Analysis
  max time kernel: 150s
  max time network: 148s
  platform: windows10_x64
  resource: win10-20220414-en
  submitted: 21-05-2022 15:11

Static task: static1
Behavioral task: behavioral1
  Sample: e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe
  Resource: win10-20220414-en

General
  Target: e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe
  Size: 305KB
  MD5: 62e9a0a9002954fc9b9b7f3eb6961cea
  SHA1: 18a360987b4df973d3b5090582bdd03e0ff5cffd
  SHA256: e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a
  SHA512: 750791e2c3c91df5ae3ad946571e232d810ed22bc83303a625a422c230285e9bdd0c5577623b4dc02bb91790769f59abdb5858bc97ad496773a594f49e66ccf3
Malware Config
Extracted
  Family: smokeloader
  Version: 2020
  C2:
    https://ny-city-mall.com/search.php
    https://fresh-cars.net/search.php
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND

suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND

Modifies Windows Firewall (1 TTPs)

Deletes itself (1 IoCs)
  Processes:
    pid | process
    3068 | (name not recorded)
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe
Enumerates processes with tasklist (1 TTPs, 1 IoCs)
Gathers network information (2 TTPs, 4 IoCs)
  Uses commandline utility to view network configuration.
  Processes:
    pid | process
    3108 | ipconfig.exe
    2192 | NETSTAT.EXE
    1344 | NETSTAT.EXE
    2544 | ipconfig.exe
Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.

Modifies Internet Explorer settings
  Processes:
    description | ioc | process
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36D8B1E6-D929-11EC-B56E-FE3A88AFE425} = "0" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bdc589e75a9694984e55894d53738f600000000020000000000106600000001000020000000264a90f0815435c27ef9400ae88171dc05314e9107dbf321d58910ba0f8dbfc0000000000e80000000020000200000007465ac9e3359390a51da1d70e86d9d84753c2d3d784ded7e700c1e1619884f6920000000d3478f201b401993eeb16eba446cb4b9778f753fa7260d876664c00a4ddf7d58400000001568d374a75e70d29a9b3f9d705d41537bc691d61f804bdb474e2d74720b4ecbaddd858580d9931bb8863d6425771093a9a3b9de623a135ca3a10c8a198bf74d | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "359966718" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960950" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359918133" | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | (name not recorded)
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960950" | IEXPLORE.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bdc589e75a9694984e55894d53738f600000000020000000000106600000001000020000000851650bb7b27bd5c9c0df1181cb9c8a6b7fed1e9298b29ac5bc02aa74cc024d9000000000e800000000200002000000032f08cade7a60b11ba5698123553ab8d4f810635d08cea5ee81f69f0354f6bd520000000cc1a0508e1102d813a7bc642ecd2c59d85477bb40230aa796c7b53e218c8780940000000c936b5b4bc3903f6bf0d85f4b7707633a6557a9f7857ac0042b4aff4d77967a1c7b31814e5f55d371b58d090c9a785b6dca64c7d96a81ccccaa0f96a4f492b99 | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "189671185" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8045c80d366dd801 | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "359934726" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "193422572" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\SOFTWARE\Microsoft\Internet Explorer\Main | (name not recorded)
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "189671185" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30960950" | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e7d80d366dd801 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress | iexplore.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid | process | count
    3488 | e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe | 2
    3068 | (name not recorded) | 62
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid | process
    3068 | (name not recorded)
Suspicious behavior: MapViewOfSection (43 IoCs)
  Processes (in the order recorded):
    pid | process | count
    3488 | e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe | 1
    3068 | (name not recorded) | 6
    1492 | explorer.exe | 2
    3068 | (name not recorded) | 2
    2184 | explorer.exe | 2
    3068 | (name not recorded) | 2
    1004 | explorer.exe | 2
    3068 | (name not recorded) | 2
    848 | explorer.exe | 2
    3068 | (name not recorded) | 2
    208 | explorer.exe | 2
    3068 | (name not recorded) | 2
    216 | explorer.exe | 16
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    Two WMIC.exe instances, pid 2124 and pid 3180, each adjusted the same set of token privileges, recorded in this order:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    pid 2124 (WMIC.exe): the full sequence twice (42 entries)
    pid 3180 (WMIC.exe): the full sequence once, followed by a further SeIncreaseQuotaPrivilege (22 entries)
Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid | process
    2664 | iexplore.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid | process | count
    2664 | iexplore.exe | 2
    3740 | IEXPLORE.EXE | 2
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (each write was recorded twice):
    source pid | source process | target pid | target process | count
    3068 | (name not recorded) | 4088 | cmd.exe | 2
    4088 | cmd.exe | 2124 | WMIC.exe | 2
    4088 | cmd.exe | 3180 | WMIC.exe | 2
    4088 | cmd.exe | 3064 | WMIC.exe | 2
    4088 | cmd.exe | 2060 | WMIC.exe | 2
    4088 | cmd.exe | 3448 | WMIC.exe | 2
    4088 | cmd.exe | 304 | WMIC.exe | 2
    4088 | cmd.exe | 2140 | WMIC.exe | 2
    4088 | cmd.exe | 1204 | WMIC.exe | 2
    4088 | cmd.exe | 2728 | WMIC.exe | 2
    4088 | cmd.exe | 2664 | WMIC.exe | 2
    4088 | cmd.exe | 3968 | WMIC.exe | 2
    4088 | cmd.exe | 1016 | WMIC.exe | 2
    4088 | cmd.exe | 3732 | WMIC.exe | 2
    4088 | cmd.exe | 3144 | WMIC.exe | 2
    4088 | cmd.exe | 3108 | ipconfig.exe | 2
    4088 | cmd.exe | 644 | ROUTE.EXE | 2
    4088 | cmd.exe | 3652 | netsh.exe | 2
    4088 | cmd.exe | 3504 | systeminfo.exe | 2
    4088 | cmd.exe | 1288 | tasklist.exe | 2
    4088 | cmd.exe | 1724 | net.exe | 2
    1724 | net.exe | 2516 | net1.exe | 2
    4088 | cmd.exe | 3744 | net.exe | 2
    3744 | net.exe | 1476 | net1.exe | 2
    4088 | cmd.exe | 2196 | net.exe | 2
    2196 | net.exe | 900 | net1.exe | 2
    4088 | cmd.exe | 3156 | net.exe | 2
    3156 | net.exe | 1252 | net1.exe | 2
    4088 | cmd.exe | 300 | net.exe | 2
    4088 | cmd.exe | 200 | net.exe | 2
    200 | net.exe | 4052 | net1.exe | 2
    4088 | cmd.exe | 3768 | net.exe | 2
outlook_office_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

