smokeloader | adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695

Analysis

max time kernel
300s
max time network
281s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
03/08/2023, 05:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695.exe
Size

321KB
MD5

30ff060017187bb4b3d03a131a07182b
SHA1

4e3d0cace04c9de5041f5c947cacfb2ffc57cfe4
SHA256

adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695
SHA512

23343e03f7c5752effedfb842e71ab7852de3f55267728130e67d0e8cab8f9af97d2abe4a41f0261ce6e9580e1fce1204b677f62a764b64749a856c1768e2103
SSDEEP

3072:7bLJL7l1YVVVlFhjHUMeLGN/pKHojv7URsR9iFITEFDRFMWjkK9:7hh1YVVnnU/C1MOjhv8FDT

Score

10^/10

smokeloader 0020 backdoor evasion trojan

Malware Config

Extracted

Family

smokeloader

Botnet

0020

Extracted

Family

smokeloader

Version

2022

https://nebraska-pizza.com/search.php

https://alaska-ships.com/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4516	netsh.exe

Deletes itself 1 IoCs

pid	Process
3292	Process not Found

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
652	tasklist.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2508	NETSTAT.EXE
2320	ipconfig.exe
32	ipconfig.exe
3492	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2952	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3319867853"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31049159"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31049159"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3319867853"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31049159"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ce19d01ba0487545829bf9ad88e781c5000000000200000000001066000000010000200000000f9cdd66d8d6d15500928157ca881957078704fd7e44ea807fff012d71300ca8000000000e80000000020000200000002e01218cc361e64ccdda6d3bb75d56cf757f47b1ac2f2d3ccaa1de397c1ca782200000006afe7b4bf5d9d37d96248922ec7dd25163430bed7f54505f22bb4c721dfc6302400000005a30d4fe2bb0b489bc24e284cfad28d46b3e5acd9f9495d20b86adc24342c2ea3271dcea76e47d84a1d20dc43a6327b3964a87537523d354a744af0624dc5f0b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31049159"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3320962852"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "394544475"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "394544363"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\SOFTWARE\Microsoft\Internet Explorer\Main	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F1517B87-31BA-11EE-B5F0-EA61CE599400} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ce19d01ba0487545829bf9ad88e781c500000000020000000000106600000001000020000000580bf4f5886046a04722c60100f7f9c08999b0144f154382ea050e57105f7445000000000e80000000020000200000009dc757aa98b8bd9e7927e0a7b1346aeb7f552d8dfe7c024eac29d8f2678e6b5020000000125be4733ee53458b2bd6ba274228d154268d80ae3a6432d2bd2cda1fd34e9ba40000000876849d397c5f8464abcabb2905990b01851198ec796c3a182582aadb5268ea6f4b6656612b29be9bfa5549ec8e10fde714722dbc830a3a48ebb3af4b3d2b10c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7037f3cec7c5d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394544306"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3320962852"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6063facec7c5d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695.exe
5096	adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695.exe
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3292	Process not Found

Suspicious behavior: MapViewOfSection 25 IoCs

pid	Process
5096	adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695.exe
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
4876	explorer.exe
4876	explorer.exe
3292	Process not Found
3292	Process not Found
4132	explorer.exe
4132	explorer.exe
3292	Process not Found
3292	Process not Found
752	explorer.exe
752	explorer.exe
3292	Process not Found
3292	Process not Found
4104	explorer.exe
4104	explorer.exe
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5000	WMIC.exe
Token: SeSecurityPrivilege	5000	WMIC.exe
Token: SeTakeOwnershipPrivilege	5000	WMIC.exe
Token: SeLoadDriverPrivilege	5000	WMIC.exe
Token: SeSystemProfilePrivilege	5000	WMIC.exe
Token: SeSystemtimePrivilege	5000	WMIC.exe
Token: SeProfSingleProcessPrivilege	5000	WMIC.exe
Token: SeIncBasePriorityPrivilege	5000	WMIC.exe
Token: SeCreatePagefilePrivilege	5000	WMIC.exe
Token: SeBackupPrivilege	5000	WMIC.exe
Token: SeRestorePrivilege	5000	WMIC.exe
Token: SeShutdownPrivilege	5000	WMIC.exe
Token: SeDebugPrivilege	5000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5000	WMIC.exe
Token: SeRemoteShutdownPrivilege	5000	WMIC.exe
Token: SeUndockPrivilege	5000	WMIC.exe
Token: SeManageVolumePrivilege	5000	WMIC.exe
Token: 33	5000	WMIC.exe
Token: 34	5000	WMIC.exe
Token: 35	5000	WMIC.exe
Token: 36	5000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5000	WMIC.exe
Token: SeSecurityPrivilege	5000	WMIC.exe
Token: SeTakeOwnershipPrivilege	5000	WMIC.exe
Token: SeLoadDriverPrivilege	5000	WMIC.exe
Token: SeSystemProfilePrivilege	5000	WMIC.exe
Token: SeSystemtimePrivilege	5000	WMIC.exe
Token: SeProfSingleProcessPrivilege	5000	WMIC.exe
Token: SeIncBasePriorityPrivilege	5000	WMIC.exe
Token: SeCreatePagefilePrivilege	5000	WMIC.exe
Token: SeBackupPrivilege	5000	WMIC.exe
Token: SeRestorePrivilege	5000	WMIC.exe
Token: SeShutdownPrivilege	5000	WMIC.exe
Token: SeDebugPrivilege	5000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5000	WMIC.exe
Token: SeRemoteShutdownPrivilege	5000	WMIC.exe
Token: SeUndockPrivilege	5000	WMIC.exe
Token: SeManageVolumePrivilege	5000	WMIC.exe
Token: 33	5000	WMIC.exe
Token: 34	5000	WMIC.exe
Token: 35	5000	WMIC.exe
Token: 36	5000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2576	WMIC.exe
Token: SeSecurityPrivilege	2576	WMIC.exe
Token: SeTakeOwnershipPrivilege	2576	WMIC.exe
Token: SeLoadDriverPrivilege	2576	WMIC.exe
Token: SeSystemProfilePrivilege	2576	WMIC.exe
Token: SeSystemtimePrivilege	2576	WMIC.exe
Token: SeProfSingleProcessPrivilege	2576	WMIC.exe
Token: SeIncBasePriorityPrivilege	2576	WMIC.exe
Token: SeCreatePagefilePrivilege	2576	WMIC.exe
Token: SeBackupPrivilege	2576	WMIC.exe
Token: SeRestorePrivilege	2576	WMIC.exe
Token: SeShutdownPrivilege	2576	WMIC.exe
Token: SeDebugPrivilege	2576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2576	WMIC.exe
Token: SeRemoteShutdownPrivilege	2576	WMIC.exe
Token: SeUndockPrivilege	2576	WMIC.exe
Token: SeManageVolumePrivilege	2576	WMIC.exe
Token: 33	2576	WMIC.exe
Token: 34	2576	WMIC.exe
Token: 35	2576	WMIC.exe
Token: 36	2576	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2576	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1016	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1016	iexplore.exe
1016	iexplore.exe
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 2252	3292	Process not Found	71
PID 3292 wrote to memory of 2252	3292	Process not Found	71
PID 2252 wrote to memory of 5000	2252	cmd.exe	73
PID 2252 wrote to memory of 5000	2252	cmd.exe	73
PID 2252 wrote to memory of 2576	2252	cmd.exe	74
PID 2252 wrote to memory of 2576	2252	cmd.exe	74
PID 2252 wrote to memory of 3796	2252	cmd.exe	75
PID 2252 wrote to memory of 3796	2252	cmd.exe	75
PID 2252 wrote to memory of 2332	2252	cmd.exe	76
PID 2252 wrote to memory of 2332	2252	cmd.exe	76
PID 2252 wrote to memory of 4824	2252	cmd.exe	77
PID 2252 wrote to memory of 4824	2252	cmd.exe	77
PID 2252 wrote to memory of 4556	2252	cmd.exe	80
PID 2252 wrote to memory of 4556	2252	cmd.exe	80
PID 2252 wrote to memory of 2652	2252	cmd.exe	81
PID 2252 wrote to memory of 2652	2252	cmd.exe	81
PID 2252 wrote to memory of 4976	2252	cmd.exe	82
PID 2252 wrote to memory of 4976	2252	cmd.exe	82
PID 2252 wrote to memory of 4836	2252	cmd.exe	83
PID 2252 wrote to memory of 4836	2252	cmd.exe	83
PID 2252 wrote to memory of 3652	2252	cmd.exe	84
PID 2252 wrote to memory of 3652	2252	cmd.exe	84
PID 2252 wrote to memory of 4304	2252	cmd.exe	85
PID 2252 wrote to memory of 4304	2252	cmd.exe	85
PID 2252 wrote to memory of 4932	2252	cmd.exe	86
PID 2252 wrote to memory of 4932	2252	cmd.exe	86
PID 2252 wrote to memory of 2016	2252	cmd.exe	87
PID 2252 wrote to memory of 2016	2252	cmd.exe	87
PID 2252 wrote to memory of 1740	2252	cmd.exe	88
PID 2252 wrote to memory of 1740	2252	cmd.exe	88
PID 2252 wrote to memory of 32	2252	cmd.exe	89
PID 2252 wrote to memory of 32	2252	cmd.exe	89
PID 2252 wrote to memory of 4616	2252	cmd.exe	90
PID 2252 wrote to memory of 4616	2252	cmd.exe	90
PID 2252 wrote to memory of 4516	2252	cmd.exe	91
PID 2252 wrote to memory of 4516	2252	cmd.exe	91
PID 2252 wrote to memory of 2952	2252	cmd.exe	92
PID 2252 wrote to memory of 2952	2252	cmd.exe	92
PID 2252 wrote to memory of 652	2252	cmd.exe	94
PID 2252 wrote to memory of 652	2252	cmd.exe	94
PID 2252 wrote to memory of 1012	2252	cmd.exe	95
PID 2252 wrote to memory of 1012	2252	cmd.exe	95
PID 1012 wrote to memory of 4600	1012	net.exe	96
PID 1012 wrote to memory of 4600	1012	net.exe	96
PID 2252 wrote to memory of 2140	2252	cmd.exe	97
PID 2252 wrote to memory of 2140	2252	cmd.exe	97
PID 2140 wrote to memory of 236	2140	net.exe	98
PID 2140 wrote to memory of 236	2140	net.exe	98
PID 2252 wrote to memory of 3456	2252	cmd.exe	99
PID 2252 wrote to memory of 3456	2252	cmd.exe	99
PID 3456 wrote to memory of 2216	3456	net.exe	100
PID 3456 wrote to memory of 2216	3456	net.exe	100
PID 2252 wrote to memory of 4980	2252	cmd.exe	101
PID 2252 wrote to memory of 4980	2252	cmd.exe	101
PID 4980 wrote to memory of 3464	4980	net.exe	102
PID 4980 wrote to memory of 3464	4980	net.exe	102
PID 2252 wrote to memory of 4240	2252	cmd.exe	103
PID 2252 wrote to memory of 4240	2252	cmd.exe	103
PID 2252 wrote to memory of 2176	2252	cmd.exe	104
PID 2252 wrote to memory of 2176	2252	cmd.exe	104
PID 2176 wrote to memory of 5012	2176	net.exe	105
PID 2176 wrote to memory of 5012	2176	net.exe	105
PID 2252 wrote to memory of 1396	2252	cmd.exe	106
PID 2252 wrote to memory of 1396	2252	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695.exe
"C:\Users\Admin\AppData\Local\Temp\adbe7a6a87ed8acc591a850031d9dfd8f70399a5bee4d749ebd68d120d195695.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5096

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  2⤵
  PID:3796
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  2⤵
  PID:2332
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  2⤵
  PID:4824
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  2⤵
  PID:4556
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  2⤵
  PID:2652
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  2⤵
  PID:4976
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  2⤵
  PID:4836
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  2⤵
  PID:3652
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  2⤵
  PID:4304
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  2⤵
  PID:4932
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  2⤵
  PID:2016
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  2⤵
  PID:1740
- C:\Windows\system32\ipconfig.exe
  ipconfig /displaydns
  2⤵
  - Gathers network information
  PID:32
- C:\Windows\system32\ROUTE.EXE
  route print
  2⤵
  PID:4616
- C:\Windows\system32\netsh.exe
  netsh firewall show state
  2⤵
  - Modifies Windows Firewall
  PID:4516
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2952
- C:\Windows\system32\tasklist.exe
  tasklist /v
  2⤵
  - Enumerates processes with tasklist
  PID:652
- C:\Windows\system32\net.exe
  net accounts /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 accounts /domain
    3⤵
    PID:4600
- C:\Windows\system32\net.exe
  net share
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share
    3⤵
    PID:236
- C:\Windows\system32\net.exe
  net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:2216
- C:\Windows\system32\net.exe
  net user /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /domain
    3⤵
    PID:3464
- C:\Windows\system32\net.exe
  net use
  2⤵
  PID:4240
- C:\Windows\system32\net.exe
  net group
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group
    3⤵
    PID:5012
- C:\Windows\system32\net.exe
  net localgroup
  2⤵
  PID:1396
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup
    3⤵
    PID:424
- C:\Windows\system32\NETSTAT.EXE
  netstat -r
  2⤵
  - Gathers network information
  PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
    3⤵
    PID:632
  - - C:\Windows\system32\ROUTE.EXE
      C:\Windows\system32\route.exe print
      4⤵
      PID:996
- C:\Windows\system32\NETSTAT.EXE
  netstat -nao
  2⤵
  - Gathers network information
  PID:2508
- C:\Windows\system32\schtasks.exe
  schtasks /query
  2⤵
  PID:2544
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:2320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1016
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2452

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1580

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2904

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4876

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4132

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:752

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4628

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
6b5f38d2860debf21b5bd969669d864a

SHA1
63b82fbada2ac0c1fe421db939687b3e15143c92

SHA256
9974b3ced043323550037e294cbaa56c8bc865586c5c811a9397a94a9bb2f5ac

SHA512
e18cc742219983947cb72f0aa96277c43f2dd798e88d9a83dbc3ad5525867e34702827b4c61ad9a532dfe5d29ec271c95df68b1c6081379e08ceb025600fb434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d452962e69954397b88f3789c9fee3a4

SHA1
8f4199f207d8e3a3330252fe7bc7aa2a19887cfc

SHA256
9d2b9e8c9e29845fff8c82a01158b31bc3be4fef50a5508185f6998227e57f47

SHA512
95d3e94876a8e2986cf3b0a472d8622562afd32004a25d53bb2089b922e5c83750332928ed254f0720e366c22df278f186dcdb4c4e8ff29b2970b1712b7e5356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF20C.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
memory/220-204-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/220-195-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/220-194-0x0000000000FE0000-0x0000000000FED000-memory.dmp

Filesize
52KB

Download
memory/220-196-0x0000000000FE0000-0x0000000000FED000-memory.dmp

Filesize
52KB

Download
memory/752-200-0x0000000000840000-0x0000000000845000-memory.dmp

Filesize
20KB

Download
memory/752-185-0x0000000000840000-0x0000000000845000-memory.dmp

Filesize
20KB

Download
memory/752-186-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download
memory/752-201-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download
memory/1580-162-0x0000000000520000-0x0000000000595000-memory.dmp

Filesize
468KB

Download
memory/1580-164-0x00000000004B0000-0x000000000051B000-memory.dmp

Filesize
428KB

Download
memory/1580-180-0x00000000004B0000-0x000000000051B000-memory.dmp

Filesize
428KB

Download
memory/2904-179-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2904-178-0x00000000004C0000-0x00000000004C7000-memory.dmp

Filesize
28KB

Download
memory/2904-177-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/3292-137-0x0000000000CD0000-0x0000000000CDF000-memory.dmp

Filesize
60KB

Download
memory/3292-133-0x0000000000CD0000-0x0000000000CDF000-memory.dmp

Filesize
60KB

Download
memory/3292-121-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

Filesize
88KB

Download
memory/4104-188-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/4104-202-0x0000000000CE0000-0x0000000000CE6000-memory.dmp

Filesize
24KB

Download
memory/4104-203-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/4104-187-0x0000000000CE0000-0x0000000000CE6000-memory.dmp

Filesize
24KB

Download
memory/4104-189-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/4132-184-0x0000000000110000-0x000000000011F000-memory.dmp

Filesize
60KB

Download
memory/4132-197-0x0000000000110000-0x000000000011F000-memory.dmp

Filesize
60KB

Download
memory/4132-183-0x0000000000120000-0x0000000000129000-memory.dmp

Filesize
36KB

Download
memory/4628-190-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/4628-191-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/4628-192-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/4876-182-0x0000000000640000-0x000000000064B000-memory.dmp

Filesize
44KB

Download
memory/4876-193-0x0000000000640000-0x000000000064B000-memory.dmp

Filesize
44KB

Download
memory/4876-181-0x0000000000650000-0x0000000000657000-memory.dmp

Filesize
28KB

Download
memory/5096-118-0x00000000024E0000-0x00000000025E0000-memory.dmp

Filesize
1024KB

Download
memory/5096-125-0x0000000002360000-0x0000000002369000-memory.dmp

Filesize
36KB

Download
memory/5096-122-0x0000000000400000-0x00000000022F7000-memory.dmp

Filesize
31.0MB

Download
memory/5096-120-0x0000000000400000-0x00000000022F7000-memory.dmp

Filesize
31.0MB

Download
memory/5096-119-0x0000000002360000-0x0000000002369000-memory.dmp

Filesize
36KB

Download