smokeloader | 8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875

Analysis

max time kernel
152s
max time network
147s
platform
windows10_x64
resource
win10-20220414-en
submitted
21-05-2022 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exe
Size

304KB
MD5

3389771eff608690e050c776301d665e
SHA1

01576a97bad2bcac37d82b7841a3b605d696ac1e
SHA256

8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875
SHA512

b6714d49081f0acf659d4ee1648f38b4cab8c0efd4ce9bed459533ad29078bc07f1999daa8731a2bd87182871fe1b31fa2230290b8d083b729fad70522c0ef27

Score

10^/10

smokeloader backdoor collection evasion suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

https://ny-city-mall.com/search.php

https://fresh-cars.net/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

2488

pid	process
2488

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

192 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exeNETSTAT.EXENETSTAT.EXE

pid process

504 ipconfig.exe
3376 ipconfig.exe
3868 NETSTAT.EXE
1444 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4068 systeminfo.exe

pid	process
192	tasklist.exe

pid	process
504	ipconfig.exe
3376	ipconfig.exe
3868	NETSTAT.EXE
1444	NETSTAT.EXE

pid	process
4068	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3926483543"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{14B3CF21-D8CC-11EC-B804-6A7F83E02785} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960856"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960856"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3926483543"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30960856"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3998358889"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exe

pid	process
2264	8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exe
2264	8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exe
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488
2488

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2488

pid	process
2488

Suspicious behavior: MapViewOfSection 43 IoCs

Processes:

8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2264	8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exe
2488
2488
2488
2488
2488
2488
2488
2488
3920	explorer.exe
3920	explorer.exe
2488
2488
2488
2488
1272	explorer.exe
1272	explorer.exe
2840	explorer.exe
2840	explorer.exe
2488
2488
504	explorer.exe
504	explorer.exe
2488
2488
1676	explorer.exe
1676	explorer.exe
2336	explorer.exe
2336	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1124	WMIC.exe
Token: SeSecurityPrivilege	1124	WMIC.exe
Token: SeTakeOwnershipPrivilege	1124	WMIC.exe
Token: SeLoadDriverPrivilege	1124	WMIC.exe
Token: SeSystemProfilePrivilege	1124	WMIC.exe
Token: SeSystemtimePrivilege	1124	WMIC.exe
Token: SeProfSingleProcessPrivilege	1124	WMIC.exe
Token: SeIncBasePriorityPrivilege	1124	WMIC.exe
Token: SeCreatePagefilePrivilege	1124	WMIC.exe
Token: SeBackupPrivilege	1124	WMIC.exe
Token: SeRestorePrivilege	1124	WMIC.exe
Token: SeShutdownPrivilege	1124	WMIC.exe
Token: SeDebugPrivilege	1124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1124	WMIC.exe
Token: SeRemoteShutdownPrivilege	1124	WMIC.exe
Token: SeUndockPrivilege	1124	WMIC.exe
Token: SeManageVolumePrivilege	1124	WMIC.exe
Token: 33	1124	WMIC.exe
Token: 34	1124	WMIC.exe
Token: 35	1124	WMIC.exe
Token: 36	1124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1124	WMIC.exe
Token: SeSecurityPrivilege	1124	WMIC.exe
Token: SeTakeOwnershipPrivilege	1124	WMIC.exe
Token: SeLoadDriverPrivilege	1124	WMIC.exe
Token: SeSystemProfilePrivilege	1124	WMIC.exe
Token: SeSystemtimePrivilege	1124	WMIC.exe
Token: SeProfSingleProcessPrivilege	1124	WMIC.exe
Token: SeIncBasePriorityPrivilege	1124	WMIC.exe
Token: SeCreatePagefilePrivilege	1124	WMIC.exe
Token: SeBackupPrivilege	1124	WMIC.exe
Token: SeRestorePrivilege	1124	WMIC.exe
Token: SeShutdownPrivilege	1124	WMIC.exe
Token: SeDebugPrivilege	1124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1124	WMIC.exe
Token: SeRemoteShutdownPrivilege	1124	WMIC.exe
Token: SeUndockPrivilege	1124	WMIC.exe
Token: SeManageVolumePrivilege	1124	WMIC.exe
Token: 33	1124	WMIC.exe
Token: 34	1124	WMIC.exe
Token: 35	1124	WMIC.exe
Token: 36	1124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe
Token: SeSecurityPrivilege	3208	WMIC.exe
Token: SeTakeOwnershipPrivilege	3208	WMIC.exe
Token: SeLoadDriverPrivilege	3208	WMIC.exe
Token: SeSystemProfilePrivilege	3208	WMIC.exe
Token: SeSystemtimePrivilege	3208	WMIC.exe
Token: SeProfSingleProcessPrivilege	3208	WMIC.exe
Token: SeIncBasePriorityPrivilege	3208	WMIC.exe
Token: SeCreatePagefilePrivilege	3208	WMIC.exe
Token: SeBackupPrivilege	3208	WMIC.exe
Token: SeRestorePrivilege	3208	WMIC.exe
Token: SeShutdownPrivilege	3208	WMIC.exe
Token: SeDebugPrivilege	3208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3208	WMIC.exe
Token: SeRemoteShutdownPrivilege	3208	WMIC.exe
Token: SeUndockPrivilege	3208	WMIC.exe
Token: SeManageVolumePrivilege	3208	WMIC.exe
Token: 33	3208	WMIC.exe
Token: 34	3208	WMIC.exe
Token: 35	3208	WMIC.exe
Token: 36	3208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3220 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3220 iexplore.exe
3220 iexplore.exe
3408 IEXPLORE.EXE
3408 IEXPLORE.EXE

