smokeloader | c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd

General

Target

c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
Size

305KB
MD5

eb9b532b8edac23726c27b76bf330e03
SHA1

a7aa6b9e089fd4f6845d84c7569e55eb3971c5e1
SHA256

c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd
SHA512

0a721e387100f446bee4987f50ec6ca71312a239136f68912c8a677ea0530e2b9c008980bbe5402d3ed17df22a0dbfd0e833440c243b49745224669fbede050e

Score

10^/10

smokeloader backdoor evasion trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

https://ny-city-mall.com/search.php

https://fresh-cars.net/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

996 4232 WerFault.exe explorer.exe

pid	pid_target	process	target process
996	4232	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3092 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exeNETSTAT.EXENETSTAT.EXE

pid process

744 ipconfig.exe
1892 ipconfig.exe
4648 NETSTAT.EXE
1236 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2312 systeminfo.exe

pid	process
3092	tasklist.exe

pid	process
744	ipconfig.exe
1892	ipconfig.exe
4648	NETSTAT.EXE
1236	NETSTAT.EXE

pid	process
2312	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0FE003C4-D930-11EC-AD90-FA9902833152} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3829245710"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3833775964"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405b45e63c6dd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d14ee63c6dd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3829245710"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960956"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d44f7c908017924dbb36ebe98e677ce100000000020000000000106600000001000020000000714ae7807ba8f850eb4bd8bf21f6bd458b01cb4a26b3152bbae0b11fa682da53000000000e80000000020000200000006a4b31e0361983ef64efcc84c21dcd4ee9536b4df6ad5ce54fdb017e13fb162d200000000f70b3374ef799d0ec43fdf8b1bb958dd7f890e8f0ea897c6cf954c91e29177240000000422d2a0daa50bd4b6795fa58e1d2a503bc7f899c9c12e30e75223b3f3e2839c2ea8d4f3697e126c11a41cf4a0b24b1cce878fbbd29dbee958367cda28f464489	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30960956"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d44f7c908017924dbb36ebe98e677ce100000000020000000000106600000001000020000000eebdadc93fc2e2b81075e50b731b226494e47ad2a9ab1a638e27963cd0256a9f000000000e80000000020000200000005c41b5ecf2a6869cecd3299aebaa9339b5dffd877b0716e539a1627124686359200000004c187528f7d3d49e4a79b7f79206d29c144701cae68d6d3225085fbb6199288540000000f49b21eee5bd182c03481105b7878aac838c6bd3f1e06c7355e5b3a6879fbd3d93e2876bdf8e92658bd2b30d7c0dbc6e20349c26dcf39ec16cf8936863a025de	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359921073"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960956"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe

pid	process
4192	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
4192	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092
2092

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2092

pid	process
2092

Suspicious behavior: MapViewOfSection 51 IoCs

Processes:

c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
4192	c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
2092
2092
2092
2092
2092
2092
3960	explorer.exe
3960	explorer.exe
2092
2092
1044	explorer.exe
1044	explorer.exe
2092
2092
1872	explorer.exe
1872	explorer.exe
2092
2092
2944	explorer.exe
2944	explorer.exe
2092
2092
4636	explorer.exe
4636	explorer.exe
4636	explorer.exe
4636	explorer.exe
2092
2092
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe
2396	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4152	WMIC.exe
Token: SeSecurityPrivilege	4152	WMIC.exe
Token: SeTakeOwnershipPrivilege	4152	WMIC.exe
Token: SeLoadDriverPrivilege	4152	WMIC.exe
Token: SeSystemProfilePrivilege	4152	WMIC.exe
Token: SeSystemtimePrivilege	4152	WMIC.exe
Token: SeProfSingleProcessPrivilege	4152	WMIC.exe
Token: SeIncBasePriorityPrivilege	4152	WMIC.exe
Token: SeCreatePagefilePrivilege	4152	WMIC.exe
Token: SeBackupPrivilege	4152	WMIC.exe
Token: SeRestorePrivilege	4152	WMIC.exe
Token: SeShutdownPrivilege	4152	WMIC.exe
Token: SeDebugPrivilege	4152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4152	WMIC.exe
Token: SeRemoteShutdownPrivilege	4152	WMIC.exe
Token: SeUndockPrivilege	4152	WMIC.exe
Token: SeManageVolumePrivilege	4152	WMIC.exe
Token: 33	4152	WMIC.exe
Token: 34	4152	WMIC.exe
Token: 35	4152	WMIC.exe
Token: 36	4152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4152	WMIC.exe
Token: SeSecurityPrivilege	4152	WMIC.exe
Token: SeTakeOwnershipPrivilege	4152	WMIC.exe
Token: SeLoadDriverPrivilege	4152	WMIC.exe
Token: SeSystemProfilePrivilege	4152	WMIC.exe
Token: SeSystemtimePrivilege	4152	WMIC.exe
Token: SeProfSingleProcessPrivilege	4152	WMIC.exe
Token: SeIncBasePriorityPrivilege	4152	WMIC.exe
Token: SeCreatePagefilePrivilege	4152	WMIC.exe
Token: SeBackupPrivilege	4152	WMIC.exe
Token: SeRestorePrivilege	4152	WMIC.exe
Token: SeShutdownPrivilege	4152	WMIC.exe
Token: SeDebugPrivilege	4152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4152	WMIC.exe
Token: SeRemoteShutdownPrivilege	4152	WMIC.exe
Token: SeUndockPrivilege	4152	WMIC.exe
Token: SeManageVolumePrivilege	4152	WMIC.exe
Token: 33	4152	WMIC.exe
Token: 34	4152	WMIC.exe
Token: 35	4152	WMIC.exe
Token: 36	4152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	256	WMIC.exe
Token: SeSecurityPrivilege	256	WMIC.exe
Token: SeTakeOwnershipPrivilege	256	WMIC.exe
Token: SeLoadDriverPrivilege	256	WMIC.exe
Token: SeSystemProfilePrivilege	256	WMIC.exe
Token: SeSystemtimePrivilege	256	WMIC.exe
Token: SeProfSingleProcessPrivilege	256	WMIC.exe
Token: SeIncBasePriorityPrivilege	256	WMIC.exe
Token: SeCreatePagefilePrivilege	256	WMIC.exe
Token: SeBackupPrivilege	256	WMIC.exe
Token: SeRestorePrivilege	256	WMIC.exe
Token: SeShutdownPrivilege	256	WMIC.exe
Token: SeDebugPrivilege	256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	256	WMIC.exe
Token: SeRemoteShutdownPrivilege	256	WMIC.exe
Token: SeUndockPrivilege	256	WMIC.exe
Token: SeManageVolumePrivilege	256	WMIC.exe
Token: 33	256	WMIC.exe
Token: 34	256	WMIC.exe
Token: 35	256	WMIC.exe
Token: 36	256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	256	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

400 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

400 iexplore.exe
400 iexplore.exe
2624 IEXPLORE.EXE
2624 IEXPLORE.EXE

pid	process
400	iexplore.exe

pid	process
400	iexplore.exe
400	iexplore.exe
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2092 wrote to memory of 4784	2092		cmd.exe
PID 2092 wrote to memory of 4784	2092		cmd.exe
PID 4784 wrote to memory of 4152	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4152	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 256	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 256	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 536	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 536	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4588	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4588	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3960	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3960	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 1168	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 1168	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3988	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3988	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3440	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3440	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4976	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4976	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 832	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 832	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3380	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 3380	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4060	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4060	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4348	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4348	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4028	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 4028	4784	cmd.exe	WMIC.exe
PID 4784 wrote to memory of 1892	4784	cmd.exe	ipconfig.exe
PID 4784 wrote to memory of 1892	4784	cmd.exe	ipconfig.exe
PID 4784 wrote to memory of 3572	4784	cmd.exe	ROUTE.EXE
PID 4784 wrote to memory of 3572	4784	cmd.exe	ROUTE.EXE
PID 4784 wrote to memory of 1152	4784	cmd.exe	netsh.exe
PID 4784 wrote to memory of 1152	4784	cmd.exe	netsh.exe
PID 4784 wrote to memory of 2312	4784	cmd.exe	systeminfo.exe
PID 4784 wrote to memory of 2312	4784	cmd.exe	systeminfo.exe
PID 4784 wrote to memory of 3092	4784	cmd.exe	tasklist.exe
PID 4784 wrote to memory of 3092	4784	cmd.exe	tasklist.exe
PID 4784 wrote to memory of 4556	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 4556	4784	cmd.exe	net.exe
PID 4556 wrote to memory of 3480	4556	net.exe	net1.exe
PID 4556 wrote to memory of 3480	4556	net.exe	net1.exe
PID 4784 wrote to memory of 2708	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 2708	4784	cmd.exe	net.exe
PID 2708 wrote to memory of 4932	2708	net.exe	net1.exe
PID 2708 wrote to memory of 4932	2708	net.exe	net1.exe
PID 4784 wrote to memory of 5116	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 5116	4784	cmd.exe	net.exe
PID 5116 wrote to memory of 4316	5116	net.exe	net1.exe
PID 5116 wrote to memory of 4316	5116	net.exe	net1.exe
PID 4784 wrote to memory of 2816	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 2816	4784	cmd.exe	net.exe
PID 2816 wrote to memory of 3108	2816	net.exe	net1.exe
PID 2816 wrote to memory of 3108	2816	net.exe	net1.exe
PID 4784 wrote to memory of 4080	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 4080	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 3364	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 3364	4784	cmd.exe	net.exe
PID 3364 wrote to memory of 4564	3364	net.exe	net1.exe
PID 3364 wrote to memory of 4564	3364	net.exe	net1.exe
PID 4784 wrote to memory of 4676	4784	cmd.exe	net.exe
PID 4784 wrote to memory of 4676	4784	cmd.exe	net.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2272

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4204

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3612

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3084

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe
"C:\Users\Admin\AppData\Local\Temp\c90f94b9d9cb151bd554e33378ef639551d874a00611ccbdbbef8639407e4dbd.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4192

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:256

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:536

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:4588

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:3960

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:1168

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3988

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:3440

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:4976

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:832

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:3380

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:4060

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:4348

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:4028

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:1892

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3572

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:1152

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:2312

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3092

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:3480

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:4932

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:4316

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:3108

C:\Windows\system32\net.exe
net use
2⤵
PID:4080

C:\Windows\system32\net.exe
net group
2⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:4564

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:4676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:3844

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:380

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:1012

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:1236

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:4812

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4000

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:400

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 872
2⤵
- Program crash
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4232 -ip 4232
1⤵
PID:2780

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4388

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3960

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1044

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1872

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2944

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4636

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
bd72dc52da415559c02553bb1e7bd3c3

SHA1
64e00d8ec1ecb62146f0a2349e9fab7e7cb48ac4

SHA256
ac706580ffcb98d6b28184b26f71eaca509846170a3dba74c2a48a646e8c8eed

SHA512
e6e90e6c60e0f1419a9c1ce4863f5ef93b03967c8e0a5ebe570e48556ff0bd097acfe43e25e10ec8f2a4377c134d9c1ccf233b89c1bdce0038a04ef869a82139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
790c27a2aa8786b37315becccba4b7fa

SHA1
612235d0bc228c66b1934db05fd3b0ae847a8fab

SHA256
fd718f5c44b747134c088831aa36cbec5a91e84b907850b4a96335ebd84863a4

SHA512
77889866b84ae75310e8af91a76c95f1313d273496ded939f0bdc436fa094bff2f47024bbe8bc7db92885e2ef552fc9a72c59031cac4ce7b5ac49fad264eb8ad

Download Submit
memory/256-137-0x0000000000000000-mapping.dmp

Download
memory/380-169-0x0000000000000000-mapping.dmp

Download
memory/536-138-0x0000000000000000-mapping.dmp

Download
memory/744-173-0x0000000000000000-mapping.dmp

Download
memory/832-145-0x0000000000000000-mapping.dmp

Download
memory/1012-170-0x0000000000000000-mapping.dmp

Download
memory/1044-177-0x0000000000000000-mapping.dmp

Download
memory/1152-152-0x0000000000000000-mapping.dmp

Download
memory/1168-141-0x0000000000000000-mapping.dmp

Download
memory/1236-171-0x0000000000000000-mapping.dmp

Download
memory/1872-178-0x0000000000000000-mapping.dmp

Download
memory/1892-150-0x0000000000000000-mapping.dmp

Download
memory/2092-134-0x00000000078F0000-0x00000000078FF000-memory.dmp

Filesize
60KB

Download
memory/2092-133-0x0000000000780000-0x0000000000796000-memory.dmp

Filesize
88KB

Download
memory/2312-153-0x0000000000000000-mapping.dmp

Download
memory/2396-181-0x0000000000000000-mapping.dmp

Download
memory/2708-157-0x0000000000000000-mapping.dmp

Download
memory/2816-161-0x0000000000000000-mapping.dmp

Download
memory/2944-179-0x0000000000000000-mapping.dmp

Download
memory/3092-154-0x0000000000000000-mapping.dmp

Download
memory/3108-162-0x0000000000000000-mapping.dmp

Download
memory/3364-164-0x0000000000000000-mapping.dmp

Download
memory/3380-146-0x0000000000000000-mapping.dmp

Download
memory/3440-143-0x0000000000000000-mapping.dmp

Download
memory/3480-156-0x0000000000000000-mapping.dmp

Download
memory/3572-151-0x0000000000000000-mapping.dmp

Download
memory/3844-167-0x0000000000000000-mapping.dmp

Download
memory/3960-176-0x0000000000000000-mapping.dmp

Download
memory/3960-140-0x0000000000000000-mapping.dmp

Download
memory/3988-142-0x0000000000000000-mapping.dmp

Download
memory/4028-149-0x0000000000000000-mapping.dmp

Download
memory/4060-147-0x0000000000000000-mapping.dmp

Download
memory/4080-163-0x0000000000000000-mapping.dmp

Download
memory/4152-136-0x0000000000000000-mapping.dmp

Download
memory/4192-132-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4192-130-0x0000000000622000-0x0000000000632000-memory.dmp

Filesize
64KB

Download
memory/4192-131-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4232-174-0x0000000000000000-mapping.dmp

Download
memory/4316-160-0x0000000000000000-mapping.dmp

Download
memory/4348-148-0x0000000000000000-mapping.dmp

Download
memory/4388-175-0x0000000000000000-mapping.dmp

Download
memory/4556-155-0x0000000000000000-mapping.dmp

Download
memory/4564-165-0x0000000000000000-mapping.dmp

Download
memory/4588-139-0x0000000000000000-mapping.dmp

Download
memory/4636-180-0x0000000000000000-mapping.dmp

Download
memory/4648-168-0x0000000000000000-mapping.dmp

Download
memory/4676-166-0x0000000000000000-mapping.dmp

Download
memory/4784-135-0x0000000000000000-mapping.dmp

Download
memory/4812-172-0x0000000000000000-mapping.dmp

Download
memory/4932-158-0x0000000000000000-mapping.dmp

Download
memory/4976-144-0x0000000000000000-mapping.dmp

Download
memory/5116-159-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads