icedid | 81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142

General

Target

81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
Size

292KB
MD5

f556e6b16e85811de359115fa95f9fce
SHA1

a055f68ab7b2d53e81aa77e3a3820319c6b25376
SHA256

81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142
SHA512

0e1b267c956e788ed9852f09da1b594143c7076a8b59642b88020ea68bddd2055951b97e001251ffed4225b4923dd78ba61f29d47875119c96b336ce7d5d6899

Score

10^/10

icedid smokeloader 2715004312 backdoor banker evasion loader suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Extracted

Family

icedid

Campaign

2715004312

C2

badgoodreason.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4020 created 3936 4020 WerFault.exe explorer.exe
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata

description	pid	process	target process
PID 4020 created 3936	4020	WerFault.exe	explorer.exe

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/3448-143-0x000002ADC8B00000-0x000002ADC8B0B000-memory.dmp	IcedidFirstLoader

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

F47F.exe10D2.exe

pid process

3008 F47F.exe
3448 10D2.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3028 3936 WerFault.exe explorer.exe

pid	process
3008	F47F.exe
3448	10D2.exe

pid	pid_target	process	target process
3028	3936	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

F47F.exe81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F47F.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F47F.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F47F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2084 tasklist.exe

pid	process
2084	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

3828 ipconfig.exe
2732 NETSTAT.EXE
4500 NETSTAT.EXE
1076 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3504 systeminfo.exe

pid	process
3828	ipconfig.exe
2732	NETSTAT.EXE
4500	NETSTAT.EXE
1076	ipconfig.exe

pid	process
3504	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C1EA0B7B-94F4-11EC-B9A4-724718AA7C81} = "0"	iexplore.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe

pid	process
2720	81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
2720	81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032

pid	process
3032

Suspicious behavior: MapViewOfSection 38 IoCs

Processes:

81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exeF47F.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2720	81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
3008	F47F.exe
3032
3032
3032
3032
3032
3032
544	explorer.exe
544	explorer.exe
3032
3032
1300	explorer.exe
1300	explorer.exe
3032
3032
3468	explorer.exe
3468	explorer.exe
3032
3032
3424	explorer.exe
3424	explorer.exe
3032
3032
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3488	explorer.exe
3032
3032
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe
3904	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4044	WMIC.exe
Token: SeSecurityPrivilege	4044	WMIC.exe
Token: SeTakeOwnershipPrivilege	4044	WMIC.exe
Token: SeLoadDriverPrivilege	4044	WMIC.exe
Token: SeSystemProfilePrivilege	4044	WMIC.exe
Token: SeSystemtimePrivilege	4044	WMIC.exe
Token: SeProfSingleProcessPrivilege	4044	WMIC.exe
Token: SeIncBasePriorityPrivilege	4044	WMIC.exe
Token: SeCreatePagefilePrivilege	4044	WMIC.exe
Token: SeBackupPrivilege	4044	WMIC.exe
Token: SeRestorePrivilege	4044	WMIC.exe
Token: SeShutdownPrivilege	4044	WMIC.exe
Token: SeDebugPrivilege	4044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4044	WMIC.exe
Token: SeRemoteShutdownPrivilege	4044	WMIC.exe
Token: SeUndockPrivilege	4044	WMIC.exe
Token: SeManageVolumePrivilege	4044	WMIC.exe
Token: 33	4044	WMIC.exe
Token: 34	4044	WMIC.exe
Token: 35	4044	WMIC.exe
Token: 36	4044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4044	WMIC.exe
Token: SeSecurityPrivilege	4044	WMIC.exe
Token: SeTakeOwnershipPrivilege	4044	WMIC.exe
Token: SeLoadDriverPrivilege	4044	WMIC.exe
Token: SeSystemProfilePrivilege	4044	WMIC.exe
Token: SeSystemtimePrivilege	4044	WMIC.exe
Token: SeProfSingleProcessPrivilege	4044	WMIC.exe
Token: SeIncBasePriorityPrivilege	4044	WMIC.exe
Token: SeCreatePagefilePrivilege	4044	WMIC.exe
Token: SeBackupPrivilege	4044	WMIC.exe
Token: SeRestorePrivilege	4044	WMIC.exe
Token: SeShutdownPrivilege	4044	WMIC.exe
Token: SeDebugPrivilege	4044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4044	WMIC.exe
Token: SeRemoteShutdownPrivilege	4044	WMIC.exe
Token: SeUndockPrivilege	4044	WMIC.exe
Token: SeManageVolumePrivilege	4044	WMIC.exe
Token: 33	4044	WMIC.exe
Token: 34	4044	WMIC.exe
Token: 35	4044	WMIC.exe
Token: 36	4044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4160	WMIC.exe
Token: SeSecurityPrivilege	4160	WMIC.exe
Token: SeTakeOwnershipPrivilege	4160	WMIC.exe
Token: SeLoadDriverPrivilege	4160	WMIC.exe
Token: SeSystemProfilePrivilege	4160	WMIC.exe
Token: SeSystemtimePrivilege	4160	WMIC.exe
Token: SeProfSingleProcessPrivilege	4160	WMIC.exe
Token: SeIncBasePriorityPrivilege	4160	WMIC.exe
Token: SeCreatePagefilePrivilege	4160	WMIC.exe
Token: SeBackupPrivilege	4160	WMIC.exe
Token: SeRestorePrivilege	4160	WMIC.exe
Token: SeShutdownPrivilege	4160	WMIC.exe
Token: SeDebugPrivilege	4160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4160	WMIC.exe
Token: SeRemoteShutdownPrivilege	4160	WMIC.exe
Token: SeUndockPrivilege	4160	WMIC.exe
Token: SeManageVolumePrivilege	4160	WMIC.exe
Token: 33	4160	WMIC.exe
Token: 34	4160	WMIC.exe
Token: 35	4160	WMIC.exe
Token: 36	4160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4160	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1184 iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

10D2.exeiexplore.exeIEXPLORE.EXE

pid process

3448 10D2.exe
1184 iexplore.exe
1184 iexplore.exe
1668 IEXPLORE.EXE
1668 IEXPLORE.EXE

pid	process
1184	iexplore.exe

pid	process
3448	10D2.exe
1184	iexplore.exe
1184	iexplore.exe
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3032 wrote to memory of 3008	3032		F47F.exe
PID 3032 wrote to memory of 3008	3032		F47F.exe
PID 3032 wrote to memory of 3008	3032		F47F.exe
PID 3032 wrote to memory of 3448	3032		10D2.exe
PID 3032 wrote to memory of 3448	3032		10D2.exe
PID 3032 wrote to memory of 2396	3032		cmd.exe
PID 3032 wrote to memory of 2396	3032		cmd.exe
PID 2396 wrote to memory of 4044	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 4044	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 4160	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 4160	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 2036	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 2036	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 2352	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 2352	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 3252	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 3252	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 4668	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 4668	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 3324	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 3324	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 3424	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 3424	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 4456	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 4456	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 1160	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 1160	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 4440	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 4440	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 4524	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 4524	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 2344	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 2344	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 3524	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 3524	2396	cmd.exe	WMIC.exe
PID 2396 wrote to memory of 3828	2396	cmd.exe	ipconfig.exe
PID 2396 wrote to memory of 3828	2396	cmd.exe	ipconfig.exe
PID 2396 wrote to memory of 3292	2396	cmd.exe	ROUTE.EXE
PID 2396 wrote to memory of 3292	2396	cmd.exe	ROUTE.EXE
PID 2396 wrote to memory of 4464	2396	cmd.exe	netsh.exe
PID 2396 wrote to memory of 4464	2396	cmd.exe	netsh.exe
PID 2396 wrote to memory of 3504	2396	cmd.exe	systeminfo.exe
PID 2396 wrote to memory of 3504	2396	cmd.exe	systeminfo.exe
PID 2396 wrote to memory of 2084	2396	cmd.exe	tasklist.exe
PID 2396 wrote to memory of 2084	2396	cmd.exe	tasklist.exe
PID 2396 wrote to memory of 1072	2396	cmd.exe	net.exe
PID 2396 wrote to memory of 1072	2396	cmd.exe	net.exe
PID 1072 wrote to memory of 1112	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1112	1072	net.exe	net1.exe
PID 2396 wrote to memory of 1664	2396	cmd.exe	net.exe
PID 2396 wrote to memory of 1664	2396	cmd.exe	net.exe
PID 1664 wrote to memory of 1380	1664	net.exe	net1.exe
PID 1664 wrote to memory of 1380	1664	net.exe	net1.exe
PID 2396 wrote to memory of 1776	2396	cmd.exe	net.exe
PID 2396 wrote to memory of 1776	2396	cmd.exe	net.exe
PID 1776 wrote to memory of 3256	1776	net.exe	net1.exe
PID 1776 wrote to memory of 3256	1776	net.exe	net1.exe
PID 2396 wrote to memory of 920	2396	cmd.exe	net.exe
PID 2396 wrote to memory of 920	2396	cmd.exe	net.exe
PID 920 wrote to memory of 3872	920	net.exe	net1.exe
PID 920 wrote to memory of 3872	920	net.exe	net1.exe
PID 2396 wrote to memory of 4532	2396	cmd.exe	net.exe
PID 2396 wrote to memory of 4532	2396	cmd.exe	net.exe
PID 2396 wrote to memory of 3576	2396	cmd.exe	net.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2660

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2288

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
"C:\Users\Admin\AppData\Local\Temp\81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2720

C:\Users\Admin\AppData\Local\Temp\F47F.exe
C:\Users\Admin\AppData\Local\Temp\F47F.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3008

C:\Users\Admin\AppData\Local\Temp\10D2.exe
C:\Users\Admin\AppData\Local\Temp\10D2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:2036

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:2352

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:3252

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:4668

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3324

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:3424

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:4456

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:1160

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:4440

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:4524

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:2344

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3524

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:3828

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3292

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:4464

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:3504

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:2084

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:1112

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:1380

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:3256

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:3872

C:\Windows\system32\net.exe
net use
2⤵
PID:4532

C:\Windows\system32\net.exe
net group
2⤵
PID:3576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:4908

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:2016

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:2760

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:1360

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:4500

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:1408

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:1076

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4376

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:4764

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 872
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3936 -ip 3936
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4020

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:228

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:544

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3468

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3424

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3488

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10D2.exe

MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
C:\Users\Admin\AppData\Local\Temp\10D2.exe

MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
C:\Users\Admin\AppData\Local\Temp\F47F.exe

MD5
600e51e9521a447f34ea0a85d618ac4e

SHA1
d175a1d4d5c6c2e35678f22e26fbfec060a16eba

SHA256
b1bb0782a6e063ed1973914bb35f6c23153a8d6e4f6c3ea57f7e5a54f047f04d

SHA512
abf7753daaf7e31677a3718c17e70bcad0dc3b77bf0cfe2307925153f5e1b11969fd55858f083ea1bafef497cf8838e61c1fa4b7aeb0cb29f778d38647e3cf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\F47F.exe

MD5
600e51e9521a447f34ea0a85d618ac4e

SHA1
d175a1d4d5c6c2e35678f22e26fbfec060a16eba

SHA256
b1bb0782a6e063ed1973914bb35f6c23153a8d6e4f6c3ea57f7e5a54f047f04d

SHA512
abf7753daaf7e31677a3718c17e70bcad0dc3b77bf0cfe2307925153f5e1b11969fd55858f083ea1bafef497cf8838e61c1fa4b7aeb0cb29f778d38647e3cf00

Download Submit
memory/228-150-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/544-152-0x0000000000E70000-0x0000000000E7B000-memory.dmp

Filesize
44KB

Download
memory/544-151-0x0000000000E80000-0x0000000000E87000-memory.dmp

Filesize
28KB

Download
memory/1244-161-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1244-162-0x00000000031B0000-0x00000000031BB000-memory.dmp

Filesize
44KB

Download
memory/1300-154-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/1300-153-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/2268-166-0x0000021F45E70000-0x0000021F45E7D000-memory.dmp

Filesize
52KB

Download
memory/2268-165-0x0000021F45E80000-0x0000021F45E81000-memory.dmp

Filesize
4KB

Download
memory/2288-167-0x000002163C1F0000-0x000002163C1FD000-memory.dmp

Filesize
52KB

Download
memory/2412-168-0x00000202E6770000-0x00000202E677D000-memory.dmp

Filesize
52KB

Download
memory/2660-169-0x0000013118B00000-0x0000013118B0D000-memory.dmp

Filesize
52KB

Download
memory/2720-130-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/2720-132-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2720-131-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/3008-139-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3008-138-0x0000000002B90000-0x0000000002B99000-memory.dmp

Filesize
36KB

Download
memory/3008-137-0x0000000002BF9000-0x0000000002C0A000-memory.dmp

Filesize
68KB

Download
memory/3008-136-0x0000000002BF9000-0x0000000002C0A000-memory.dmp

Filesize
68KB

Download
memory/3032-140-0x0000000008520000-0x0000000008536000-memory.dmp

Filesize
88KB

Download
memory/3032-133-0x0000000000F90000-0x0000000000FA6000-memory.dmp

Filesize
88KB

Download
memory/3032-144-0x0000000008510000-0x000000000851F000-memory.dmp

Filesize
60KB

Download
memory/3424-157-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/3424-158-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/3448-143-0x000002ADC8B00000-0x000002ADC8B0B000-memory.dmp

Filesize
44KB

Download
memory/3468-155-0x00000000004E0000-0x00000000004E5000-memory.dmp

Filesize
20KB

Download
memory/3468-156-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/3488-160-0x0000000000810000-0x000000000081B000-memory.dmp

Filesize
44KB

Download
memory/3488-159-0x0000000000820000-0x0000000000826000-memory.dmp

Filesize
24KB

Download
memory/3904-163-0x0000000000D70000-0x0000000000D77000-memory.dmp

Filesize
28KB

Download
memory/3904-164-0x0000000000D60000-0x0000000000D6D000-memory.dmp

Filesize
52KB

Download
memory/3936-149-0x0000000000350000-0x00000000003BB000-memory.dmp

Filesize
428KB

Download
memory/3936-148-0x0000000000600000-0x0000000000675000-memory.dmp

Filesize
468KB

Download
memory/4764-147-0x0000021103560000-0x0000021103564000-memory.dmp

Filesize
16KB

Download
memory/4764-145-0x0000021100F60000-0x0000021100F70000-memory.dmp

Filesize
64KB

Download
memory/4764-146-0x0000021101180000-0x0000021101190000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads