Analysis
max time kernel: 150s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19/10/2022, 14:11
Behavioral task behavioral1
Sample: a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Resource: win10v2004-20220812-en
General
Target: a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Size: 427KB
MD5: a10a571e2ede354e506dbc197124cf00
SHA1: f906f361516ccac006b8e54ccb4bbb8fbba38a26
SHA256: a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece
SHA512: 5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342
SSDEEP: 12288:6rE8cPDVurpbwA4VcjBNo4r1ex6tAmhZwwKo:bhurpbwALx1EaAmDwno
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\jre\\smartlogon.exe"
  process: a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  1504  smartlogon.exe
  336   smartlogon.exe
yara_rule upx matches (19 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1232-56-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
  behavioral1/memory/1232-58-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
  behavioral1/memory/1368-59-0x0000000000400000-0x000000000052B000-memory.dmp   upx
  behavioral1/memory/1232-60-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
  behavioral1/memory/1232-62-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
  behavioral1/memory/1232-63-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
  behavioral1/files/0x000a000000012324-64.dat                                   upx
  behavioral1/files/0x000a000000012324-65.dat                                   upx
  behavioral1/files/0x000a000000012324-67.dat                                   upx
  behavioral1/memory/1232-68-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
  behavioral1/memory/1504-71-0x0000000000400000-0x000000000052B000-memory.dmp   upx
  behavioral1/files/0x000a000000012324-72.dat                                   upx
  behavioral1/files/0x000a000000012324-73.dat                                   upx
  behavioral1/memory/1504-78-0x0000000000400000-0x000000000052B000-memory.dmp   upx
  behavioral1/files/0x000a000000012324-76.dat                                   upx
  behavioral1/memory/336-80-0x0000000000400000-0x00000000004C5000-memory.dmp    upx
  behavioral1/memory/336-81-0x0000000000400000-0x00000000004C5000-memory.dmp    upx
  behavioral1/memory/336-82-0x0000000000400000-0x00000000004C5000-memory.dmp    upx
  behavioral1/memory/336-83-0x0000000000400000-0x00000000004C5000-memory.dmp    upx
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                      Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  smartlogon.exe
Loads dropped DLL (3 IoCs)
  pid   Process
  1232  a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
  1232  a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
  1504  smartlogon.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                  Process
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run  a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SmartLogOn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jre\\smartlogon.exe"  a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 1368 set thread context of 1232  1368  a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe  27
  PID 1504 set thread context of 336   1504  smartlogon.exe                                                          29
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     smartlogon.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  smartlogon.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           smartlogon.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     smartlogon.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
  description        ioc                                                   Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  smartlogon.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  pid 1232, Process a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe, tokens enabled:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  pid 336, Process smartlogon.exe, tokens enabled:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1368  a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
  1504  smartlogon.exe
Suspicious use of WriteProcessMemory (22 IoCs; identical entries collapsed with a count)
  description                       pid   Process                                                                 procid_target  count
  PID 1368 wrote to memory of 1232  1368  a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe  27             9
  PID 1232 wrote to memory of 1504  1232  a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe  28             4
  PID 1504 wrote to memory of 336   1504  smartlogon.exe                                                          29             9
Processes
C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe (depth 1, PID 1368)
  command line: "C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe (depth 2, PID 1232)
    command line: C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe (depth 3, PID 1504)
      command line: "C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe (depth 4, PID 336)
        command line: C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 427KB
MD5: a10a571e2ede354e506dbc197124cf00
SHA1: f906f361516ccac006b8e54ccb4bbb8fbba38a26
SHA256: a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece
SHA512: 5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342