outlook_win_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes (indentation shows parent/child depth; signature hits are listed under each process)

c:\windows\system32\svchost.exe
  cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\sihost.exe
  cmdline: sihost.exe
c:\windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
C:\Windows\system32\cmd.exe
  cmdline: cmd
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
    C:\Windows\system32\ipconfig.exe
      cmdline: ipconfig /displaydns
      - Gathers network information
    C:\Windows\system32\ROUTE.EXE
      cmdline: route print
    C:\Windows\system32\netsh.exe
      cmdline: netsh firewall show state
    C:\Windows\system32\systeminfo.exe
      cmdline: systeminfo
      - Gathers system information
    C:\Windows\system32\tasklist.exe
      cmdline: tasklist /v
      - Enumerates processes with tasklist
    C:\Windows\system32\net.exe
      cmdline: net accounts /domain
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 accounts /domain
    C:\Windows\system32\net.exe
      cmdline: net share
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 share
    C:\Windows\system32\net.exe
      cmdline: net user
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 user
    C:\Windows\system32\net.exe
      cmdline: net user /domain
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 user /domain
    C:\Windows\system32\net.exe
      cmdline: net use
    C:\Windows\system32\net.exe
      cmdline: net group
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 group
    C:\Windows\system32\net.exe
      cmdline: net localgroup
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 localgroup
    C:\Windows\system32\NETSTAT.EXE
      cmdline: netstat -r
      - Gathers network information
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
            C:\Windows\system32\ROUTE.EXE
              cmdline: C:\Windows\system32\route.exe print
    C:\Windows\system32\NETSTAT.EXE
      cmdline: netstat -nao
      - Gathers network information
    C:\Windows\system32\schtasks.exe
      cmdline: schtasks /query
    C:\Windows\system32\ipconfig.exe
      cmdline: ipconfig /all
      - Gathers network information
C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
C:\Program Files\Internet Explorer\iexplore.exe
  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:82945 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection
C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection
C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection
C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection
C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection
C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection