smokeloader | 77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628

General

Target

77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exe
Size

303KB
MD5

4a4b2cd542d544ecdff2413a506a4878
SHA1

f5a43fe3ddec82040a6508afa85626dcbbe0405e
SHA256

77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628
SHA512

456e9b18222bfa378dcb1654dc56da22f75bb81b48563af0fd5db10bc3685c1ac2923bf2660009ea453cf726087477760f8187f67ef54ae95516ebfc71836489

Score

10^/10

smokeloader backdoor evasion suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

https://ny-city-mall.com/search.php

https://fresh-cars.net/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4880 4728 WerFault.exe explorer.exe

pid	pid_target	process	target process
4880	4728	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3208 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

2052 ipconfig.exe
2276 NETSTAT.EXE
4640 NETSTAT.EXE
4768 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1160 systeminfo.exe

pid	process
3208	tasklist.exe

pid	process
2052	ipconfig.exe
2276	NETSTAT.EXE
4640	NETSTAT.EXE
4768	ipconfig.exe

pid	process
1160	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff0000000000200000000001066000000010000200000000df452882859522b78634ef51cde43d04a5de7ac84e5cb60a86ce6d36abde2d3000000000e8000000002000020000000dc8d20f7a0eb86ca7369a55f124fe7ee97018ab575f37e7f317788c6aa0a126e2000000094aaf8b0f603c4bbc119073fd18360a9e1cc53f1e07148b2a0dd5be6ebd2f07f4000000077de6a86f83f04d6ff5e1a45ace8bd8bf70d0506a9e3aac5224a969eba38646a6cdca37b6eb9d88e51f23423db3dca44a00e2ca34fabbf6f60a5ad40fa7b3cd2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1060109eea6cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2610469032"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960874"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3008029eea6cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2605780226"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30960874"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960874"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359885732"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C6DDF740-D8DD-11EC-B274-C6557A73C573} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2605780226"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff0000000000200000000001066000000010000200000001f39ab9b8252783677a4a3ff22c50debfc60494072036cb44d41dd10eefd672a000000000e800000000200002000000044f10bea9843ee578c985a2bb47567381f6ab30a82d229017e876b70da296cb720000000ff5c92fc788edd0abfdac06f74b4b52daf327b113bc96ed9a010d7e41621fc8b4000000060920695876a66bfc04aa193db7d375a9b8ae8031603869f973ad771e66dc94ba261c1d26ea4b10ad2dd4f2be163e0b6f478feaf3915c18e10534cbd274af239	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exe

pid	process
4024	77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exe
4024	77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exe
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1060

pid	process
1060

Suspicious behavior: MapViewOfSection 49 IoCs

Processes:

77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
4024	77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exe
1060
1060
1060
1060
1060
1060
1528	explorer.exe
1528	explorer.exe
1060
1060
3152	explorer.exe
3152	explorer.exe
1060
1060
4268	explorer.exe
4268	explorer.exe
1060
1060
3688	explorer.exe
3688	explorer.exe
1060
1060
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
1060
1060
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	460	WMIC.exe
Token: SeSecurityPrivilege	460	WMIC.exe
Token: SeTakeOwnershipPrivilege	460	WMIC.exe
Token: SeLoadDriverPrivilege	460	WMIC.exe
Token: SeSystemProfilePrivilege	460	WMIC.exe
Token: SeSystemtimePrivilege	460	WMIC.exe
Token: SeProfSingleProcessPrivilege	460	WMIC.exe
Token: SeIncBasePriorityPrivilege	460	WMIC.exe
Token: SeCreatePagefilePrivilege	460	WMIC.exe
Token: SeBackupPrivilege	460	WMIC.exe
Token: SeRestorePrivilege	460	WMIC.exe
Token: SeShutdownPrivilege	460	WMIC.exe
Token: SeDebugPrivilege	460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	460	WMIC.exe
Token: SeRemoteShutdownPrivilege	460	WMIC.exe
Token: SeUndockPrivilege	460	WMIC.exe
Token: SeManageVolumePrivilege	460	WMIC.exe
Token: 33	460	WMIC.exe
Token: 34	460	WMIC.exe
Token: 35	460	WMIC.exe
Token: 36	460	WMIC.exe
Token: SeIncreaseQuotaPrivilege	460	WMIC.exe
Token: SeSecurityPrivilege	460	WMIC.exe
Token: SeTakeOwnershipPrivilege	460	WMIC.exe
Token: SeLoadDriverPrivilege	460	WMIC.exe
Token: SeSystemProfilePrivilege	460	WMIC.exe
Token: SeSystemtimePrivilege	460	WMIC.exe
Token: SeProfSingleProcessPrivilege	460	WMIC.exe
Token: SeIncBasePriorityPrivilege	460	WMIC.exe
Token: SeCreatePagefilePrivilege	460	WMIC.exe
Token: SeBackupPrivilege	460	WMIC.exe
Token: SeRestorePrivilege	460	WMIC.exe
Token: SeShutdownPrivilege	460	WMIC.exe
Token: SeDebugPrivilege	460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	460	WMIC.exe
Token: SeRemoteShutdownPrivilege	460	WMIC.exe
Token: SeUndockPrivilege	460	WMIC.exe
Token: SeManageVolumePrivilege	460	WMIC.exe
Token: 33	460	WMIC.exe
Token: 34	460	WMIC.exe
Token: 35	460	WMIC.exe
Token: 36	460	WMIC.exe
Token: SeIncreaseQuotaPrivilege	212	WMIC.exe
Token: SeSecurityPrivilege	212	WMIC.exe
Token: SeTakeOwnershipPrivilege	212	WMIC.exe
Token: SeLoadDriverPrivilege	212	WMIC.exe
Token: SeSystemProfilePrivilege	212	WMIC.exe
Token: SeSystemtimePrivilege	212	WMIC.exe
Token: SeProfSingleProcessPrivilege	212	WMIC.exe
Token: SeIncBasePriorityPrivilege	212	WMIC.exe
Token: SeCreatePagefilePrivilege	212	WMIC.exe
Token: SeBackupPrivilege	212	WMIC.exe
Token: SeRestorePrivilege	212	WMIC.exe
Token: SeShutdownPrivilege	212	WMIC.exe
Token: SeDebugPrivilege	212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	212	WMIC.exe
Token: SeRemoteShutdownPrivilege	212	WMIC.exe
Token: SeUndockPrivilege	212	WMIC.exe
Token: SeManageVolumePrivilege	212	WMIC.exe
Token: 33	212	WMIC.exe
Token: 34	212	WMIC.exe
Token: 35	212	WMIC.exe
Token: 36	212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	212	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2036 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2036 iexplore.exe
2036 iexplore.exe
204 IEXPLORE.EXE
204 IEXPLORE.EXE

