smokeloader | 256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135

General

Target

256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exe
Size

304KB
MD5

cfbe64a303fb6e0000c7859bfb13a1a2
SHA1

a6b85217a3bd9ef76f1235a9ab92384b96b7fede
SHA256

256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135
SHA512

c411656d43d9b709db77c153da224e2930d26200dc081082d0a4beb0be23b6e63c9e747ec3d650cd670f72c08d79ba40d49c9091344e305a01657916109284b1

Score

10^/10

smokeloader backdoor collection evasion suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

https://ny-city-mall.com/search.php

https://fresh-cars.net/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

2748

pid	process
2748

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4292 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

3364 ipconfig.exe
1776 NETSTAT.EXE
32 NETSTAT.EXE
4424 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3652 systeminfo.exe

pid	process
4292	tasklist.exe

pid	process
3364	ipconfig.exe
1776	NETSTAT.EXE
32	NETSTAT.EXE
4424	ipconfig.exe

pid	process
3652	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4186778361"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b609fc3c6dd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960956"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bdc589e75a9694984e55894d53738f600000000020000000000106600000001000020000000f3cf19c5523ee2667e1449fbf6519843d7df82d6b1a8e33c51436db213da3554000000000e80000000020000200000008958aaf29a444ed6eddad985fefac7860535a3bab7d4cd293f34464396c305c9200000007dd1ce1e921a1fb9dc0ae4bed2e88d17d1e1dfa87ccd705acce6d684bc79ae484000000049081b7b09e9de5c0d90d4ca107af71234070e90e773450f184f0d66b06b4c3b7e8510ba6896d49f7b1a219581a88e7f0a05641251bf637434853ef6a9de8b56	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4191155063"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bdc589e75a9694984e55894d53738f60000000002000000000010660000000100002000000091c44043f1d53d0989373439da8f0725d32351c78135bd1df9471b042a449581000000000e800000000200002000000053013b9065b62b92d87fa21f80e3ad16a748d44cae0d83efa5baaebcbf5ca4fa2000000013b61d3b70ddd8a3eaa86787c74b208548900b1e9ff4adb10396e0cb7edd907340000000da780c4297e76f77fadd29c17902ad2892b822b9c85f7e3277817e6092ca1b70eb4c2bcdea77e0110899c24fbd1f312ff25969b7656559761825934b9bba479a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 902c13fc3c6dd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{25155355-D930-11EC-B56E-EA4089AFA54B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960956"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359921109"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "359969695"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "359937703"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4186778361"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30960956"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exe

pid	process
2572	256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exe
2572	256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exe
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2748

pid	process
2748

Suspicious behavior: MapViewOfSection 43 IoCs

Processes:

256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2572	256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exe
2748
2748
2748
2748
2748
2748
4344	explorer.exe
4344	explorer.exe
2748
2748
4584	explorer.exe
4584	explorer.exe
2748
2748
4600	explorer.exe
4600	explorer.exe
2748
2748
4596	explorer.exe
4596	explorer.exe
2748
2748
4884	explorer.exe
4884	explorer.exe
2748
2748
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe
5104	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4268	WMIC.exe
Token: SeSecurityPrivilege	4268	WMIC.exe
Token: SeTakeOwnershipPrivilege	4268	WMIC.exe
Token: SeLoadDriverPrivilege	4268	WMIC.exe
Token: SeSystemProfilePrivilege	4268	WMIC.exe
Token: SeSystemtimePrivilege	4268	WMIC.exe
Token: SeProfSingleProcessPrivilege	4268	WMIC.exe
Token: SeIncBasePriorityPrivilege	4268	WMIC.exe
Token: SeCreatePagefilePrivilege	4268	WMIC.exe
Token: SeBackupPrivilege	4268	WMIC.exe
Token: SeRestorePrivilege	4268	WMIC.exe
Token: SeShutdownPrivilege	4268	WMIC.exe
Token: SeDebugPrivilege	4268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4268	WMIC.exe
Token: SeRemoteShutdownPrivilege	4268	WMIC.exe
Token: SeUndockPrivilege	4268	WMIC.exe
Token: SeManageVolumePrivilege	4268	WMIC.exe
Token: 33	4268	WMIC.exe
Token: 34	4268	WMIC.exe
Token: 35	4268	WMIC.exe
Token: 36	4268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4268	WMIC.exe
Token: SeSecurityPrivilege	4268	WMIC.exe
Token: SeTakeOwnershipPrivilege	4268	WMIC.exe
Token: SeLoadDriverPrivilege	4268	WMIC.exe
Token: SeSystemProfilePrivilege	4268	WMIC.exe
Token: SeSystemtimePrivilege	4268	WMIC.exe
Token: SeProfSingleProcessPrivilege	4268	WMIC.exe
Token: SeIncBasePriorityPrivilege	4268	WMIC.exe
Token: SeCreatePagefilePrivilege	4268	WMIC.exe
Token: SeBackupPrivilege	4268	WMIC.exe
Token: SeRestorePrivilege	4268	WMIC.exe
Token: SeShutdownPrivilege	4268	WMIC.exe
Token: SeDebugPrivilege	4268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4268	WMIC.exe
Token: SeRemoteShutdownPrivilege	4268	WMIC.exe
Token: SeUndockPrivilege	4268	WMIC.exe
Token: SeManageVolumePrivilege	4268	WMIC.exe
Token: 33	4268	WMIC.exe
Token: 34	4268	WMIC.exe
Token: 35	4268	WMIC.exe
Token: 36	4268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2192	WMIC.exe
Token: SeSecurityPrivilege	2192	WMIC.exe
Token: SeTakeOwnershipPrivilege	2192	WMIC.exe
Token: SeLoadDriverPrivilege	2192	WMIC.exe
Token: SeSystemProfilePrivilege	2192	WMIC.exe
Token: SeSystemtimePrivilege	2192	WMIC.exe
Token: SeProfSingleProcessPrivilege	2192	WMIC.exe
Token: SeIncBasePriorityPrivilege	2192	WMIC.exe
Token: SeCreatePagefilePrivilege	2192	WMIC.exe
Token: SeBackupPrivilege	2192	WMIC.exe
Token: SeRestorePrivilege	2192	WMIC.exe
Token: SeShutdownPrivilege	2192	WMIC.exe
Token: SeDebugPrivilege	2192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2192	WMIC.exe
Token: SeRemoteShutdownPrivilege	2192	WMIC.exe
Token: SeUndockPrivilege	2192	WMIC.exe
Token: SeManageVolumePrivilege	2192	WMIC.exe
Token: 33	2192	WMIC.exe
Token: 34	2192	WMIC.exe
Token: 35	2192	WMIC.exe
Token: 36	2192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2192	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1368 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1368 iexplore.exe
1368 iexplore.exe
4476 IEXPLORE.EXE
4476 IEXPLORE.EXE

pid	process
1368	iexplore.exe

pid	process
1368	iexplore.exe
1368	iexplore.exe
4476	IEXPLORE.EXE
4476	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2748 wrote to memory of 2184	2748		cmd.exe
PID 2748 wrote to memory of 2184	2748		cmd.exe
PID 2184 wrote to memory of 4268	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4268	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 2192	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 2192	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4592	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4592	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4624	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4624	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4960	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4960	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3116	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3116	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3484	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3484	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4816	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4816	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3548	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3548	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3356	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3356	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4680	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 4680	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3952	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3952	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3856	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3856	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3160	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3160	2184	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 3364	2184	cmd.exe	ipconfig.exe
PID 2184 wrote to memory of 3364	2184	cmd.exe	ipconfig.exe
PID 2184 wrote to memory of 3212	2184	cmd.exe	ROUTE.EXE
PID 2184 wrote to memory of 3212	2184	cmd.exe	ROUTE.EXE
PID 2184 wrote to memory of 4240	2184	cmd.exe	netsh.exe
PID 2184 wrote to memory of 4240	2184	cmd.exe	netsh.exe
PID 2184 wrote to memory of 3652	2184	cmd.exe	systeminfo.exe
PID 2184 wrote to memory of 3652	2184	cmd.exe	systeminfo.exe
PID 2184 wrote to memory of 4292	2184	cmd.exe	tasklist.exe
PID 2184 wrote to memory of 4292	2184	cmd.exe	tasklist.exe
PID 2184 wrote to memory of 4228	2184	cmd.exe	net.exe
PID 2184 wrote to memory of 4228	2184	cmd.exe	net.exe
PID 4228 wrote to memory of 568	4228	net.exe	net1.exe
PID 4228 wrote to memory of 568	4228	net.exe	net1.exe
PID 2184 wrote to memory of 4444	2184	cmd.exe	net.exe
PID 2184 wrote to memory of 4444	2184	cmd.exe	net.exe
PID 4444 wrote to memory of 3148	4444	net.exe	net1.exe
PID 4444 wrote to memory of 3148	4444	net.exe	net1.exe
PID 2184 wrote to memory of 4100	2184	cmd.exe	net.exe
PID 2184 wrote to memory of 4100	2184	cmd.exe	net.exe
PID 4100 wrote to memory of 356	4100	net.exe	net1.exe
PID 4100 wrote to memory of 356	4100	net.exe	net1.exe
PID 2184 wrote to memory of 828	2184	cmd.exe	net.exe
PID 2184 wrote to memory of 828	2184	cmd.exe	net.exe
PID 828 wrote to memory of 1076	828	net.exe	net1.exe
PID 828 wrote to memory of 1076	828	net.exe	net1.exe
PID 2184 wrote to memory of 1256	2184	cmd.exe	net.exe
PID 2184 wrote to memory of 1256	2184	cmd.exe	net.exe
PID 2184 wrote to memory of 656	2184	cmd.exe	net.exe
PID 2184 wrote to memory of 656	2184	cmd.exe	net.exe
PID 656 wrote to memory of 572	656	net.exe	net1.exe
PID 656 wrote to memory of 572	656	net.exe	net1.exe
PID 2184 wrote to memory of 1400	2184	cmd.exe	net.exe
PID 2184 wrote to memory of 1400	2184	cmd.exe	net.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2340

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2436

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3288

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3828

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exe
"C:\Users\Admin\AppData\Local\Temp\256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2572

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:4592

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:4624

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:4960

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3116

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3484

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:4816

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:3548

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:3356

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:4680

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:3952

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:3856

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3160

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:3364

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3212

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:4240

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:3652

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:4292

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:568

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:3148

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:356

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:1076

C:\Windows\system32\net.exe
net use
2⤵
PID:1256

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:572

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:1400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:1648

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:4480

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:3012

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:32

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:216

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:4424

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1368

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1368 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4860

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4712

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4344

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4584

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4600

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4596

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4884

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
bd72dc52da415559c02553bb1e7bd3c3

SHA1
64e00d8ec1ecb62146f0a2349e9fab7e7cb48ac4

SHA256
ac706580ffcb98d6b28184b26f71eaca509846170a3dba74c2a48a646e8c8eed

SHA512
e6e90e6c60e0f1419a9c1ce4863f5ef93b03967c8e0a5ebe570e48556ff0bd097acfe43e25e10ec8f2a4377c134d9c1ccf233b89c1bdce0038a04ef869a82139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
6eca49e638024fb399b2ff90333fb81b

SHA1
e5a88690005ee48f3a23023d4a7821f46fcf5c0f

SHA256
5fd46722996d09a0ed31f01872b63c025002283a2eacbe9551f380eccfcdbf0f

SHA512
e9d64ccf77c1658fc88dd9ba7f1fca83fb6a880eedfd2c1c67397f46e516498b92841398a2c4f24d6d51586006c3fd1268c98c9dca73318664dcc6f56665a8a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\48A9VI8E.cookie
Filesize
608B

MD5
beb7944fd658a79fc8f242f2c765c129

SHA1
6f96aaafde0fe1250d53020169dafde7592ca550

SHA256
26fc0e99accd2cd5fa14af0159ef3c27bbb57e649b7d21c96ebb545139809f7c

SHA512
c872f713d2dff2a63e1f4b34590ea595ad7582815d23ae643ce23ad4d9d9713312990cdc2dde37cd2c9b6f883c04075d49c5794c2fe1874d1871fe8daaaec3e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\8514LLDN.cookie
Filesize
523B

MD5
dbf5170dde1c00c9f31dbdcc5504834c

SHA1
a1506e2f8f0cc9771cfd6f5823349f38b55dff21

SHA256
6d7204f2d9444fb709609029e754efbbe24be42d3636571722437395f86850dc

SHA512
d3b5577cdf7a7098422dec13db2144e3022018ff9cbaf7d7edc4b32428c424d3a51ee13d2932b03cef4f6a2e6b7ac100fe7e7a27873fdf4b4d4c4c4845d291d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\92RCJ8G4.cookie
Filesize
319B

MD5
da7261b6a8986d1837161a2f9d67f718

SHA1
4c549c4cd42da8d3d37fd4c9fadd646b16c20ab9

SHA256
56c8a5076b391cea416b763b90e50169b5b66bb3d8fbbbbe1815660095570cce

SHA512
41dc8c606cf4df3c1a88559052c60ea0b2e52dca69f02470c271868e96507bb6ebd9ce7b2e231e415eb69045de8deae3f9b07a851f9b23fabffa731524992d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\NTBS4IG7.cookie
Filesize
241B

MD5
abb27a7bb685e3bca3b980183ff91e2a

SHA1
c4d9d9530cece3715d1e427f057bfc50119f8365

SHA256
ad0776b153ea0a2e200c50f189b4606d57082d40818b8638176888aa6088e5d7

SHA512
7ef90cecc49ebb2582ce7edb02f1e4b6ca76c80d2b9eb1158f06f42a80033be3d6a503012b98a3316188cab7c9c0d3a5aaa22c03fd8bf89dd42e26b081fe9d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\S9WB1PPG.cookie
Filesize
440B

MD5
81b9e0c72f1227e30d4d722e51ccc07d

SHA1
8c710c82fdef9c2131a6c5cc41b214c19c18b3b9

SHA256
8784516b1820807e0c4ea6e2d9abb57188c82fbac3260322c5867ef072316371

SHA512
9df4a927987d689d180fd4761ab1b9e74be0a8943c3e954a09f8e0824cbcbc0d0776c001e755d3134dd58119d56db245fe54baa35bc8be6ef74eecf41531b745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YH5WAS08.cookie
Filesize
110B

MD5
ddc1f982c487765fe14c9f4fe79d7829

SHA1
c34b2fab4e648b5a8277e80ac05399014b4e6e4a

SHA256
6d229b29621f18a64860718634f3525ecec1de49f0adec00874963b7b9e1d249

SHA512
886197193a078d709461413489ead76659fa3444dfc1943b17d49c45415dbd4cd08695bb104fa458bbc77c5450a46dea5aeeb9bf9b225742252cd10851590bf7

Download Submit
memory/32-164-0x0000000000000000-mapping.dmp

Download
memory/216-165-0x0000000000000000-mapping.dmp

Download
memory/356-153-0x0000000000000000-mapping.dmp

Download
memory/568-149-0x0000000000000000-mapping.dmp

Download
memory/572-158-0x0000000000000000-mapping.dmp

Download
memory/656-157-0x0000000000000000-mapping.dmp

Download
memory/828-154-0x0000000000000000-mapping.dmp

Download
memory/1076-155-0x0000000000000000-mapping.dmp

Download
memory/1256-156-0x0000000000000000-mapping.dmp

Download
memory/1400-159-0x0000000000000000-mapping.dmp

Download
memory/1648-160-0x0000000000000000-mapping.dmp

Download
memory/1776-161-0x0000000000000000-mapping.dmp

Download
memory/2184-126-0x0000000000000000-mapping.dmp

Download
memory/2192-128-0x0000000000000000-mapping.dmp

Download
memory/2572-119-0x00000000006F1000-0x0000000000701000-memory.dmp

Filesize
64KB

Download
memory/2572-120-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/2572-121-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2748-122-0x0000000000780000-0x0000000000796000-memory.dmp

Filesize
88KB

Download
memory/2748-125-0x00000000026D0000-0x00000000026DF000-memory.dmp

Filesize
60KB

Download
memory/3012-163-0x0000000000000000-mapping.dmp

Download
memory/3116-134-0x0000000000000000-mapping.dmp

Download
memory/3148-151-0x0000000000000000-mapping.dmp

Download
memory/3160-142-0x0000000000000000-mapping.dmp

Download
memory/3212-144-0x0000000000000000-mapping.dmp

Download
memory/3356-138-0x0000000000000000-mapping.dmp

Download
memory/3364-143-0x0000000000000000-mapping.dmp

Download
memory/3484-135-0x0000000000000000-mapping.dmp

Download
memory/3548-137-0x0000000000000000-mapping.dmp

Download
memory/3652-146-0x0000000000000000-mapping.dmp

Download
memory/3828-191-0x000002A4397F0000-0x000002A4397F8000-memory.dmp

Filesize
32KB

Download
memory/3828-188-0x000002A439670000-0x000002A439678000-memory.dmp

Filesize
32KB

Download
memory/3828-187-0x000002A4395D0000-0x000002A4395D8000-memory.dmp

Filesize
32KB

Download
memory/3828-179-0x000002A439400000-0x000002A439408000-memory.dmp

Filesize
32KB

Download
memory/3828-190-0x000002A439740000-0x000002A439748000-memory.dmp

Filesize
32KB

Download
memory/3828-189-0x000002A439160000-0x000002A439168000-memory.dmp

Filesize
32KB

Download
memory/3856-141-0x0000000000000000-mapping.dmp

Download
memory/3952-140-0x0000000000000000-mapping.dmp

Download
memory/4100-152-0x0000000000000000-mapping.dmp

Download
memory/4228-148-0x0000000000000000-mapping.dmp

Download
memory/4240-145-0x0000000000000000-mapping.dmp

Download
memory/4268-127-0x0000000000000000-mapping.dmp

Download
memory/4292-147-0x0000000000000000-mapping.dmp

Download
memory/4344-173-0x0000000000000000-mapping.dmp

Download
memory/4424-166-0x0000000000000000-mapping.dmp

Download
memory/4444-150-0x0000000000000000-mapping.dmp

Download
memory/4480-162-0x0000000000000000-mapping.dmp

Download
memory/4584-174-0x0000000000000000-mapping.dmp

Download
memory/4592-129-0x0000000000000000-mapping.dmp

Download
memory/4596-176-0x0000000000000000-mapping.dmp

Download
memory/4600-175-0x0000000000000000-mapping.dmp

Download
memory/4624-130-0x0000000000000000-mapping.dmp

Download
memory/4680-139-0x0000000000000000-mapping.dmp

Download
memory/4712-172-0x0000000000000000-mapping.dmp

Download
memory/4816-136-0x0000000000000000-mapping.dmp

Download
memory/4860-171-0x0000000000000000-mapping.dmp

Download
memory/4884-177-0x0000000000000000-mapping.dmp

Download
memory/4960-131-0x0000000000000000-mapping.dmp

Download
memory/5104-178-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads