\Windows\system32\net.exe
    cmdline: net group
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 group
  - C:\Windows\system32\net.exe
    cmdline: net localgroup
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 localgroup
  - C:\Windows\system32\NETSTAT.EXE
    cmdline: netstat -r
    signatures: Gathers network information
    - C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      - C:\Windows\system32\ROUTE.EXE
        cmdline: C:\Windows\system32\route.exe print
  - C:\Windows\system32\NETSTAT.EXE
    cmdline: netstat -nao
    signatures: Gathers network information
  - C:\Windows\system32\schtasks.exe
    cmdline: schtasks /query
  - C:\Windows\system32\ipconfig.exe
    cmdline: ipconfig /all
    signatures: Gathers network information
- C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
- C:\Program Files\Internet Explorer\iexplore.exe
  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3656 CREDAT:82945 /prefetch:2
    signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  signatures: Accesses Microsoft Outlook profiles; outlook_office_path; outlook_win_path
- C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  signatures: Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  signatures: Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\A8FE.exe
  MD5: c1d7d3c37cb954a86b42287ca35986ec
  SHA1: 7b5ba6597b26fe3b0136e5cd0fbe8dc1060f96d0
  SHA256: f7c09d9f4183a4e024b1a943b13d599540df81bffa5175223d10f5f344f5f6bc
  SHA512: b22a8e4f5b9b66660fa7fe42fcd06283c52b00384684b349959cf6580bd57895ddb57439e7527577d5635800da7e4c8ea3e84a3e2058aba6aef25f6b77e6e142
- C:\Users\Admin\AppData\Local\Temp\BC19.exe
  MD5: a7e31a1a4ef916d45f6cea16f383605a
  SHA1: 21f3adb10382136b80e020d91979c57bbdc06595
  SHA256: 78036f7fbb657ea16be0810cd7522f790d72dde3cd060f106d48d947addd5ffd
  SHA512: 34d6781d76a058bfb44a451d48d3bd4cf1ba1f72c1d5218ec4a8963e289940242ce080513d171ab4fe9497c4071100a0f8489cee611677b676c12b3585a96b37
Memory dumps (resource | Filesize)
- memory/736-116-0x0000000002CB0000-0x0000000002DFA000-memory.dmp | 1.3MB
- memory/736-117-0x0000000000400000-0x0000000002B7E000-memory.dmp | 39.5MB
- memory/736-115-0x0000000002CB0000-0x0000000002DFA000-memory.dmp | 1.3MB
- memory/960-172-0x00000000005E0000-0x00000000005ED000-memory.dmp | 52KB
- memory/960-171-0x00000000005F0000-0x00000000005F7000-memory.dmp | 28KB
- memory/1512-158-0x00000000007C0000-0x00000000007CC000-memory.dmp | 48KB
- memory/1536-164-0x0000000000E20000-0x0000000000E2E000-memory.dmp | 56KB
- memory/1536-163-0x0000000000E30000-0x0000000000E39000-memory.dmp | 36KB
- memory/1616-168-0x0000000000DC0000-0x0000000000DCC000-memory.dmp | 48KB
- memory/1616-167-0x0000000000DD0000-0x0000000000DD6000-memory.dmp | 24KB
- memory/1700-177-0x00000264DE470000-0x00000264DE471000-memory.dmp | 4KB
- memory/2192-130-0x0000000002210000-0x000000000224E000-memory.dmp | 248KB
- memory/2192-127-0x0000000001F80000-0x0000000001FC5000-memory.dmp | 276KB
- memory/2192-133-0x0000000004CF3000-0x0000000004CF4000-memory.dmp | 4KB
- memory/2192-134-0x0000000004D00000-0x00000000051FE000-memory.dmp | 5.0MB
- memory/2192-135-0x0000000002400000-0x000000000243A000-memory.dmp | 232KB
- memory/2192-136-0x0000000005200000-0x0000000005806000-memory.dmp | 6.0MB
- memory/2192-137-0x0000000004C10000-0x0000000004C22000-memory.dmp | 72KB
- memory/2192-138-0x0000000005810000-0x000000000591A000-memory.dmp | 1.0MB
- memory/2192-139-0x0000000004CF4000-0x0000000004CF6000-memory.dmp | 8KB
- memory/2192-140-0x0000000004C60000-0x0000000004C9E000-memory.dmp | 248KB
- memory/2192-132-0x0000000004CF2000-0x0000000004CF3000-memory.dmp | 4KB
- memory/2192-144-0x0000000005A20000-0x0000000005A6B000-memory.dmp | 300KB
- memory/2192-147-0x0000000005E10000-0x0000000005E76000-memory.dmp | 408KB
- memory/2192-148-0x0000000006230000-0x00000000062A6000-memory.dmp | 472KB
- memory/2192-149-0x00000000062F0000-0x0000000006382000-memory.dmp | 584KB
- memory/2192-150-0x0000000006510000-0x000000000652E000-memory.dmp | 120KB
- memory/2192-151-0x0000000006620000-0x00000000067E2000-memory.dmp | 1.8MB
- memory/2192-152-0x00000000067F0000-0x0000000006D1C000-memory.dmp | 5.2MB
- memory/2192-153-0x0000000007890000-0x00000000078E0000-memory.dmp | 320KB
- memory/2192-131-0x0000000004CF0000-0x0000000004CF1000-memory.dmp | 4KB
- memory/2192-129-0x0000000000400000-0x000000000045F000-memory.dmp | 380KB
- memory/2592-162-0x00000000001E0000-0x00000000001EB000-memory.dmp | 44KB
- memory/2592-161-0x00000000001F0000-0x00000000001F7000-memory.dmp | 28KB
- memory/2648-118-0x0000000000B40000-0x0000000000B56000-memory.dmp | 88KB
- memory/2648-128-0x0000000002460000-0x0000000002476000-memory.dmp | 88KB
- memory/2648-143-0x0000000002A20000-0x0000000002A2F000-memory.dmp | 60KB
- memory/2772-173-0x000002817CBD0000-0x000002817CBD1000-memory.dmp | 4KB
- memory/2804-169-0x0000000000450000-0x0000000000456000-memory.dmp | 24KB
- memory/2804-170-0x0000000000440000-0x000000000044B000-memory.dmp | 44KB
- memory/2816-174-0x000001BC70AF0000-0x000001BC70AF1000-memory.dmp | 4KB
- memory/2848-166-0x00000000008D0000-0x00000000008D9000-memory.dmp | 36KB
- memory/2848-165-0x00000000008E0000-0x00000000008E5000-memory.dmp | 20KB
- memory/2924-178-0x0000024858ED0000-0x0000024858ED1000-memory.dmp | 4KB
- memory/2924-175-0x0000024858B90000-0x0000024858B91000-memory.dmp | 4KB
- memory/3220-160-0x0000000003100000-0x000000000316B000-memory.dmp | 428KB
- memory/3220-159-0x0000000003170000-0x00000000031E5000-memory.dmp | 468KB
- memory/3528-176-0x0000020042D30000-0x0000020042D31000-memory.dmp | 4KB
- memory/4000-123-0x0000000000400000-0x0000000000436000-memory.dmp | 216KB
- memory/4000-121-0x0000000000700000-0x0000000000723000-memory.dmp | 140KB
- memory/4000-122-0x0000000000680000-0x0000000000689000-memory.dmp | 36KB