General
Target: c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
Filesize: 305KB
Completed: 21-05-2022 18:03
Task: behavioral1
Score: 10/10
MD5: eb9b532b8edac23726c27b76bf330e03
SHA1: a7aa6b9e089fd4f6845d84c7569e55eb3971c5e1
SHA256: c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd
SHA512: 0a721e387100f446bee4987f50ec6ca71312a239136f68912c8a677ea0530e2b9c008980bbe5402d3ed17df22a0dbfd0e833440c243b49745224669fbede050e

Malware Config

Extracted
Family: smokeloader
Version: 2020
C2: https://ny-city-mall.com/search.php
    https://fresh-cars.net/search.php
rc4.i32
rc4.i32
Signatures 16

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process      | target process
    996 | 4232       | WerFault.exe | explorer.exe
  • Checks SCSI registry key(s)
    c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description    | ioc                                              | process
    Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
    Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
  • Enumerates processes with tasklist
    tasklist.exe

    TTPs

    Process Discovery

    Reported IOCs

    pid  | process
    3092 | tasklist.exe
  • Gathers network information
    ipconfig.exe, ipconfig.exe, NETSTAT.EXE, NETSTAT.EXE

    Description

    Uses commandline utility to view network configuration.

    TTPs

    System Information Discovery, Command-Line Interface

    Reported IOCs

    pid  | process
    744  | ipconfig.exe
    1892 | ipconfig.exe
    4648 | NETSTAT.EXE
    1236 | NETSTAT.EXE
  • Gathers system information
    systeminfo.exe

    Description

    Runs systeminfo.exe.

    TTPs

    System Information Discovery

    Reported IOCs

    pid  | process
    2312 | systeminfo.exe
  • Modifies Internet Explorer settings
    iexplore.exe, IEXPLORE.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0FE003C4-D930-11EC-AD90-FA9902833152} = "0" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3829245710" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3833775964" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405b45e63c6dd801 | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d14ee63c6dd801 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3829245710" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960956" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = (value elided) | (elided)
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" |
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30960956" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = (value elided) | (elided)
    Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359921073" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main |
    Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960956" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses
    c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe

    Reported IOCs

    pid  | process
    4192 | c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
    4192 | c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
    2092 | (process name not recorded; this entry is reported 62 times)
  • Suspicious behavior: GetForegroundWindowSpam

    Reported IOCs

    pid  | process
    2092 | (process name not recorded)
  • Suspicious behavior: MapViewOfSection
    c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe, explorer.exe (6 instances)

    Reported IOCs

    pid  | process                                                               | times reported
    4192 | c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe | 1
    2092 | (process name not recorded)                                           | 6
    3960 | explorer.exe                                                          | 2
    2092 | (process name not recorded)                                           | 2
    1044 | explorer.exe                                                          | 2
    2092 | (process name not recorded)                                           | 2
    1872 | explorer.exe                                                          | 2
    2092 | (process name not recorded)                                           | 2
    2944 | explorer.exe                                                          | 2
    2092 | (process name not recorded)                                           | 2
    4636 | explorer.exe                                                          | 4
    2092 | (process name not recorded)                                           | 2
    2396 | explorer.exe                                                          | 22
  • Suspicious use of AdjustPrivilegeToken
    WMIC.exe, WMIC.exe

    Reported IOCs

    description | pid | process
    Each of the token privileges below is reported twice for PID 4152 (WMIC.exe) and once for PID 256 (WMIC.exe); SeIncreaseQuotaPrivilege is reported a second time for PID 256.
    Token: SeIncreaseQuotaPrivilege
    Token: SeSecurityPrivilege
    Token: SeTakeOwnershipPrivilege
    Token: SeLoadDriverPrivilege
    Token: SeSystemProfilePrivilege
    Token: SeSystemtimePrivilege
    Token: SeProfSingleProcessPrivilege
    Token: SeIncBasePriorityPrivilege
    Token: SeCreatePagefilePrivilege
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeShutdownPrivilege
    Token: SeDebugPrivilege
    Token: SeSystemEnvironmentPrivilege
    Token: SeRemoteShutdownPrivilege
    Token: SeUndockPrivilege
    Token: SeManageVolumePrivilege
    Token: 33
    Token: 34
    Token: 35
    Token: 36
  • Suspicious use of FindShellTrayWindow
    iexplore.exe

    Reported IOCs

    pid | process
    400 | iexplore.exe
  • Suspicious use of SetWindowsHookEx
    iexplore.exe, IEXPLORE.EXE

    Reported IOCs

    pid  | process
    400  | iexplore.exe
    400  | iexplore.exe
    2624 | IEXPLORE.EXE
    2624 | IEXPLORE.EXE
  • Suspicious use of WriteProcessMemory
    cmd.exe, net.exe, net.exe, net.exe, net.exe, net.exe

    Reported IOCs

    Each row below is reported twice in the original output.

    description                      | pid  | process                     | target process
    PID 2092 wrote to memory of 4784 | 2092 | (process name not recorded) | cmd.exe
    PID 4784 wrote to memory of 4152 | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 256  | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 536  | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 4588 | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 3960 | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 1168 | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 3988 | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 3440 | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 4976 | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 832  | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 3380 | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 4060 | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 4348 | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 4028 | 4784 | cmd.exe                     | WMIC.exe
    PID 4784 wrote to memory of 1892 | 4784 | cmd.exe                     | ipconfig.exe
    PID 4784 wrote to memory of 3572 | 4784 | cmd.exe                     | ROUTE.EXE
    PID 4784 wrote to memory of 1152 | 4784 | cmd.exe                     | netsh.exe
    PID 4784 wrote to memory of 2312 | 4784 | cmd.exe                     | systeminfo.exe
    PID 4784 wrote to memory of 3092 | 4784 | cmd.exe                     | tasklist.exe
    PID 4784 wrote to memory of 4556 | 4784 | cmd.exe                     | net.exe
    PID 4556 wrote to memory of 3480 | 4556 | net.exe                     | net1.exe
    PID 4784 wrote to memory of 2708 | 4784 | cmd.exe                     | net.exe
    PID 2708 wrote to memory of 4932 | 2708 | net.exe                     | net1.exe
    PID 4784 wrote to memory of 5116 | 4784 | cmd.exe                     | net.exe
    PID 5116 wrote to memory of 4316 | 5116 | net.exe                     | net1.exe
    PID 4784 wrote to memory of 2816 | 4784 | cmd.exe                     | net.exe
    PID 2816 wrote to memory of 3108 | 2816 | net.exe                     | net1.exe
    PID 4784 wrote to memory of 4080 | 4784 | cmd.exe                     | net.exe
    PID 4784 wrote to memory of 3364 | 4784 | cmd.exe                     | net.exe
    PID 3364 wrote to memory of 4564 | 3364 | net.exe                     | net1.exe
    PID 4784 wrote to memory of 4676 | 4784 | cmd.exe                     | net.exe
Processes 64
  • C:\Windows\system32\sihost.exe
    sihost.exe
    PID:2272
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:4204
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:3804
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:3612
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:3460
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:3396
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:3292
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID:3084
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID:2444
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID:2288
  • C:\Users\Admin\AppData\Local\Temp\c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
    "C:\Users\Admin\AppData\Local\Temp\c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe"
    Checks SCSI registry key(s)
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: MapViewOfSection
    PID:4192
  • C:\Windows\system32\cmd.exe
    cmd
    Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
      Suspicious use of AdjustPrivilegeToken
      PID:4152
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
      Suspicious use of AdjustPrivilegeToken
      PID:256
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
      PID:536
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
      PID:4588
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
      PID:3960
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
      PID:1168
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
      PID:3988
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
      PID:3440
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
      PID:4976
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
      PID:832
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
      PID:3380
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
      PID:4060
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
      PID:4348
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
      PID:4028
    • C:\Windows\system32\ipconfig.exe
      ipconfig /displaydns
      Gathers network information
      PID:1892
    • C:\Windows\system32\ROUTE.EXE
      route print
      PID:3572
    • C:\Windows\system32\netsh.exe
      netsh firewall show state
      PID:1152
    • C:\Windows\system32\systeminfo.exe
      systeminfo
      Gathers system information
      PID:2312
    • C:\Windows\system32\tasklist.exe
      tasklist /v
      Enumerates processes with tasklist
      PID:3092
    • C:\Windows\system32\net.exe
      net accounts /domain
      Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 accounts /domain
        PID:3480
    • C:\Windows\system32\net.exe
      net share
      Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 share
        PID:4932
    • C:\Windows\system32\net.exe
      net user
      Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user
        PID:4316
    • C:\Windows\system32\net.exe
      net user /domain
      Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user /domain
        PID:3108
    • C:\Windows\system32\net.exe
      net use
      PID:4080
    • C:\Windows\system32\net.exe
      net group
      Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 group
        PID:4564
    • C:\Windows\system32\net.exe
      net localgroup
      PID:4676
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 localgroup
        PID:3844
    • C:\Windows\system32\NETSTAT.EXE
      netstat -r
      Gathers network information
      PID:4648
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
        PID:380
        • C:\Windows\system32\ROUTE.EXE
          C:\Windows\system32\route.exe print
          PID:1012
    • C:\Windows\system32\NETSTAT.EXE
      netstat -nao
      Gathers network information
      PID:1236
    • C:\Windows\system32\schtasks.exe
      schtasks /query
      PID:4812
    • C:\Windows\system32\ipconfig.exe
      ipconfig /all
      Gathers network information
      PID:744
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    PID:4000
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    PID:4076
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    PID:400
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:17410 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2624
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    PID:4232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 872
      Program crash
      PID:996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4232 -ip 4232
    PID:2780
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    PID:4388
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    Suspicious behavior: MapViewOfSection
    PID:3960
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    Suspicious behavior: MapViewOfSection
    PID:1044
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    Suspicious behavior: MapViewOfSection
    PID:1872
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    Suspicious behavior: MapViewOfSection
    PID:2944
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    Suspicious behavior: MapViewOfSection
    PID:4636
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    Suspicious behavior: MapViewOfSection
    PID:2396
Downloads
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5: bd72dc52da415559c02553bb1e7bd3c3
    SHA1: 64e00d8ec1ecb62146f0a2349e9fab7e7cb48ac4
    SHA256: ac706580ffcb98d6b28184b26f71eaca509846170a3dba74c2a48a646e8c8eed
    SHA512: e6e90e6c60e0f1419a9c1ce4863f5ef93b03967c8e0a5ebe570e48556ff0bd097acfe43e25e10ec8f2a4377c134d9c1ccf233b89c1bdce0038a04ef869a82139
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5: 790c27a2aa8786b37315becccba4b7fa
    SHA1: 612235d0bc228c66b1934db05fd3b0ae847a8fab
    SHA256: fd718f5c44b747134c088831aa36cbec5a91e84b907850b4a96335ebd84863a4
    SHA512: 77889866b84ae75310e8af91a76c95f1313d273496ded939f0bdc436fa094bff2f47024bbe8bc7db92885e2ef552fc9a72c59031cac4ce7b5ac49fad264eb8ad
