Analysis
max time kernel: 153s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/10/2022, 14:11
Behavioral task behavioral1
Sample: a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Resource: win10v2004-20220812-en
General
Target: a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Size: 427KB
MD5: a10a571e2ede354e506dbc197124cf00
SHA1: f906f361516ccac006b8e54ccb4bbb8fbba38a26
SHA256: a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece
SHA512: 5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342
SSDEEP: 12288:6rE8cPDVurpbwA4VcjBNo4r1ex6tAmhZwwKo:bhurpbwALx1EaAmDwno
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\jre\\smartlogon.exe" | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Executes dropped EXE 2 IoCs
pid | Process
4044 | smartlogon.exe
4808 | smartlogon.exe
resource | yara_rule
behavioral2/memory/4916-134-0x0000000000400000-0x000000000052B000-memory.dmp | upx
behavioral2/memory/4868-136-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/4868-137-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/4916-138-0x0000000000400000-0x000000000052B000-memory.dmp | upx
behavioral2/memory/4868-139-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/4868-140-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/4868-141-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/files/0x000300000001e64b-144.dat | upx
behavioral2/files/0x000300000001e64b-143.dat | upx
behavioral2/memory/4868-147-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/4044-148-0x0000000000400000-0x000000000052B000-memory.dmp | upx
behavioral2/files/0x000300000001e64b-151.dat | upx
behavioral2/memory/4808-154-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/4044-153-0x0000000000400000-0x000000000052B000-memory.dmp | upx
behavioral2/memory/4808-155-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/4808-157-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/4808-156-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
behavioral2/memory/4808-158-0x0000000000400000-0x00000000004C5000-memory.dmp | upx
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | smartlogon.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmartLogOn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jre\\smartlogon.exe" | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4916 set thread context of 4868 | 4916 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 82
PID 4044 set thread context of 4808 | 4044 | smartlogon.exe | 86
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | smartlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | smartlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | smartlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | smartlogon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | smartlogon.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeSecurityPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeTakeOwnershipPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeLoadDriverPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeSystemProfilePrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeSystemtimePrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeProfSingleProcessPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeIncBasePriorityPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeCreatePagefilePrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeBackupPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeRestorePrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeShutdownPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeDebugPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeSystemEnvironmentPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeChangeNotifyPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeRemoteShutdownPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeUndockPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeManageVolumePrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeImpersonatePrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeCreateGlobalPrivilege | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: 33 | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: 34 | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: 35 | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: 36 | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Token: SeIncreaseQuotaPrivilege | 4808 | smartlogon.exe
Token: SeSecurityPrivilege | 4808 | smartlogon.exe
Token: SeTakeOwnershipPrivilege | 4808 | smartlogon.exe
Token: SeLoadDriverPrivilege | 4808 | smartlogon.exe
Token: SeSystemProfilePrivilege | 4808 | smartlogon.exe
Token: SeSystemtimePrivilege | 4808 | smartlogon.exe
Token: SeProfSingleProcessPrivilege | 4808 | smartlogon.exe
Token: SeIncBasePriorityPrivilege | 4808 | smartlogon.exe
Token: SeCreatePagefilePrivilege | 4808 | smartlogon.exe
Token: SeBackupPrivilege | 4808 | smartlogon.exe
Token: SeRestorePrivilege | 4808 | smartlogon.exe
Token: SeShutdownPrivilege | 4808 | smartlogon.exe
Token: SeDebugPrivilege | 4808 | smartlogon.exe
Token: SeSystemEnvironmentPrivilege | 4808 | smartlogon.exe
Token: SeChangeNotifyPrivilege | 4808 | smartlogon.exe
Token: SeRemoteShutdownPrivilege | 4808 | smartlogon.exe
Token: SeUndockPrivilege | 4808 | smartlogon.exe
Token: SeManageVolumePrivilege | 4808 | smartlogon.exe
Token: SeImpersonatePrivilege | 4808 | smartlogon.exe
Token: SeCreateGlobalPrivilege | 4808 | smartlogon.exe
Token: 33 | 4808 | smartlogon.exe
Token: 34 | 4808 | smartlogon.exe
Token: 35 | 4808 | smartlogon.exe
Token: 36 | 4808 | smartlogon.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4916 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
4044 | smartlogon.exe
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 4916 wrote to memory of 4868 | 4916 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 82
PID 4916 wrote to memory of 4868 | 4916 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 82
PID 4916 wrote to memory of 4868 | 4916 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 82
PID 4916 wrote to memory of 4868 | 4916 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 82
PID 4916 wrote to memory of 4868 | 4916 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 82
PID 4916 wrote to memory of 4868 | 4916 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 82
PID 4916 wrote to memory of 4868 | 4916 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 82
PID 4916 wrote to memory of 4868 | 4916 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 82
PID 4868 wrote to memory of 4044 | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 85
PID 4868 wrote to memory of 4044 | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 85
PID 4868 wrote to memory of 4044 | 4868 | a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe | 85
PID 4044 wrote to memory of 4808 | 4044 | smartlogon.exe | 86
PID 4044 wrote to memory of 4808 | 4044 | smartlogon.exe | 86
PID 4044 wrote to memory of 4808 | 4044 | smartlogon.exe | 86
PID 4044 wrote to memory of 4808 | 4044 | smartlogon.exe | 86
PID 4044 wrote to memory of 4808 | 4044 | smartlogon.exe | 86
PID 4044 wrote to memory of 4808 | 4044 | smartlogon.exe | 86
PID 4044 wrote to memory of 4808 | 4044 | smartlogon.exe | 86
PID 4044 wrote to memory of 4808 | 4044 | smartlogon.exe | 86
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe"
PID: 4916
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    Process (depth 2): C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
    PID: 4868
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
        Process (depth 3): C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe"
        PID: 4044
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
            Process (depth 4): C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe
            PID: 4808
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 427KB
MD5: a10a571e2ede354e506dbc197124cf00
SHA1: f906f361516ccac006b8e54ccb4bbb8fbba38a26
SHA256: a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece
SHA512: 5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342