pid	process
3220	iexplore.exe

pid	process
3220	iexplore.exe
3220	iexplore.exe
3408	IEXPLORE.EXE
3408	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2488 wrote to memory of 424	2488		cmd.exe
PID 2488 wrote to memory of 424	2488		cmd.exe
PID 424 wrote to memory of 1124	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 1124	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 3208	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 3208	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 3616	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 3616	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 2324	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 2324	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 2292	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 2292	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 2632	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 2632	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 3312	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 3312	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 2452	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 2452	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 3944	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 3944	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 1160	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 1160	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 420	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 420	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 660	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 660	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 1352	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 1352	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 3192	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 3192	424	cmd.exe	WMIC.exe
PID 424 wrote to memory of 3376	424	cmd.exe	ipconfig.exe
PID 424 wrote to memory of 3376	424	cmd.exe	ipconfig.exe
PID 424 wrote to memory of 1280	424	cmd.exe	ROUTE.EXE
PID 424 wrote to memory of 1280	424	cmd.exe	ROUTE.EXE
PID 424 wrote to memory of 2932	424	cmd.exe	netsh.exe
PID 424 wrote to memory of 2932	424	cmd.exe	netsh.exe
PID 424 wrote to memory of 4068	424	cmd.exe	systeminfo.exe
PID 424 wrote to memory of 4068	424	cmd.exe	systeminfo.exe
PID 424 wrote to memory of 192	424	cmd.exe	tasklist.exe
PID 424 wrote to memory of 192	424	cmd.exe	tasklist.exe
PID 424 wrote to memory of 3092	424	cmd.exe	net.exe
PID 424 wrote to memory of 3092	424	cmd.exe	net.exe
PID 3092 wrote to memory of 2068	3092	net.exe	net1.exe
PID 3092 wrote to memory of 2068	3092	net.exe	net1.exe
PID 424 wrote to memory of 2640	424	cmd.exe	net.exe
PID 424 wrote to memory of 2640	424	cmd.exe	net.exe
PID 2640 wrote to memory of 3992	2640	net.exe	net1.exe
PID 2640 wrote to memory of 3992	2640	net.exe	net1.exe
PID 424 wrote to memory of 2116	424	cmd.exe	net.exe
PID 424 wrote to memory of 2116	424	cmd.exe	net.exe
PID 2116 wrote to memory of 1564	2116	net.exe	net1.exe
PID 2116 wrote to memory of 1564	2116	net.exe	net1.exe
PID 424 wrote to memory of 3524	424	cmd.exe	net.exe
PID 424 wrote to memory of 3524	424	cmd.exe	net.exe
PID 3524 wrote to memory of 1676	3524	net.exe	net1.exe
PID 3524 wrote to memory of 1676	3524	net.exe	net1.exe
PID 424 wrote to memory of 3572	424	cmd.exe	net.exe
PID 424 wrote to memory of 3572	424	cmd.exe	net.exe
PID 424 wrote to memory of 2180	424	cmd.exe	net.exe
PID 424 wrote to memory of 2180	424	cmd.exe	net.exe
PID 2180 wrote to memory of 3604	2180	net.exe	net1.exe
PID 2180 wrote to memory of 3604	2180	net.exe	net1.exe
PID 424 wrote to memory of 1920	424	cmd.exe	net.exe
PID 424 wrote to memory of 1920	424	cmd.exe	net.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3724

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3488

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3292

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2372

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exe
"C:\Users\Admin\AppData\Local\Temp\8e36946a4142852379da8cac26d307248a61568b2d7c047e76b780b23f652875.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2264

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:3616

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:2324

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:2292

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:2632

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3312

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:2452

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:3944

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:1160

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:420

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:660

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:1352

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3192

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:3376

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:1280

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:2932

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:4068

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:192

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:2068

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:3992

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:1564

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:1676

C:\Windows\system32\net.exe
net use
2⤵
PID:3572

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:3604

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:1920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:3872

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:1244

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:3748

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:1444

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:64

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:504

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3220 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2280

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3920

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:504

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1272

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2336

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fa526918a211e850a6078fb1d00b2045

SHA1
75bad6b9476e0655e6a2947a682e81df689682f3

SHA256
396b94c667643afa59d155ef4d812da6f4d67dd50cec97194e1ca3a1b3ece3fe

SHA512
27a3e00ba0e478d8a79cbbd134ef7beaff7fde2fc57aecfaf022806af41c2a85183fda3e1abc2dec38d27a7f22960db3549721b8d821ea659a5592b430de1ed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
529c36f32af17d95dfbc8f63cba39b5a

SHA1
8c909e949c118eaf73e39b1011739858ef866799

SHA256
a83b50b96ff271ce210b8c2acdeed1470353c07e64d9c27eabf301ac3029e076

SHA512
8e899089dda3b7025a794e4a7fdf40f80a4974cebc6c86dbf0fdc50a2d1886b18cd5800495ac1387c3d541d6b4f7674ed8696767e88cb0b113e695ac7937a5b6

Download Submit
memory/64-196-0x0000000000000000-mapping.dmp

Download
memory/192-178-0x0000000000000000-mapping.dmp

Download
memory/420-170-0x0000000000000000-mapping.dmp

Download
memory/424-157-0x0000000000000000-mapping.dmp

Download
memory/504-279-0x0000000000000000-mapping.dmp

Download
memory/504-197-0x0000000000000000-mapping.dmp

Download
memory/660-171-0x0000000000000000-mapping.dmp

Download
memory/1124-158-0x0000000000000000-mapping.dmp

Download
memory/1160-169-0x0000000000000000-mapping.dmp

Download
memory/1244-193-0x0000000000000000-mapping.dmp

Download
memory/1272-320-0x0000000000000000-mapping.dmp

Download
memory/1280-175-0x0000000000000000-mapping.dmp

Download
memory/1300-215-0x0000000000000000-mapping.dmp

Download
memory/1352-172-0x0000000000000000-mapping.dmp

Download
memory/1444-195-0x0000000000000000-mapping.dmp

Download
memory/1564-184-0x0000000000000000-mapping.dmp

Download
memory/1676-186-0x0000000000000000-mapping.dmp

Download
memory/1676-433-0x0000000000000000-mapping.dmp

Download
memory/1920-190-0x0000000000000000-mapping.dmp

Download
memory/2068-180-0x0000000000000000-mapping.dmp

Download
memory/2116-183-0x0000000000000000-mapping.dmp

Download
memory/2180-188-0x0000000000000000-mapping.dmp

Download
memory/2264-146-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-132-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-143-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-144-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-145-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-117-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-147-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-148-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-149-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-150-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-151-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-152-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-118-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-119-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-141-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-138-0x0000000000490000-0x000000000053E000-memory.dmp

Filesize
696KB

Download
memory/2264-120-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-121-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-122-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-142-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-123-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-124-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-125-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-126-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-140-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2264-139-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-137-0x00000000006A1000-0x00000000006B1000-memory.dmp

Filesize
64KB

Download
memory/2264-136-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-127-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-128-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-135-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-129-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-130-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-134-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-131-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2264-133-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-219-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-202-0x0000000000000000-mapping.dmp

Download
memory/2280-218-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-217-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-216-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-214-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-213-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-235-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-224-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-232-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-233-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-230-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-228-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-226-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-222-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-212-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-221-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-220-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-203-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-204-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-205-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-206-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-207-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-208-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-209-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-210-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2280-211-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-162-0x0000000000000000-mapping.dmp

Download
memory/2324-161-0x0000000000000000-mapping.dmp

Download
memory/2336-370-0x0000000000000000-mapping.dmp

Download
memory/2452-167-0x0000000000000000-mapping.dmp

Download
memory/2488-156-0x0000000000720000-0x000000000072F000-memory.dmp

Filesize
60KB

Download
memory/2488-153-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/2632-165-0x0000000000000000-mapping.dmp

Download
memory/2640-181-0x0000000000000000-mapping.dmp

Download
memory/2840-231-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-229-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-225-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-223-0x0000000000000000-mapping.dmp

Download
memory/2840-227-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-234-0x0000000077DC0000-0x0000000077F4E000-memory.dmp

Filesize
1.6MB

Download
memory/2932-176-0x0000000000000000-mapping.dmp

Download
memory/3092-179-0x0000000000000000-mapping.dmp

Download
memory/3192-173-0x0000000000000000-mapping.dmp

Download
memory/3208-159-0x0000000000000000-mapping.dmp

Download
memory/3312-166-0x0000000000000000-mapping.dmp

Download
memory/3376-174-0x0000000000000000-mapping.dmp

Download
memory/3524-185-0x0000000000000000-mapping.dmp

Download
memory/3572-187-0x0000000000000000-mapping.dmp

Download
memory/3604-189-0x0000000000000000-mapping.dmp

Download
memory/3616-160-0x0000000000000000-mapping.dmp

Download
memory/3748-194-0x0000000000000000-mapping.dmp

Download
memory/3868-192-0x0000000000000000-mapping.dmp

Download
memory/3872-191-0x0000000000000000-mapping.dmp

Download
memory/3920-248-0x0000000000000000-mapping.dmp

Download
memory/3944-168-0x0000000000000000-mapping.dmp

Download
memory/3992-182-0x0000000000000000-mapping.dmp

Download
memory/4068-177-0x0000000000000000-mapping.dmp

Download