smokeloader | 711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124

General

Target

711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
Size

188KB
MD5

5e9f68bb219f2c8b129eaa9bf3af7f20
SHA1

7c1fd27ade6793e787e42c1b5dba78c002948b05
SHA256

711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124
SHA512

09305a5c392e7782c9787b95aa40ade538232cabf5dfde27fd4fd7c758aa3446727570cbd617f042c69ffecf6e8be39772b61cbc111e68765e55c32a6474c240

Score

10^/10

smokeloader backdoor evasion persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Drops file in Windows directory 1 IoCs

Processes:

TiWorker.exe

description ioc process

File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2984 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

1188 ipconfig.exe
3328 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1584 systeminfo.exe

pid	process
2984	tasklist.exe

pid	process
1188	ipconfig.exe
3328	NETSTAT.EXE

pid	process
1584	systeminfo.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe

pid	process
3948	711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
3948	711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384
2384

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2384
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe

pid process

3948 711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe

pid	process
2384

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemProfilePrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeProfSingleProcessPrivilege	2964	WMIC.exe
Token: SeIncBasePriorityPrivilege	2964	WMIC.exe
Token: SeCreatePagefilePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeDebugPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeRemoteShutdownPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: 33	2964	WMIC.exe
Token: 34	2964	WMIC.exe
Token: 35	2964	WMIC.exe
Token: 36	2964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemProfilePrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeProfSingleProcessPrivilege	2964	WMIC.exe
Token: SeIncBasePriorityPrivilege	2964	WMIC.exe
Token: SeCreatePagefilePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeDebugPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeRemoteShutdownPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: 33	2964	WMIC.exe
Token: 34	2964	WMIC.exe
Token: 35	2964	WMIC.exe
Token: 36	2964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4004	WMIC.exe
Token: SeSecurityPrivilege	4004	WMIC.exe
Token: SeTakeOwnershipPrivilege	4004	WMIC.exe
Token: SeLoadDriverPrivilege	4004	WMIC.exe
Token: SeSystemProfilePrivilege	4004	WMIC.exe
Token: SeSystemtimePrivilege	4004	WMIC.exe
Token: SeProfSingleProcessPrivilege	4004	WMIC.exe
Token: SeIncBasePriorityPrivilege	4004	WMIC.exe
Token: SeCreatePagefilePrivilege	4004	WMIC.exe
Token: SeBackupPrivilege	4004	WMIC.exe
Token: SeRestorePrivilege	4004	WMIC.exe
Token: SeShutdownPrivilege	4004	WMIC.exe
Token: SeDebugPrivilege	4004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4004	WMIC.exe
Token: SeRemoteShutdownPrivilege	4004	WMIC.exe
Token: SeUndockPrivilege	4004	WMIC.exe
Token: SeManageVolumePrivilege	4004	WMIC.exe
Token: 33	4004	WMIC.exe
Token: 34	4004	WMIC.exe
Token: 35	4004	WMIC.exe
Token: 36	4004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4004	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2384 wrote to memory of 976	2384		cmd.exe
PID 2384 wrote to memory of 976	2384		cmd.exe
PID 976 wrote to memory of 2964	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 2964	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 4004	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 4004	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3756	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3756	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3104	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3104	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 2456	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 2456	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 1220	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 1220	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 1124	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 1124	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 1716	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 1716	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3312	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3312	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3872	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3872	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3268	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3268	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 584	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 584	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3792	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 3792	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 2244	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 2244	976	cmd.exe	WMIC.exe
PID 976 wrote to memory of 1188	976	cmd.exe	ipconfig.exe
PID 976 wrote to memory of 1188	976	cmd.exe	ipconfig.exe
PID 976 wrote to memory of 3548	976	cmd.exe	ROUTE.EXE
PID 976 wrote to memory of 3548	976	cmd.exe	ROUTE.EXE
PID 976 wrote to memory of 3224	976	cmd.exe	netsh.exe
PID 976 wrote to memory of 3224	976	cmd.exe	netsh.exe
PID 976 wrote to memory of 1584	976	cmd.exe	systeminfo.exe
PID 976 wrote to memory of 1584	976	cmd.exe	systeminfo.exe
PID 976 wrote to memory of 2984	976	cmd.exe	tasklist.exe
PID 976 wrote to memory of 2984	976	cmd.exe	tasklist.exe
PID 976 wrote to memory of 920	976	cmd.exe	net.exe
PID 976 wrote to memory of 920	976	cmd.exe	net.exe
PID 920 wrote to memory of 3188	920	net.exe	net1.exe
PID 920 wrote to memory of 3188	920	net.exe	net1.exe
PID 976 wrote to memory of 3972	976	cmd.exe	net.exe
PID 976 wrote to memory of 3972	976	cmd.exe	net.exe
PID 3972 wrote to memory of 3804	3972	net.exe	net1.exe
PID 3972 wrote to memory of 3804	3972	net.exe	net1.exe
PID 976 wrote to memory of 2864	976	cmd.exe	net.exe
PID 976 wrote to memory of 2864	976	cmd.exe	net.exe
PID 2864 wrote to memory of 832	2864	net.exe	net1.exe
PID 2864 wrote to memory of 832	2864	net.exe	net1.exe
PID 976 wrote to memory of 3464	976	cmd.exe	net.exe
PID 976 wrote to memory of 3464	976	cmd.exe	net.exe
PID 3464 wrote to memory of 2784	3464	net.exe	net1.exe
PID 3464 wrote to memory of 2784	3464	net.exe	net1.exe
PID 976 wrote to memory of 1848	976	cmd.exe	net.exe
PID 976 wrote to memory of 1848	976	cmd.exe	net.exe
PID 976 wrote to memory of 3212	976	cmd.exe	net.exe
PID 976 wrote to memory of 3212	976	cmd.exe	net.exe
PID 3212 wrote to memory of 3332	3212	net.exe	net1.exe
PID 3212 wrote to memory of 3332	3212	net.exe	net1.exe
PID 976 wrote to memory of 3236	976	cmd.exe	net.exe
PID 976 wrote to memory of 3236	976	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe
"C:\Users\Admin\AppData\Local\Temp\711b1ffba35470c7341ee76ea2308d1aea7722573f827a909ff6950054571124.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3948

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 8eb3dc7ab0a98909d994ebf09c18891e siIubRRiTk+y8IxrmhWjIw.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:3340

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:3756

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:3104

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:2456

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:1220

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:1124

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:1716

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:3312

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:3872

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:3268

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:584

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:3792

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:2244

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:1188

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3548

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:3224

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:1584

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:2984

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:3188

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:3804

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:832

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:2784

C:\Windows\system32\net.exe
net use
2⤵
PID:1848

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:3332

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:3236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:888

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:1332

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:1868

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2384-133-0x00000000027D0000-0x00000000027E6000-memory.dmp

Filesize
88KB

Download
memory/2384-134-0x0000000002DC0000-0x0000000002DCF000-memory.dmp

Filesize
60KB

Download
memory/3948-130-0x0000000000600000-0x0000000000628000-memory.dmp

Filesize
160KB

Download
memory/3948-131-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3948-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads