smokeloader | cb703ad4579e744a3771e39b08134fff77c5cd172e8b0e11be941b7ccb2199f2

Analysis

max time kernel
300s
max time network
280s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
03-08-2023 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb703ad4579e744a3771e39b08134fff77c5cd172e8b0e11be941b7ccb2199f2.exe
Size

288KB
MD5

93975a8b4e591ef7b093c0918b3529a4
SHA1

1ee111b47e541435b139f728ec4626f544c257eb
SHA256

cb703ad4579e744a3771e39b08134fff77c5cd172e8b0e11be941b7ccb2199f2
SHA512

3728a80724acf0bd3e4f767abf8d4c6dc9386fc932381a74678c640b62f3bd71f864f7c4d0aa77dd203aa5badbf1a1a4f0fb8990a343200c052e9262ba7e193a
SSDEEP

3072:wN9NiWI5ZubuTLBJ0j+uyTcMuvwew0ulOGZ+BchFA0XKk+1HqVEWj:sz+5ZubKLBJ0jsTFuPw0eOqUCFAP1H

Score

10^/10

smokeloader 0020 backdoor evasion trojan

Malware Config

Extracted

Family

smokeloader

Botnet

0020

Extracted

Family

smokeloader

Version

2022

https://nebraska-pizza.com/search.php

https://alaska-ships.com/search.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4340	netsh.exe

Deletes itself 1 IoCs

pid	Process
3268	Process not Found

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4356	tasklist.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4464	ipconfig.exe
5112	ipconfig.exe
1212	NETSTAT.EXE
2408	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4592	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31049176"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2036969472"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31049176"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e5329902f41eb4cb41c87cb1666014100000000020000000000106600000001000020000000521540f40d2f918b6e9395176059ca752cbbc7ea67cd69ed579c19317c1c7292000000000e800000000200002000000090b3495eb59dc0a43d914373daf53e4b3b7d6802d06d592875b5ed82f2e1de9920000000344bf54a37ac45696a93a298f09112652c0a3f9faf74950e00c8ef284726c462400000001cb4913c01b6f34c300935dfac715d37c82564b7871310973208ab3cfe08ced7519c470f25e56496cd8a6948793216018e1fa787c9993d3eb316f3a6b59f3367	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394545725"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\SOFTWARE\Microsoft\Internet Explorer\Main	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31049176"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "394545782"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31049176"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0fa1282d8c5d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A4E5E978-31CB-11EE-8BCC-622EADC70FCB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e5329902f41eb4cb41c87cb1666014100000000020000000000106600000001000020000000f32dd48b3d0023a177f8a5ff7b78ca0fa241a3d7130b68ea371b66df94c1671c000000000e80000000020000200000001524393c50e831ef9a6cccf1c3134f6dd26e96024e29c2bf22bd6308dbaa29de20000000ab8fac7b9c7f607e5774d1573ea5eb2840b2b9e79a54f39b5a65b1c764e955ee40000000cda693d81c43a87c0ed14f95b9177e4d9adcec33ae130f1edb4a030c469b957518fa6924e9828e828d8e1811094f888b87eb7e252af476b4551015e736c85283	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2037594468"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "394545894"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2036969472"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2037594468"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ff1982d8c5d901	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3284	cb703ad4579e744a3771e39b08134fff77c5cd172e8b0e11be941b7ccb2199f2.exe
3284	cb703ad4579e744a3771e39b08134fff77c5cd172e8b0e11be941b7ccb2199f2.exe
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3268	Process not Found

Suspicious behavior: MapViewOfSection 25 IoCs

pid	Process
3284	cb703ad4579e744a3771e39b08134fff77c5cd172e8b0e11be941b7ccb2199f2.exe
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found
1356	explorer.exe
1356	explorer.exe
3268	Process not Found
3268	Process not Found
1020	explorer.exe
1020	explorer.exe
3268	Process not Found
3268	Process not Found
404	explorer.exe
404	explorer.exe
3268	Process not Found
3268	Process not Found
4380	explorer.exe
4380	explorer.exe
3268	Process not Found
3268	Process not Found
3268	Process not Found
3268	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3860	WMIC.exe
Token: SeSecurityPrivilege	3860	WMIC.exe
Token: SeTakeOwnershipPrivilege	3860	WMIC.exe
Token: SeLoadDriverPrivilege	3860	WMIC.exe
Token: SeSystemProfilePrivilege	3860	WMIC.exe
Token: SeSystemtimePrivilege	3860	WMIC.exe
Token: SeProfSingleProcessPrivilege	3860	WMIC.exe
Token: SeIncBasePriorityPrivilege	3860	WMIC.exe
Token: SeCreatePagefilePrivilege	3860	WMIC.exe
Token: SeBackupPrivilege	3860	WMIC.exe
Token: SeRestorePrivilege	3860	WMIC.exe
Token: SeShutdownPrivilege	3860	WMIC.exe
Token: SeDebugPrivilege	3860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3860	WMIC.exe
Token: SeRemoteShutdownPrivilege	3860	WMIC.exe
Token: SeUndockPrivilege	3860	WMIC.exe
Token: SeManageVolumePrivilege	3860	WMIC.exe
Token: 33	3860	WMIC.exe
Token: 34	3860	WMIC.exe
Token: 35	3860	WMIC.exe
Token: 36	3860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3860	WMIC.exe
Token: SeSecurityPrivilege	3860	WMIC.exe
Token: SeTakeOwnershipPrivilege	3860	WMIC.exe
Token: SeLoadDriverPrivilege	3860	WMIC.exe
Token: SeSystemProfilePrivilege	3860	WMIC.exe
Token: SeSystemtimePrivilege	3860	WMIC.exe
Token: SeProfSingleProcessPrivilege	3860	WMIC.exe
Token: SeIncBasePriorityPrivilege	3860	WMIC.exe
Token: SeCreatePagefilePrivilege	3860	WMIC.exe
Token: SeBackupPrivilege	3860	WMIC.exe
Token: SeRestorePrivilege	3860	WMIC.exe
Token: SeShutdownPrivilege	3860	WMIC.exe
Token: SeDebugPrivilege	3860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3860	WMIC.exe
Token: SeRemoteShutdownPrivilege	3860	WMIC.exe
Token: SeUndockPrivilege	3860	WMIC.exe
Token: SeManageVolumePrivilege	3860	WMIC.exe
Token: 33	3860	WMIC.exe
Token: 34	3860	WMIC.exe
Token: 35	3860	WMIC.exe
Token: 36	3860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3612	WMIC.exe
Token: SeSecurityPrivilege	3612	WMIC.exe
Token: SeTakeOwnershipPrivilege	3612	WMIC.exe
Token: SeLoadDriverPrivilege	3612	WMIC.exe
Token: SeSystemProfilePrivilege	3612	WMIC.exe
Token: SeSystemtimePrivilege	3612	WMIC.exe
Token: SeProfSingleProcessPrivilege	3612	WMIC.exe
Token: SeIncBasePriorityPrivilege	3612	WMIC.exe
Token: SeCreatePagefilePrivilege	3612	WMIC.exe
Token: SeBackupPrivilege	3612	WMIC.exe
Token: SeRestorePrivilege	3612	WMIC.exe
Token: SeShutdownPrivilege	3612	WMIC.exe
Token: SeDebugPrivilege	3612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3612	WMIC.exe
Token: SeRemoteShutdownPrivilege	3612	WMIC.exe
Token: SeUndockPrivilege	3612	WMIC.exe
Token: SeManageVolumePrivilege	3612	WMIC.exe
Token: 33	3612	WMIC.exe
Token: 34	3612	WMIC.exe
Token: 35	3612	WMIC.exe
Token: 36	3612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3612	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4228	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4228	iexplore.exe
4228	iexplore.exe
4552	IEXPLORE.EXE
4552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 316	3268	Process not Found	72
PID 3268 wrote to memory of 316	3268	Process not Found	72
PID 316 wrote to memory of 3860	316	cmd.exe	74
PID 316 wrote to memory of 3860	316	cmd.exe	74
PID 316 wrote to memory of 3612	316	cmd.exe	75
PID 316 wrote to memory of 3612	316	cmd.exe	75
PID 316 wrote to memory of 1752	316	cmd.exe	76
PID 316 wrote to memory of 1752	316	cmd.exe	76
PID 316 wrote to memory of 4580	316	cmd.exe	77
PID 316 wrote to memory of 4580	316	cmd.exe	77
PID 316 wrote to memory of 1008	316	cmd.exe	78
PID 316 wrote to memory of 1008	316	cmd.exe	78
PID 316 wrote to memory of 4840	316	cmd.exe	81
PID 316 wrote to memory of 4840	316	cmd.exe	81
PID 316 wrote to memory of 3416	316	cmd.exe	82
PID 316 wrote to memory of 3416	316	cmd.exe	82
PID 316 wrote to memory of 2920	316	cmd.exe	83
PID 316 wrote to memory of 2920	316	cmd.exe	83
PID 316 wrote to memory of 2084	316	cmd.exe	84
PID 316 wrote to memory of 2084	316	cmd.exe	84
PID 316 wrote to memory of 2076	316	cmd.exe	85
PID 316 wrote to memory of 2076	316	cmd.exe	85
PID 316 wrote to memory of 4576	316	cmd.exe	86
PID 316 wrote to memory of 4576	316	cmd.exe	86
PID 316 wrote to memory of 3992	316	cmd.exe	87
PID 316 wrote to memory of 3992	316	cmd.exe	87
PID 316 wrote to memory of 3564	316	cmd.exe	88
PID 316 wrote to memory of 3564	316	cmd.exe	88
PID 316 wrote to memory of 2980	316	cmd.exe	89
PID 316 wrote to memory of 2980	316	cmd.exe	89
PID 316 wrote to memory of 5112	316	cmd.exe	90
PID 316 wrote to memory of 5112	316	cmd.exe	90
PID 316 wrote to memory of 600	316	cmd.exe	91
PID 316 wrote to memory of 600	316	cmd.exe	91
PID 316 wrote to memory of 4340	316	cmd.exe	92
PID 316 wrote to memory of 4340	316	cmd.exe	92
PID 316 wrote to memory of 4592	316	cmd.exe	93
PID 316 wrote to memory of 4592	316	cmd.exe	93
PID 316 wrote to memory of 4356	316	cmd.exe	95
PID 316 wrote to memory of 4356	316	cmd.exe	95
PID 316 wrote to memory of 2984	316	cmd.exe	96
PID 316 wrote to memory of 2984	316	cmd.exe	96
PID 2984 wrote to memory of 2668	2984	net.exe	97
PID 2984 wrote to memory of 2668	2984	net.exe	97
PID 316 wrote to memory of 4880	316	cmd.exe	98
PID 316 wrote to memory of 4880	316	cmd.exe	98
PID 4880 wrote to memory of 820	4880	net.exe	99
PID 4880 wrote to memory of 820	4880	net.exe	99
PID 316 wrote to memory of 2340	316	cmd.exe	100
PID 316 wrote to memory of 2340	316	cmd.exe	100
PID 2340 wrote to memory of 1220	2340	net.exe	101
PID 2340 wrote to memory of 1220	2340	net.exe	101
PID 316 wrote to memory of 3252	316	cmd.exe	102
PID 316 wrote to memory of 3252	316	cmd.exe	102
PID 3252 wrote to memory of 2892	3252	net.exe	103
PID 3252 wrote to memory of 2892	3252	net.exe	103
PID 316 wrote to memory of 4344	316	cmd.exe	104
PID 316 wrote to memory of 4344	316	cmd.exe	104
PID 316 wrote to memory of 4192	316	cmd.exe	105
PID 316 wrote to memory of 4192	316	cmd.exe	105
PID 4192 wrote to memory of 1320	4192	net.exe	106
PID 4192 wrote to memory of 1320	4192	net.exe	106
PID 316 wrote to memory of 4184	316	cmd.exe	107
PID 316 wrote to memory of 4184	316	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\cb703ad4579e744a3771e39b08134fff77c5cd172e8b0e11be941b7ccb2199f2.exe
"C:\Users\Admin\AppData\Local\Temp\cb703ad4579e744a3771e39b08134fff77c5cd172e8b0e11be941b7ccb2199f2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3284

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  2⤵
  PID:1752
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  2⤵
  PID:4580
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  2⤵
  PID:1008
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  2⤵
  PID:4840
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  2⤵
  PID:3416
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  2⤵
  PID:2920
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  2⤵
  PID:2084
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  2⤵
  PID:2076
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  2⤵
  PID:4576
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  2⤵
  PID:3992
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  2⤵
  PID:3564
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  2⤵
  PID:2980
- C:\Windows\system32\ipconfig.exe
  ipconfig /displaydns
  2⤵
  - Gathers network information
  PID:5112
- C:\Windows\system32\ROUTE.EXE
  route print
  2⤵
  PID:600
- C:\Windows\system32\netsh.exe
  netsh firewall show state
  2⤵
  - Modifies Windows Firewall
  PID:4340
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:4592
- C:\Windows\system32\tasklist.exe
  tasklist /v
  2⤵
  - Enumerates processes with tasklist
  PID:4356
- C:\Windows\system32\net.exe
  net accounts /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 accounts /domain
    3⤵
    PID:2668
- C:\Windows\system32\net.exe
  net share
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share
    3⤵
    PID:820
- C:\Windows\system32\net.exe
  net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:1220
- C:\Windows\system32\net.exe
  net user /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /domain
    3⤵
    PID:2892
- C:\Windows\system32\net.exe
  net use
  2⤵
  PID:4344
- C:\Windows\system32\net.exe
  net group
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group
    3⤵
    PID:1320
- C:\Windows\system32\net.exe
  net localgroup
  2⤵
  PID:4184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup
    3⤵
    PID:3308
- C:\Windows\system32\NETSTAT.EXE
  netstat -r
  2⤵
  - Gathers network information
  PID:1212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
    3⤵
    PID:652
  - - C:\Windows\system32\ROUTE.EXE
      C:\Windows\system32\route.exe print
      4⤵
      PID:3732
- C:\Windows\system32\NETSTAT.EXE
  netstat -nao
  2⤵
  - Gathers network information
  PID:2408
- C:\Windows\system32\schtasks.exe
  schtasks /query
  2⤵
  PID:2428
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:4464

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4228
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4228 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4552

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3064

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2528

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1356

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1020

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:404

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4380

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4736

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
6b5f38d2860debf21b5bd969669d864a

SHA1
63b82fbada2ac0c1fe421db939687b3e15143c92

SHA256
9974b3ced043323550037e294cbaa56c8bc865586c5c811a9397a94a9bb2f5ac

SHA512
e18cc742219983947cb72f0aa96277c43f2dd798e88d9a83dbc3ad5525867e34702827b4c61ad9a532dfe5d29ec271c95df68b1c6081379e08ceb025600fb434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
da4d550ef82de26daaec06916bf48a15

SHA1
d3b8622e29e368e864354d8e1ec8a2fa2c71c204

SHA256
f7e815d685998585cfdb39e311e6342cf110fe7757e01e93be0f89b5de1b0f34

SHA512
d2aa13d3935050401c3e00eca90b75347f957eafb588ee36564690f38e6feb081a9c1a91cfa141a2f75067a7bf5fc4bb937d0d1893b716f2e811d2ac5c37d596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verDF3F.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
memory/404-203-0x00000000032F0000-0x00000000032F9000-memory.dmp

Filesize
36KB

Download
memory/404-189-0x0000000003300000-0x0000000003305000-memory.dmp

Filesize
20KB

Download
memory/404-188-0x00000000032F0000-0x00000000032F9000-memory.dmp

Filesize
36KB

Download
memory/1020-202-0x0000000000DC0000-0x0000000000DCF000-memory.dmp

Filesize
60KB

Download
memory/1020-201-0x0000000000DD0000-0x0000000000DD9000-memory.dmp

Filesize
36KB

Download
memory/1020-186-0x0000000000DD0000-0x0000000000DD9000-memory.dmp

Filesize
36KB

Download
memory/1020-187-0x0000000000DC0000-0x0000000000DCF000-memory.dmp

Filesize
60KB

Download
memory/1356-183-0x0000000003300000-0x0000000003307000-memory.dmp

Filesize
28KB

Download
memory/1356-184-0x00000000032F0000-0x00000000032FB000-memory.dmp

Filesize
44KB

Download
memory/1356-195-0x0000000003300000-0x0000000003307000-memory.dmp

Filesize
28KB

Download
memory/1356-185-0x00000000032F0000-0x00000000032FB000-memory.dmp

Filesize
44KB

Download
memory/2528-178-0x0000000000D40000-0x0000000000D47000-memory.dmp

Filesize
28KB

Download
memory/2528-180-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/2528-181-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/3064-163-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3064-165-0x0000000000190000-0x00000000001FB000-memory.dmp

Filesize
428KB

Download
memory/3064-182-0x0000000000190000-0x00000000001FB000-memory.dmp

Filesize
428KB

Download
memory/3268-120-0x0000000000870000-0x0000000000886000-memory.dmp

Filesize
88KB

Download
memory/3268-134-0x0000000002760000-0x000000000276F000-memory.dmp

Filesize
60KB

Download
memory/3268-138-0x0000000002760000-0x000000000276F000-memory.dmp

Filesize
60KB

Download
memory/3284-117-0x00000000024A0000-0x00000000024B5000-memory.dmp

Filesize
84KB

Download
memory/3284-121-0x0000000000400000-0x0000000002437000-memory.dmp

Filesize
32.2MB

Download
memory/3284-118-0x00000000024C0000-0x00000000024C9000-memory.dmp

Filesize
36KB

Download
memory/3284-119-0x0000000000400000-0x0000000002437000-memory.dmp

Filesize
32.2MB

Download
memory/3284-125-0x00000000024C0000-0x00000000024C9000-memory.dmp

Filesize
36KB

Download
memory/3284-126-0x00000000024A0000-0x00000000024B5000-memory.dmp

Filesize
84KB

Download
memory/3736-197-0x0000000000550000-0x0000000000557000-memory.dmp

Filesize
28KB

Download
memory/3736-198-0x0000000000540000-0x000000000054D000-memory.dmp

Filesize
52KB

Download
memory/3736-205-0x0000000000540000-0x000000000054D000-memory.dmp

Filesize
52KB

Download
memory/4380-192-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/4380-191-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/4380-190-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/4380-204-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/4736-194-0x00000000003B0000-0x00000000003BB000-memory.dmp

Filesize
44KB

Download
memory/4736-196-0x00000000003B0000-0x00000000003BB000-memory.dmp

Filesize
44KB

Download
memory/4736-193-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download