Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system -
submitted
08/10/2023, 11:04
Static task
static1
Behavioral task
behavioral1
Sample
5086dde757947a8b62ce0a7b39fe01dbdaceaf90edb1ea5589833a79b82471ac.exe
Resource
win10v2004-20230915-en
General
-
Target
5086dde757947a8b62ce0a7b39fe01dbdaceaf90edb1ea5589833a79b82471ac.exe
-
Size
288KB
-
MD5
44cad3753db6dfdf68a61dda7583fb24
-
SHA1
cc6b309afa20c1aa47ad040b5948c3bb223c3d2c
-
SHA256
5086dde757947a8b62ce0a7b39fe01dbdaceaf90edb1ea5589833a79b82471ac
-
SHA512
08eaa46f565f42e4c9eee4bca45af4de39ee3e92c3312fd954c60fa4fd0b4bd3f52ccfccbbf5e291f669837701bab24220ebf651aedfec7f95745a6c16004436
-
SSDEEP
3072:DcSin8xWnDYovrV6FNlACYYJt/2VkPEyWtIxEpwzQjS4/a9:riuWc+rV6/+CYyeuPENTpA
Malware Config
Extracted
smokeloader
0024
Extracted
smokeloader
2022
https://utah-saints.com/search.php
https://atlanta-newspaper.com/search.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 112 netsh.exe -
Executes dropped EXE 1 IoCs
pid Process 4688 vwhdfww -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5086dde757947a8b62ce0a7b39fe01dbdaceaf90edb1ea5589833a79b82471ac.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5086dde757947a8b62ce0a7b39fe01dbdaceaf90edb1ea5589833a79b82471ac.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5086dde757947a8b62ce0a7b39fe01dbdaceaf90edb1ea5589833a79b82471ac.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 3976 tasklist.exe -
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
pid Process
3760 ipconfig.exe
4848 NETSTAT.EXE
3608 NETSTAT.EXE
1476 ipconfig.exe
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 4532 systeminfo.exe -
Modifies Internet Explorer settings
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3144 Process not Found -
Suspicious behavior: MapViewOfSection 25 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4128 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
4128 iexplore.exe
4128 iexplore.exe
976 IEXPLORE.EXE
976 IEXPLORE.EXE
-
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3144 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5086dde757947a8b62ce0a7b39fe01dbdaceaf90edb1ea5589833a79b82471ac.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\5086dde757947a8b62ce0a7b39fe01dbdaceaf90edb1ea5589833a79b82471ac.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:432
-
C:\Windows\system32\cmd.exe
  cmdline: cmd
  - Suspicious use of WriteProcessMemory
  PID:5028
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
      - Suspicious use of AdjustPrivilegeToken
      PID:2692
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
      - Suspicious use of AdjustPrivilegeToken
      PID:1056
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
      PID:1008
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
      PID:4908
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
      PID:4672
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
      PID:4168
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
      PID:1832
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
      PID:1472
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
      PID:1636
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
      PID:3356
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
      PID:796
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
      PID:4492
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
      PID:1332
    C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
      PID:4612
    C:\Windows\system32\ipconfig.exe
      cmdline: ipconfig /displaydns
      - Gathers network information
      PID:3760
    C:\Windows\system32\ROUTE.EXE
      cmdline: route print
      PID:1844
    C:\Windows\system32\netsh.exe
      cmdline: netsh firewall show state
      - Modifies Windows Firewall
      PID:112
    C:\Windows\system32\systeminfo.exe
      cmdline: systeminfo
      - Gathers system information
      PID:4532
    C:\Windows\system32\tasklist.exe
      cmdline: tasklist /v
      - Enumerates processes with tasklist
      PID:3976
    C:\Windows\system32\net.exe
      cmdline: net accounts /domain
      - Suspicious use of WriteProcessMemory
      PID:4944
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 accounts /domain
          PID:4844
    C:\Windows\system32\net.exe
      cmdline: net share
      - Suspicious use of WriteProcessMemory
      PID:2692
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 share
          PID:264
    C:\Windows\system32\net.exe
      cmdline: net user
      - Suspicious use of WriteProcessMemory
      PID:1056
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 user
          PID:3240
    C:\Windows\system32\net.exe
      cmdline: net user /domain
      - Suspicious use of WriteProcessMemory
      PID:5036
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 user /domain
          PID:4504
    C:\Windows\system32\net.exe
      cmdline: net use
      PID:4908
    C:\Windows\system32\net.exe
      cmdline: net group
      - Suspicious use of WriteProcessMemory
      PID:2092
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 group
          PID:4884
    C:\Windows\system32\net.exe
      cmdline: net localgroup
      PID:4560
        C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 localgroup
          PID:3228
    C:\Windows\system32\NETSTAT.EXE
      cmdline: netstat -r
      - Gathers network information
      PID:4848
        C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
          PID:2896
            C:\Windows\system32\ROUTE.EXE
              cmdline: C:\Windows\system32\route.exe print
              PID:4652
    C:\Windows\system32\NETSTAT.EXE
      cmdline: netstat -nao
      - Gathers network information
      PID:3608
    C:\Windows\system32\schtasks.exe
      cmdline: schtasks /query
      PID:244
    C:\Windows\system32\ipconfig.exe
      cmdline: ipconfig /all
      - Gathers network information
      PID:1476
-
C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  PID:3604
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  cmdline: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
  PID:3324
-
C:\Program Files\Internet Explorer\iexplore.exe
  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4128
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4128 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID:976
-
C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:636
-
C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  PID:2608
-
C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection
  PID:1844
-
C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection
  PID:3544
-
C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection
  PID:1560
-
C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection
  PID:3840
-
C:\Windows\SysWOW64\explorer.exe
  cmdline: C:\Windows\SysWOW64\explorer.exe
  PID:4508
-
C:\Windows\explorer.exe
  cmdline: C:\Windows\explorer.exe
  PID:2052
-
C:\Windows\system32\rundll32.exe
  cmdline: C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
  PID:3492
-
C:\Users\Admin\AppData\Roaming\vwhdfww
  cmdline: C:\Users\Admin\AppData\Roaming\vwhdfww
  - Executes dropped EXE
  PID:4688
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize 338B
MD5 f6b23e6e40ee93c0b23be23d8e97eee6
SHA1 7e2c621e982de2feea923dce40642e3a12951fd0
SHA256 fe3ee935e793217eb2f48575920d24c59aaaa852db70445897ce844155fd9494
SHA512 94096682733ea16b9800fa492120c29e6c2502cea7f6e7996ea00a345ac3accfde8a613b39734c6ba9890820bb7f63a79e16a049c8232b19fb2ed6be6f75705d
-
Filesize 15KB
MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize 17KB
MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize 288KB
MD5 44cad3753db6dfdf68a61dda7583fb24
SHA1 cc6b309afa20c1aa47ad040b5948c3bb223c3d2c
SHA256 5086dde757947a8b62ce0a7b39fe01dbdaceaf90edb1ea5589833a79b82471ac
SHA512 08eaa46f565f42e4c9eee4bca45af4de39ee3e92c3312fd954c60fa4fd0b4bd3f52ccfccbbf5e291f669837701bab24220ebf651aedfec7f95745a6c16004436
-
Filesize 288KB
MD5 44cad3753db6dfdf68a61dda7583fb24
SHA1 cc6b309afa20c1aa47ad040b5948c3bb223c3d2c
SHA256 5086dde757947a8b62ce0a7b39fe01dbdaceaf90edb1ea5589833a79b82471ac
SHA512 08eaa46f565f42e4c9eee4bca45af4de39ee3e92c3312fd954c60fa4fd0b4bd3f52ccfccbbf5e291f669837701bab24220ebf651aedfec7f95745a6c16004436