pid	process
2036	iexplore.exe

pid	process
2036	iexplore.exe
2036	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1060 wrote to memory of 4672	1060		cmd.exe
PID 1060 wrote to memory of 4672	1060		cmd.exe
PID 4672 wrote to memory of 460	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 460	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 212	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 212	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 2020	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 2020	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 2416	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 2416	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 5064	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 5064	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 1088	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 1088	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 2604	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 2604	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 568	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 568	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 2660	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 2660	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 1408	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 1408	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 2212	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 2212	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 3768	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 3768	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 4884	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 4884	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 4808	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 4808	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 2052	4672	cmd.exe	ipconfig.exe
PID 4672 wrote to memory of 2052	4672	cmd.exe	ipconfig.exe
PID 4672 wrote to memory of 4920	4672	cmd.exe	ROUTE.EXE
PID 4672 wrote to memory of 4920	4672	cmd.exe	ROUTE.EXE
PID 4672 wrote to memory of 3496	4672	cmd.exe	netsh.exe
PID 4672 wrote to memory of 3496	4672	cmd.exe	netsh.exe
PID 4672 wrote to memory of 1160	4672	cmd.exe	systeminfo.exe
PID 4672 wrote to memory of 1160	4672	cmd.exe	systeminfo.exe
PID 4672 wrote to memory of 3208	4672	cmd.exe	tasklist.exe
PID 4672 wrote to memory of 3208	4672	cmd.exe	tasklist.exe
PID 4672 wrote to memory of 4156	4672	cmd.exe	net.exe
PID 4672 wrote to memory of 4156	4672	cmd.exe	net.exe
PID 4156 wrote to memory of 3976	4156	net.exe	net1.exe
PID 4156 wrote to memory of 3976	4156	net.exe	net1.exe
PID 4672 wrote to memory of 3460	4672	cmd.exe	net.exe
PID 4672 wrote to memory of 3460	4672	cmd.exe	net.exe
PID 3460 wrote to memory of 3960	3460	net.exe	net1.exe
PID 3460 wrote to memory of 3960	3460	net.exe	net1.exe
PID 4672 wrote to memory of 4288	4672	cmd.exe	net.exe
PID 4672 wrote to memory of 4288	4672	cmd.exe	net.exe
PID 4288 wrote to memory of 4908	4288	net.exe	net1.exe
PID 4288 wrote to memory of 4908	4288	net.exe	net1.exe
PID 4672 wrote to memory of 1680	4672	cmd.exe	net.exe
PID 4672 wrote to memory of 1680	4672	cmd.exe	net.exe
PID 1680 wrote to memory of 1716	1680	net.exe	net1.exe
PID 1680 wrote to memory of 1716	1680	net.exe	net1.exe
PID 4672 wrote to memory of 4740	4672	cmd.exe	net.exe
PID 4672 wrote to memory of 4740	4672	cmd.exe	net.exe
PID 4672 wrote to memory of 4048	4672	cmd.exe	net.exe
PID 4672 wrote to memory of 4048	4672	cmd.exe	net.exe
PID 4048 wrote to memory of 792	4048	net.exe	net1.exe
PID 4048 wrote to memory of 792	4048	net.exe	net1.exe
PID 4672 wrote to memory of 3392	4672	cmd.exe	net.exe
PID 4672 wrote to memory of 3392	4672	cmd.exe	net.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3476

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3560

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3412

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3096

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2864

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exe
"C:\Users\Admin\AppData\Local\Temp\77c71e8c9a49cda6f2427061865662e939a0aad3eee7429a0faff00005428628.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4024

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:2020

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:2416

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:5064

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:1088

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:2604

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:568

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:2660

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:1408

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:2212

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:3768

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:4884

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:4808

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:2052

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:4920

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:3496

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:1160

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3208

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:3976

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:3960

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:4908

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:1716

C:\Windows\system32\net.exe
net use
2⤵
PID:4740

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:792

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:3392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:5056

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:8

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:2368

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:4640

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:2452

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:4768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3148

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:204

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 900
2⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4728 -ip 4728
1⤵
PID:2580

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1528

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3152

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4268

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3688

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3540

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
fa526918a211e850a6078fb1d00b2045

SHA1
75bad6b9476e0655e6a2947a682e81df689682f3

SHA256
396b94c667643afa59d155ef4d812da6f4d67dd50cec97194e1ca3a1b3ece3fe

SHA512
27a3e00ba0e478d8a79cbbd134ef7beaff7fde2fc57aecfaf022806af41c2a85183fda3e1abc2dec38d27a7f22960db3549721b8d821ea659a5592b430de1ed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
8549d477a830070900e7e718996b5857

SHA1
adbb2ce87ef1ba75763ccb3ac4382dfa7d773be4

SHA256
5efc8b529bb86471c20fb9f7955ce147b3c837e1c06c0ffcc06dda6ca387e75c

SHA512
e97709b22b5c3cb2c56609d7d5d496cf7ac6bed07b3f5dcaddb5e9fcd81fac6253b991558d924ed719e9ee4fc9bb83ba85c0713f88989df87945587e2006d17a

Download Submit
memory/8-169-0x0000000000000000-mapping.dmp

Download
memory/212-137-0x0000000000000000-mapping.dmp

Download
memory/460-136-0x0000000000000000-mapping.dmp

Download
memory/568-143-0x0000000000000000-mapping.dmp

Download
memory/792-165-0x0000000000000000-mapping.dmp

Download
memory/1060-133-0x0000000000830000-0x0000000000846000-memory.dmp

Filesize
88KB

Download
memory/1060-134-0x00000000071F0000-0x00000000071FF000-memory.dmp

Filesize
60KB

Download
memory/1088-175-0x0000000000000000-mapping.dmp

Download
memory/1088-141-0x0000000000000000-mapping.dmp

Download
memory/1160-153-0x0000000000000000-mapping.dmp

Download
memory/1408-145-0x0000000000000000-mapping.dmp

Download
memory/1528-176-0x0000000000000000-mapping.dmp

Download
memory/1680-161-0x0000000000000000-mapping.dmp

Download
memory/1716-162-0x0000000000000000-mapping.dmp

Download
memory/2020-138-0x0000000000000000-mapping.dmp

Download
memory/2052-150-0x0000000000000000-mapping.dmp

Download
memory/2212-146-0x0000000000000000-mapping.dmp

Download
memory/2276-168-0x0000000000000000-mapping.dmp

Download
memory/2368-170-0x0000000000000000-mapping.dmp

Download
memory/2416-139-0x0000000000000000-mapping.dmp

Download
memory/2452-172-0x0000000000000000-mapping.dmp

Download
memory/2604-142-0x0000000000000000-mapping.dmp

Download
memory/2660-144-0x0000000000000000-mapping.dmp

Download
memory/3152-177-0x0000000000000000-mapping.dmp

Download
memory/3208-154-0x0000000000000000-mapping.dmp

Download
memory/3392-166-0x0000000000000000-mapping.dmp

Download
memory/3460-157-0x0000000000000000-mapping.dmp

Download
memory/3496-152-0x0000000000000000-mapping.dmp

Download
memory/3540-180-0x0000000000000000-mapping.dmp

Download
memory/3688-179-0x0000000000000000-mapping.dmp

Download
memory/3768-147-0x0000000000000000-mapping.dmp

Download
memory/3960-158-0x0000000000000000-mapping.dmp

Download
memory/3976-156-0x0000000000000000-mapping.dmp

Download
memory/4024-131-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4024-130-0x0000000000742000-0x0000000000752000-memory.dmp

Filesize
64KB

Download
memory/4024-132-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4048-164-0x0000000000000000-mapping.dmp

Download
memory/4156-155-0x0000000000000000-mapping.dmp

Download
memory/4232-181-0x0000000000000000-mapping.dmp

Download
memory/4268-178-0x0000000000000000-mapping.dmp

Download
memory/4288-159-0x0000000000000000-mapping.dmp

Download
memory/4640-171-0x0000000000000000-mapping.dmp

Download
memory/4672-135-0x0000000000000000-mapping.dmp

Download
memory/4728-174-0x0000000000000000-mapping.dmp

Download
memory/4740-163-0x0000000000000000-mapping.dmp

Download
memory/4768-173-0x0000000000000000-mapping.dmp

Download
memory/4808-149-0x0000000000000000-mapping.dmp

Download
memory/4884-148-0x0000000000000000-mapping.dmp

Download
memory/4908-160-0x0000000000000000-mapping.dmp

Download
memory/4920-151-0x0000000000000000-mapping.dmp

Download
memory/5056-167-0x0000000000000000-mapping.dmp

Download
memory/5064-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads