Overview

overview

8

Static

static

0944b840d9...26.exe

windows7-x64

8

0944b840d9...26.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    140s
  • max time network
    199s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0944b840d912d4b4fda445da6f74636611e8ed9d5321e324134d308d1ee7f426.exe

  • Size

    4.9MB

  • MD5

    b499a81aae65b47e914e6fa9b834d765

  • SHA1

    d5b62b3188af55602abc3ea1d474983f955296b9

  • SHA256

    0944b840d912d4b4fda445da6f74636611e8ed9d5321e324134d308d1ee7f426

  • SHA512

    07979308c7d8de4ae2c2367b310dbedacce06e70310d8ca1cfbdb20dac994a5e5acc34d1510050b5e55405e8e064d3af0bef3b0577e2e362901182daa6416b6a

  • SSDEEP

    98304:StcOWxKVAzdVnIy9sAGUBVvo3/9ooBGJqa6Fy81rsY9UfvQA5:SkIVkVI2sIVwP+oBGZwyI9a5

Score
8/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0944b840d912d4b4fda445da6f74636611e8ed9d5321e324134d308d1ee7f426.exe
    "C:\Users\Admin\AppData\Local\Temp\0944b840d912d4b4fda445da6f74636611e8ed9d5321e324134d308d1ee7f426.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\SmartAssembly..exe
      "C:\Users\Admin\AppData\Local\Temp\SmartAssembly..exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        dw20.exe -x -s 404
        3⤵
          PID:748
      • C:\Users\Admin\AppData\Local\Temp\SmartAssembly.exe
        "C:\Users\Admin\AppData\Local\Temp\SmartAssembly.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:432
        • C:\{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\redgate.installerwizard.ui.exe
          "C:\{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\redgate.installerwizard.ui.exe" RG_I="SmartAssembly 6.8.0"
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:916
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1976

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SmartAssembly..exe
      Filesize

      5.4MB

      MD5

      a79542a482fa06184be385cff4d4917b

      SHA1

      befef726d5d8ae7f28450c931497ef00d91b90fc

      SHA256

      ac7bcc47e17fbbde98d12dc59eaf1a19aa3067f90bb73d673ac9ab46fd4a168d

      SHA512

      cdd4bd5def071b13a20793a21a6520a0eab7385bc16498a600049cfc29d67892b0cd4cd05b276be6560ba4beafbd26f39eb6f447836c5125ce5039dbb60565fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SmartAssembly..exe
      Filesize

      5.4MB

      MD5

      a79542a482fa06184be385cff4d4917b

      SHA1

      befef726d5d8ae7f28450c931497ef00d91b90fc

      SHA256

      ac7bcc47e17fbbde98d12dc59eaf1a19aa3067f90bb73d673ac9ab46fd4a168d

      SHA512

      cdd4bd5def071b13a20793a21a6520a0eab7385bc16498a600049cfc29d67892b0cd4cd05b276be6560ba4beafbd26f39eb6f447836c5125ce5039dbb60565fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SmartAssembly.exe
      Filesize

      4.5MB

      MD5

      6eb901407ff50f5ede56ac4f90480f4f

      SHA1

      021138198c75c8282ed4b97ffa1a201fc48c35eb

      SHA256

      38d7dbd2fd38df509174c3d1b205304313c12d206a7b0dc4635ef56916ecf812

      SHA512

      3e4480a4b2aa77df5f734c1f7ef3aaaf1a6ef72f695fcab083e004a45125d9650aec92836fdf86ee4b235cdb8abcd2b2c7a2ab6fceb984de71d05cd27c884494

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SmartAssembly.exe
      Filesize

      4.5MB

      MD5

      6eb901407ff50f5ede56ac4f90480f4f

      SHA1

      021138198c75c8282ed4b97ffa1a201fc48c35eb

      SHA256

      38d7dbd2fd38df509174c3d1b205304313c12d206a7b0dc4635ef56916ecf812

      SHA512

      3e4480a4b2aa77df5f734c1f7ef3aaaf1a6ef72f695fcab083e004a45125d9650aec92836fdf86ee4b235cdb8abcd2b2c7a2ab6fceb984de71d05cd27c884494

      Download Submit

    • C:\{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\ProjectItems.xml
      Filesize

      293B

      MD5

      d3abf5657d06a1443f6546d330a09be7

      SHA1

      df32637f03cd960747a9f4583b00e62d1e4ce6ee

      SHA256

      44ab3b3a28b0abf61769a6cf2a22383fd7c8d62581b81b6e22e484a5400b13e7

      SHA512

      07fd1195a0cec05fec818767fd7a83d48114a4f9fd2ec126a8fa4e9a0e23582e510a161ca1cc2b17997d0011ef49d121a1a8847cecce13828ed78947cd3427c1

      Download Submit

    • C:\{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\RedGate.CompressEngine.dll
      Filesize

      74KB

      MD5

      88145c497cda801562bd7926108008e3

      SHA1

      dda1551ef33932b90dd8b416c07e701901bb4c5b

      SHA256

      9559a967ee5b0c3e4fe15b04071ecb83c467456b05d1c176ae20888a463ec2bc

      SHA512

      47f64f342069ee3f481104da43e59e99a01bb2d3d0430ae7fb3df8a158529ed39e29108bbde24e2d71600c4b7b3bc01a9b48d384866d2fdaa9413ebe9c45d1ee

      Download Submit

    • C:\{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\RedGate.InstallerWizard.Engine.dll
      Filesize

      238KB

      MD5

      e878200d4724a1532ef47246159ef74a

      SHA1

      454d26bc90290b1944dbbc9b2b97a70051dbda87

      SHA256

      70690b0a31da227e62e7578e7d691e3a8815eb1779107f9b7958e297c1e3d583

      SHA512

      ec88c7513b23ef0c6906655c110880a95c9283cf1387218d80f68366a8a7124dbe6c75233af9acc7f23b7b62f3ec8bba5189bf49bd08134148cf62593688aacd

      Download Submit

    • C:\{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\SQLToolBeltInstaller.project
      Filesize

      428KB

      MD5

      b0cdd7b74b48c1f60f71d652526ab137

      SHA1

      ec211c45973350d6b99897df8df6f09e144db998

      SHA256

      b27647a99836364278bbb3aa1ed52452b006cfd726e4661d8de3370fbac0728e

      SHA512

      3244e87e21cb461f295a8f040599534f8a7411a319679165303e9a3de972bc2d0413b7dd99ad9187398740f2121409f10d7995231e900c44a60a5f2682b88f3f

      Download Submit

    • C:\{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\empty.msi
      Filesize

      9KB

      MD5

      2ab205e6e7f17b3d0888aeb3589d8fe2

      SHA1

      fa0e787ce24967ad382abc64f3989757d7718d13

      SHA256

      03cdb087506fa560ce8213abf66e8f4b486c96ddbf2a02b6c8ef29bea491b276

      SHA512

      d6b609f6b9aaa9721146d26f45306de17b03d4eb766a32886a355d4bcd1649175c84dac0220f84272a80de32bb47abd757878722187969bcfaccc6166704bebc

      Download Submit

    • C:\{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\install.bin
      Filesize

      2.8MB

      MD5

      05f5fd3ae0a2d6f3862b99f0b4109890

      SHA1

      ad6546aed162a9025ef0f1beb0c6e8ece6c3e17f

      SHA256

      48128e0dc72f70414c930f4f8ea7a538f0c3057176fd852a1c7461a1a8b9e98f

      SHA512

      be989d89694091cccf849fab25c247314c2fc780533b942123476a3b8f235b8bdbb024da730c6f9d6209e1b04f721b7088c6229733023d6a7a46c0e440fbe8c9

      Download Submit

    • C:\{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\redgate.installerwizard.ui.exe
      Filesize

      222KB

      MD5

      d570313bfb2be30b4890d2856b2cefaa

      SHA1

      e87f7c4699eaebc56366dc112d8256a70e47f86c

      SHA256

      5262ec5ef454233725e71134fa513b4cd183a6340cea6e0d0b97f1b0fb90d2fb

      SHA512

      1acc284a97de87f28ea4e5e4a60ec03f62130e4955b9cdf7558252d501eff830fb943d4453118244402e482fd25aea245f363a10df6f3085d3b1463f42c59597

      Download Submit

    • C:\{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\redgate.installerwizard.ui.exe
      Filesize

      222KB

      MD5

      d570313bfb2be30b4890d2856b2cefaa

      SHA1

      e87f7c4699eaebc56366dc112d8256a70e47f86c

      SHA256

      5262ec5ef454233725e71134fa513b4cd183a6340cea6e0d0b97f1b0fb90d2fb

      SHA512

      1acc284a97de87f28ea4e5e4a60ec03f62130e4955b9cdf7558252d501eff830fb943d4453118244402e482fd25aea245f363a10df6f3085d3b1463f42c59597

      Download Submit

    • C:\{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\redgate.installerwizard.ui.exe.config
      Filesize

      273B

      MD5

      b7ca2454db9ef29e3aff1bdc14b061c2

      SHA1

      a81646efbbc1a99f78a3c9619799b5a413ea12a8

      SHA256

      1e19fc18e58acbf47c665da13d2dd4e9a3b732807d794e87828bd859c0401d0f

      SHA512

      184411721b96d98a1795fdeafdc9aadfc6d4db8721b850c91ae913704ea7286c5e2f25e5d1c6e6786fcb02241a91a14a191e61b949e19ac688518c49f77dd169

      Download Submit

    • \Users\Admin\AppData\Local\Temp\SmartAssembly..exe
      Filesize

      5.4MB

      MD5

      a79542a482fa06184be385cff4d4917b

      SHA1

      befef726d5d8ae7f28450c931497ef00d91b90fc

      SHA256

      ac7bcc47e17fbbde98d12dc59eaf1a19aa3067f90bb73d673ac9ab46fd4a168d

      SHA512

      cdd4bd5def071b13a20793a21a6520a0eab7385bc16498a600049cfc29d67892b0cd4cd05b276be6560ba4beafbd26f39eb6f447836c5125ce5039dbb60565fe

      Download Submit

    • \Users\Admin\AppData\Local\Temp\SmartAssembly..exe
      Filesize

      5.4MB

      MD5

      a79542a482fa06184be385cff4d4917b

      SHA1

      befef726d5d8ae7f28450c931497ef00d91b90fc

      SHA256

      ac7bcc47e17fbbde98d12dc59eaf1a19aa3067f90bb73d673ac9ab46fd4a168d

      SHA512

      cdd4bd5def071b13a20793a21a6520a0eab7385bc16498a600049cfc29d67892b0cd4cd05b276be6560ba4beafbd26f39eb6f447836c5125ce5039dbb60565fe

      Download Submit

    • \Users\Admin\AppData\Local\Temp\SmartAssembly.exe
      Filesize

      4.5MB

      MD5

      6eb901407ff50f5ede56ac4f90480f4f

      SHA1

      021138198c75c8282ed4b97ffa1a201fc48c35eb

      SHA256

      38d7dbd2fd38df509174c3d1b205304313c12d206a7b0dc4635ef56916ecf812

      SHA512

      3e4480a4b2aa77df5f734c1f7ef3aaaf1a6ef72f695fcab083e004a45125d9650aec92836fdf86ee4b235cdb8abcd2b2c7a2ab6fceb984de71d05cd27c884494

      Download Submit

    • \Users\Admin\AppData\Local\Temp\SmartAssembly.exe
      Filesize

      4.5MB

      MD5

      6eb901407ff50f5ede56ac4f90480f4f

      SHA1

      021138198c75c8282ed4b97ffa1a201fc48c35eb

      SHA256

      38d7dbd2fd38df509174c3d1b205304313c12d206a7b0dc4635ef56916ecf812

      SHA512

      3e4480a4b2aa77df5f734c1f7ef3aaaf1a6ef72f695fcab083e004a45125d9650aec92836fdf86ee4b235cdb8abcd2b2c7a2ab6fceb984de71d05cd27c884494

      Download Submit

    • \Users\Admin\AppData\Local\Temp\SmartAssembly.exe
      Filesize

      4.5MB

      MD5

      6eb901407ff50f5ede56ac4f90480f4f

      SHA1

      021138198c75c8282ed4b97ffa1a201fc48c35eb

      SHA256

      38d7dbd2fd38df509174c3d1b205304313c12d206a7b0dc4635ef56916ecf812

      SHA512

      3e4480a4b2aa77df5f734c1f7ef3aaaf1a6ef72f695fcab083e004a45125d9650aec92836fdf86ee4b235cdb8abcd2b2c7a2ab6fceb984de71d05cd27c884494

      Download Submit

    • \{8B8E67AF-1CA4-49B7-A9FB-933972559B22}\redgate.installerwizard.ui.exe
      Filesize

      222KB

      MD5

      d570313bfb2be30b4890d2856b2cefaa

      SHA1

      e87f7c4699eaebc56366dc112d8256a70e47f86c

      SHA256

      5262ec5ef454233725e71134fa513b4cd183a6340cea6e0d0b97f1b0fb90d2fb

      SHA512

      1acc284a97de87f28ea4e5e4a60ec03f62130e4955b9cdf7558252d501eff830fb943d4453118244402e482fd25aea245f363a10df6f3085d3b1463f42c59597

      Download Submit

    • memory/432-62-0x0000000000000000-mapping.dmp

      Download

    • memory/748-69-0x0000000000000000-mapping.dmp

      Download

    • memory/748-70-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/916-76-0x0000000000AF0000-0x0000000000B2A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/916-72-0x0000000000000000-mapping.dmp

      Download

    • memory/916-78-0x0000000000420000-0x000000000045E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/916-82-0x0000000000460000-0x0000000000474000-memory.dmp

      Filesize

      80KB

      Download

    • memory/916-86-0x000000001B206000-0x000000001B225000-memory.dmp

      Filesize

      124KB

      Download

    • memory/916-88-0x000000001B206000-0x000000001B225000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1212-57-0x0000000000000000-mapping.dmp

      Download

    • memory/1212-68-0x000007FEEE510000-0x000007FEEF5A6000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1212-61-0x000007FEF4190000-0x000007FEF4BB3000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/2024-54-0x0000000075881000-0x0000000075883000-memory.dmp

      Filesize

      8KB

      Download