Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/10/2023, 21:16
Static task: static1
Behavioral task: behavioral1
Sample: 2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe
Resource: win10v2004-20230915-en

General
Target: 2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe
Size: 288KB
MD5: 870454d6dc60474e5c98db3a6551aa52
SHA1: 5f4cab81e841059908b4a252740dbfec429f1d8c
SHA256: 2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c
SHA512: e3a6397090b3bb82de407b1b43d21c47161097bf4deee407e862f7baf65b319db83aabd5a92be12ffff373d907966f060b5ad2aad5a6c6d2b967e7fef23d0c83
SSDEEP: 3072:3aqUIlWrtEgY1HVxRwDRwXalOJTpr7f2rz7mImr4Z:Kq5W2l1HVxRwDqKI4/Bmr
Malware Config
Extracted: smokeloader (0024)
Extracted: smokeloader (2022), C2 URLs:
  https://utah-saints.com/search.php
  https://atlanta-newspaper.com/search.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid 2856 netsh.exe
  Caveat: the only netsh command in the process tree below is netsh firewall show state, which reads the firewall state and changes nothing. The signature fires on the netsh firewall invocation itself, so treat this as firewall discovery rather than a confirmed modification.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
  Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
  Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments; such checks typically look for virtualisation vendor strings (VMware, VBOX, QEMU and the like) in the disk identifiers stored under this key.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe)
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe)
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe)
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid 3008 tasklist.exe
- Gathers network information (2 TTPs, 4 IoCs)
  Uses a command-line utility to view the network configuration.
  pid 4432 ipconfig.exe; pid 1616 NETSTAT.EXE; pid 4128 NETSTAT.EXE; pid 4208 ipconfig.exe
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
  pid 2576 systeminfo.exe
- Modifies Internet Explorer settings
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31062371" (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3442254324" (iexplore.exe)
  Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f00000000020000000000106600000001000020000000fdb2ab35a8c988cf9cfeac17b3afc59127ff0fbb673566085d5b25f0b9620c4b000000000e80000000020000200000009fa8adb29676135a720974ab9845c8e67c9237e923bfc679ad915cfa0d28a88c1000000079567b6821ad4a7bb37ea93b5635640540000000d3ba1fb0ebcc87748e4448e19d312850c39b3d127629b07795db675c478e23acbf1b32e943044fb9888fe0fe41079625ece518fb0357da0d3254a7f66e7c3666 (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31062371" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (IEXPLORE.EXE)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\SearchScopes (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\User Preferences (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
  Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5086b7cf63f9d901 (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3449600497" (IEXPLORE.EXE)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" (iexplore.exe)
  Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = (value not present on the page) (iexplore.exe)
  Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f00000000020000000000106600000001000020000000fd0d0532c205348cdb28ddf853527d9561b821edf0908b1a968c8fa042ac6fea000000000e8000000002000020000000cbe5d8279ad25734579e1f0982790356b87aec91653749387b4ccf3fac5966d6200000006d1066f0f4fbbc46894cb88a9a957dd7ce6c929f7215f8d777526946d089747140000000fdbec1c4164233a9bdb6bfca07500bfa853afab0c3cc7626da149199ca8ec081a70859783cbe36c9354665284e8c309bfc6b1c8b4a95d4b57aa8d145e3b84528 (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F8B4CB60-6556-11EE-83FE-DA5D5E1D8AF4} = "0" (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\GPU (IEXPLORE.EXE)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager (IEXPLORE.EXE)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31062371" (IEXPLORE.EXE)
  Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f000000000200000000001066000000010000200000004ae85b54e4871bafbdab88c0505d94c9a2fd275a84f2677bbf6545d7827c1c3f000000000e80000000020000200000004c574be6d9a0ff2fcd6acc36b5c2a968bf87b21d8db5c9afa02e023cc25483c020000000b0bbfb4a823d27279646eafbe75620a0914844261557e724373c8cc136816aec40000000161e8a13fdd157f26b204d4108066335e2bb1495c90dfeed4538d204f7752c54d5cabe7955c69095cf5c5ab6ab8fd7fbc3aaecf5759e69b8ebd76891b407a828 (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403478446" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3442254324" (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main (Process not Found)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
  Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 042d5e82d5e7d901 (iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" (iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" (Process not Found)
  Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b7c5cf63f9d901 (iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2952 2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe (2 entries); pid 748 Process not Found (62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 748 Process not Found
- Suspicious behavior: MapViewOfSection (25 IoCs, in the order recorded)
  pid 2952 2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe (1); pid 748 Process not Found (6); pid 4692 explorer.exe (2); pid 748 Process not Found (2); pid 4380 explorer.exe (2); pid 748 Process not Found (2); pid 1220 explorer.exe (2); pid 748 Process not Found (2); pid 3268 explorer.exe (2); pid 748 Process not Found (4)
  The alternation between the unresolved PID 748 and pairs of explorer.exe entries is consistent with section-mapping injection into the explorer.exe instances listed in the process tree below.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Privilege set enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 1508 WMIC.exe: the set above, recorded twice (42 entries)
  pid 3904 WMIC.exe: the set above once, then SeIncreaseQuotaPrivilege again (22 entries)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 384 iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 384 iexplore.exe (2); pid 1804 IEXPLORE.EXE (2)
- Suspicious use of UnmapMainImage (1 IoCs)
  pid 748 Process not Found
- Suspicious use of WriteProcessMemory (64 IoCs; every parent/child pair is recorded twice, the 32 distinct pairs are listed once)
  PID 748 (Process not Found) wrote to memory of 1916 cmd.exe
  PID 1916 cmd.exe wrote to memory of 1508, 3904, 3120, 4448, 384, 2000, 4580, 3740, 3940, 1652, 4912, 900, 4856, 1328, 4432, 1320, 2856, 2576, 3008, 3252, 856, 1716, 3380, 5040, 3040, 2504 (its 26 child processes in the tree below)
  PID 3252 net.exe wrote to memory of 2252
  PID 856 net.exe wrote to memory of 3784
  PID 1716 net.exe wrote to memory of 4476
  PID 3380 net.exe wrote to memory of 2400
  PID 3040 net.exe wrote to memory of 2028
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- outlook_office_path (1 IoCs)
  Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
- outlook_win_path (1 IoCs)
  Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (explorer.exe)
Processes
- PID 2952  C:\Users\Admin\AppData\Local\Temp\2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2daaf257e213312ec2433b1a5f5ec1e0f47a88bc7a4f4f2ed86b06a84cd48a5c.exe"
  signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- PID 1916  C:\Windows\system32\cmd.exe
  cmdline: cmd
  signatures: Suspicious use of WriteProcessMemory
  - PID 1508  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
    signatures: Suspicious use of AdjustPrivilegeToken
  - PID 3904  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
    signatures: Suspicious use of AdjustPrivilegeToken
  - PID 3120  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  - PID 4448  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  - PID 384  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  - PID 2000  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  - PID 4580  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  - PID 3740  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  - PID 3940  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  - PID 1652  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  - PID 4912  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  - PID 900  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  - PID 4856  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  - PID 1328  C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  - PID 4432  C:\Windows\system32\ipconfig.exe
    cmdline: ipconfig /displaydns
    signatures: Gathers network information
  - PID 1320  C:\Windows\system32\ROUTE.EXE
    cmdline: route print
  - PID 2856  C:\Windows\system32\netsh.exe
    cmdline: netsh firewall show state
    signatures: Modifies Windows Firewall
  - PID 2576  C:\Windows\system32\systeminfo.exe
    cmdline: systeminfo
    signatures: Gathers system information
  - PID 3008  C:\Windows\system32\tasklist.exe
    cmdline: tasklist /v
    signatures: Enumerates processes with tasklist
  - PID 3252  C:\Windows\system32\net.exe
    cmdline: net accounts /domain
    signatures: Suspicious use of WriteProcessMemory
    - PID 2252  C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 accounts /domain
  - PID 856  C:\Windows\system32\net.exe
    cmdline: net share
    signatures: Suspicious use of WriteProcessMemory
    - PID 3784  C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 share
  - PID 1716  C:\Windows\system32\net.exe
    cmdline: net user
    signatures: Suspicious use of WriteProcessMemory
    - PID 4476  C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user
  - PID 3380  C:\Windows\system32\net.exe
    cmdline: net user /domain
    signatures: Suspicious use of WriteProcessMemory
    - PID 2400  C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user /domain
  - PID 5040  C:\Windows\system32\net.exe
    cmdline: net use
  - PID 3040  C:\Windows\system32\net.exe
    cmdline: net group
    signatures: Suspicious use of WriteProcessMemory
    - PID 2028  C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 group
  - PID 2504  C:\Windows\system32\net.exe
    cmdline: net localgroup
    - PID 1820  C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 localgroup
  - PID 1616  C:\Windows\system32\NETSTAT.EXE
    cmdline: netstat -r
    signatures: Gathers network information
    - PID 2136  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      - PID 1628  C:\Windows\system32\ROUTE.EXE
        cmdline: C:\Windows\system32\route.exe print
  - PID 4128  C:\Windows\system32\NETSTAT.EXE
    cmdline: netstat -nao
    signatures: Gathers network information
  - PID 3888  C:\Windows\system32\schtasks.exe
    cmdline: schtasks /query
  - PID 4208  C:\Windows\system32\ipconfig.exe
    cmdline: ipconfig /all
    signatures: Gathers network information
- PID 1144  C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
- PID 2184  C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
- PID 384  C:\Program Files\Internet Explorer\iexplore.exe
  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - PID 1804  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:384 CREDAT:17410 /prefetch:2
    signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- PID 4504  C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  signatures: Accesses Microsoft Outlook profiles; outlook_office_path; outlook_win_path
- PID 4332  C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
- PID 4692  C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  signatures: Suspicious behavior: MapViewOfSection
- PID 4380  C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  signatures: Suspicious behavior: MapViewOfSection
- PID 1220  C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  signatures: Suspicious behavior: MapViewOfSection
- PID 3268  C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  signatures: Suspicious behavior: MapViewOfSection
- PID 1688  C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
- PID 3040  C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
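The cmd.exe subtree above is a scripted host-discovery batch: security-product enumeration through the root\SecurityCenter2 WMI namespace, then OS, hardware, installed-software, account, share, network and scheduled-task enumeration, all launched from one cmd.exe (PID 1916) that had itself been written to by the unresolved PID 748. What a detection engineer wants to catch is that shape, not the exact command list. The detector below is an added example written for this page, not Triage or SmokeLoader code; it runs over constructed process-creation events modelled on the tree (the event schema, the timestamps, the category names and the window and threshold values are assumptions) and raises one alert per parent process whose children cover several discovery categories inside a short window, while a lone ipconfig /all from a different parent stays quiet.

```python
"""Flag a scripted host-discovery burst: one parent spawning many recon utilities.

Added example for this report, not Triage or SmokeLoader code. The events at the
bottom are constructed to mirror the cmd.exe (PID 1916) subtree; field names,
timestamps, category labels and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (category, pattern) pairs, tried in order against "image cmdline" in lower case.
DISCOVERY_RULES = [
    ("security_software", re.compile(r"wmic\.exe .*securitycenter2.*(antivirusproduct|firewallproduct|antispywareproduct)")),
    ("security_software", re.compile(r"netsh\.exe .*firewall show")),
    ("system_info", re.compile(r"wmic\.exe .*(win32_operatingsystem|win32_computersystem|win32_processor|win32_volume|win32_product|win32_pnpentity)")),
    ("system_info", re.compile(r"systeminfo\.exe")),
    ("process", re.compile(r"tasklist\.exe|wmic\.exe .*win32_process\b")),
    ("network", re.compile(r"ipconfig\.exe|netstat\.exe|route\.exe|wmic\.exe .*win32_networkadapter")),
    ("account", re.compile(r"\bnet1?\s+(accounts|user|group|localgroup|share|use)\b|wmic\.exe .*(win32_useraccount|win32_groupuser)")),
    ("persistence_enum", re.compile(r"schtasks\.exe .*/query|wmic\.exe .*win32_startupcommand")),
]


def classify(image, cmdline):
    """Return the discovery category of a process, or None if it is not a discovery command."""
    text = f"{image.lower()} {cmdline.lower()}"
    for category, pattern in DISCOVERY_RULES:
        if pattern.search(text):
            return category
    return None


def is_security_software_discovery(image, cmdline):
    """True for the SecurityCenter2 and netsh firewall queries (ATT&CK T1518.001 behaviour)."""
    return classify(image, cmdline) == "security_software"


def detect_discovery_burst(events, window=timedelta(seconds=120), min_categories=4):
    """One alert per parent PID whose discovery children cover >= min_categories
    distinct categories inside some window-long interval.

    events: iterable of dicts with keys ts (datetime), pid, ppid, image, cmdline.
    """
    by_parent = defaultdict(list)
    for ev in events:
        category = classify(ev["image"], ev["cmdline"])
        if category:
            by_parent[ev["ppid"]].append((ev["ts"], category, ev["cmdline"]))

    alerts = []
    for ppid, hits in by_parent.items():
        hits.sort()  # chronological
        best, start = None, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            cats = {c for _, c, _ in hits[start:end + 1]}
            if len(cats) >= min_categories and (best is None or len(cats) > len(best["categories"])):
                best = {
                    "ppid": ppid,
                    "categories": sorted(cats),
                    "commands": [cmd for _, _, cmd in hits[start:end + 1]],
                    "span_seconds": (hits[end][0] - hits[start][0]).total_seconds(),
                }
        if best:
            alerts.append(best)
    return alerts


# Constructed events modelled on the report's cmd.exe subtree (timestamps assumed).
T0 = datetime(2023, 10, 7, 21, 16, 0)


def _ev(sec, pid, ppid, image, cmdline):
    return {"ts": T0 + timedelta(seconds=sec), "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    _ev(0, 1508, 1916, "WMIC.exe", r"wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv"),
    _ev(1, 3904, 1916, "WMIC.exe", r"wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv"),
    _ev(2, 4448, 1916, "WMIC.exe", r"wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv"),
    _ev(3, 3940, 1916, "WMIC.exe", r"wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv"),
    _ev(5, 4432, 1916, "ipconfig.exe", "ipconfig /displaydns"),
    _ev(6, 2856, 1916, "netsh.exe", "netsh firewall show state"),
    _ev(7, 2576, 1916, "systeminfo.exe", "systeminfo"),
    _ev(8, 3008, 1916, "tasklist.exe", "tasklist /v"),
    _ev(9, 3252, 1916, "net.exe", "net accounts /domain"),
    _ev(9, 2252, 3252, "net1.exe", r"C:\Windows\system32\net1 accounts /domain"),
    _ev(12, 4128, 1916, "NETSTAT.EXE", "netstat -nao"),
    _ev(14, 3888, 1916, "schtasks.exe", "schtasks /query"),
    # benign: an administrator checking one address from another parent, an hour later
    _ev(3600, 6100, 5000, "ipconfig.exe", "ipconfig /all"),
]


if __name__ == "__main__":
    for alert in detect_discovery_burst(SAMPLE_EVENTS):
        print(f"parent {alert['ppid']}: {len(alert['commands'])} discovery commands in "
              f"{alert['span_seconds']:.0f}s covering {', '.join(alert['categories'])}")
```

Feed it from Sysmon Event ID 1 or Security 4688 records after mapping their parent PID, image, command line and timestamp fields onto the dict shape used here. The SecurityCenter2 query alone is worth a standalone alert: benign software rarely spawns wmic.exe to list AntiVirusProduct, FirewallProduct and AntiSpywareProduct, and the net.exe to net1.exe hop in the tree is normal and must not be counted as a second parent.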
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Filesize: 4KB
  MD5: da597791be3b6e732f0bc8b20e38ee62
  SHA1: 1125c45d285c360542027d7554a5c442288974de
  SHA256: 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
  SHA512: d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e
- (no path listed)
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee