3de5f8732ba0959ba80909ca24344d6a58cded1792210b146c9d416c524b5371

Analysis

max time kernel
96s
max time network
106s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SmartAssembly.exe
Size

4.8MB
MD5

772cf222a9183d529f0f8d33d35d079a
SHA1

0fce1ebb7254b5118d73a268863d7e312b203546
SHA256

c85a61c4ea4526afdb7ff61344c5266d3d8a65df80e5c437e0460e902651e71d
SHA512

d2dc77692ebe611f27960ef9de6d3f5268eaf4e646d61f4da910092d53d35f70d8e10793fc78802e5855a72f635727c1e6bdfaa348ee179924e8ae74b9eef3e5
SSDEEP

98304:N48aPAB2z0XEg8JyLbLJBbRq5PHmbTUl2LA6T+WMJ14e+9Cr3l6/:e4ZXTL/J9Rq5/oLbTps14eAOl6

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1616	redgate.installerwizard.ui.exe

Loads dropped DLL 1 IoCs

pid	Process
1224	SmartAssembly.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\V:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\X:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\Z:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\F:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\K:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\M:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\O:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\S:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\T:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\W:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\E:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\H:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\J:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\N:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\I:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\R:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\Y:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\P:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\Q:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\A:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\B:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\G:	redgate.installerwizard.ui.exe
File opened (read-only)	\??\L:	redgate.installerwizard.ui.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeRestorePrivilege	760	msiexec.exe
Token: SeTakeOwnershipPrivilege	760	msiexec.exe
Token: SeSecurityPrivilege	760	msiexec.exe
Token: SeCreateTokenPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeAssignPrimaryTokenPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeLockMemoryPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeIncreaseQuotaPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeMachineAccountPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeTcbPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeSecurityPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeTakeOwnershipPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeLoadDriverPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeSystemProfilePrivilege	1616	redgate.installerwizard.ui.exe
Token: SeSystemtimePrivilege	1616	redgate.installerwizard.ui.exe
Token: SeProfSingleProcessPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeIncBasePriorityPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeCreatePagefilePrivilege	1616	redgate.installerwizard.ui.exe
Token: SeCreatePermanentPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeBackupPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeRestorePrivilege	1616	redgate.installerwizard.ui.exe
Token: SeShutdownPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeDebugPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeAuditPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeSystemEnvironmentPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeChangeNotifyPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeRemoteShutdownPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeUndockPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeSyncAgentPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeEnableDelegationPrivilege	1616	redgate.installerwizard.ui.exe
Token: SeManageVolumePrivilege	1616	redgate.installerwizard.ui.exe
Token: SeImpersonatePrivilege	1616	redgate.installerwizard.ui.exe
Token: SeCreateGlobalPrivilege	1616	redgate.installerwizard.ui.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1224	SmartAssembly.exe
1224	SmartAssembly.exe
1224	SmartAssembly.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1616	1224	SmartAssembly.exe	28
PID 1224 wrote to memory of 1616	1224	SmartAssembly.exe	28
PID 1224 wrote to memory of 1616	1224	SmartAssembly.exe	28
PID 1224 wrote to memory of 1616	1224	SmartAssembly.exe	28
PID 1616 wrote to memory of 1740	1616	redgate.installerwizard.ui.exe	30
PID 1616 wrote to memory of 1740	1616	redgate.installerwizard.ui.exe	30
PID 1616 wrote to memory of 1740	1616	redgate.installerwizard.ui.exe	30
PID 1740 wrote to memory of 1632	1740	csc.exe	32
PID 1740 wrote to memory of 1632	1740	csc.exe	32
PID 1740 wrote to memory of 1632	1740	csc.exe	32

C:\Users\Admin\AppData\Local\Temp\SmartAssembly.exe
"C:\Users\Admin\AppData\Local\Temp\SmartAssembly.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224
- C:\{73BC2DE3-002B-41D8-955F-1075604AFD68}\redgate.installerwizard.ui.exe
  "C:\{73BC2DE3-002B-41D8-955F-1075604AFD68}\redgate.installerwizard.ui.exe" RG_I="SmartAssembly 6.7.0"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_mbhs6wu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5C15.tmp"
      4⤵
      PID:1632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_657F086E05976DCDC616B9D59B4C0B1E

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5

Filesize
1KB

MD5
ebb46376adf0db170aaaf4016946555e

SHA1
8771259b395c9c0e09fac7d9761636fdc558d6f6

SHA256
8fa245758d279fb34e36f04531963d511b529d932d9a8504c7d101a88fd09520

SHA512
48b94935fa1d26733c9284112bb9b15388ec8178dd59fc0eb5cbcc5f8c8ade2b8c5f06d6a51086e8566c111c85e6970a99851dc73e92ebd9fc3f11aa7764e9b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_657F086E05976DCDC616B9D59B4C0B1E

Filesize
408B

MD5
2057e1b3efc48a496201a7674054223c

SHA1
326637c514f583559c2c9d2a9651afad5857757b

SHA256
6154c77d50c092d8c23d63cb29fed93ad0e2d870df44ab49c0100409f0f5f9e4

SHA512
62feb0c08eae808073eaf1e2b45e9028c31983b27e8c3efb14734d3b13c4cfc4dc40c30c14870e412d2397e80ed9e6ba56d11f72a295649c15c617fd29df135c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5

Filesize
182B

MD5
3171571ad8063beb0cd29cc5b153bf6d

SHA1
959ea4c86f063b9217fccc2dde8c421ae4b88ae7

SHA256
ba2b26d449270e2b9939e11a6fa001c4297c7937025936646891046b0b743c8a

SHA512
9b92b1fecddcf2aade4ab99dc543105967949942b3cbca380f57e2e0b9ad57d6e122fd94d77ae4f1bd175d4db788d3ee145407b544b302ba0daa4605c0c7c662

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
80b88d832d3b730bf8d529d732854981

SHA1
8503d47aa830ece51e5bbc71f6685d06ab071200

SHA256
f82c7db86f2c06e95ec843f1fba1a055be8cbf04412b316b028cffebe77e2699

SHA512
8217d6fdd4e3a92f5cb8cd691b6babd43aed7b1fbbc16df569d6cb85dc3e1fe728d8a326d090ca8c85c1be7c7a8d490074c87f1dcceada61be318d43e23b5e27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC

Filesize
404B

MD5
44f01fd5c36c0b7eb7fbf9f75b4153b3

SHA1
daf447b9bca43d0315aa38f2425aebd7773a53e7

SHA256
3122bafb0ad56661b22977f8cb1056bea8700a99668e9b35d376d20b047f2ad9

SHA512
f303a418d920f47140dfa38c2da1cabb1f89b845b5b5bb831890a9c496192ed1c193287e990506119909bba0757134202bf6d7cdd53345aa4a0e7f138f05c124

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5C16.tmp

Filesize
1KB

MD5
9ba7c7455743ca26ebdc713ba2780a55

SHA1
779d425ccb9bbc4a2c189949dfb667be0e54832a

SHA256
5f0e44fbcfb531be85a83228c04fba11e6f93df4c978e6ef147f7d827a2ecf19

SHA512
315282c8cb8e757afb5adbd302f4910037e2d878f6a1c608964a5471e383aa4ed83a447c3ee302c1e8d97318a73fce404bd73ebeffb10b0acd80a852b005b109

Download Submit
C:\Users\Admin\AppData\Local\Temp\_mbhs6wu.dll

Filesize
9KB

MD5
3139b6084d6bb7f4acba9aab4c489f2d

SHA1
022ea69a0d8099c70c853f9dc0b56463480961e2

SHA256
585e2c30d18c52893f0a982c5945659f35e497516ad89b5d4bee766a8ff8346c

SHA512
c30c366cfa79c8577d3998eb0d43307164a06fd23eb3c93b1d5b2078e63f97d69ab264c93f0da05523b0dabbbd7def965557a09838fea727a8bd242d1e9edf20

Download Submit
C:\{73BC2DE3-002B-41D8-955F-1075604AFD68}\ProjectItems.xml

Filesize
293B

MD5
d3abf5657d06a1443f6546d330a09be7

SHA1
df32637f03cd960747a9f4583b00e62d1e4ce6ee

SHA256
44ab3b3a28b0abf61769a6cf2a22383fd7c8d62581b81b6e22e484a5400b13e7

SHA512
07fd1195a0cec05fec818767fd7a83d48114a4f9fd2ec126a8fa4e9a0e23582e510a161ca1cc2b17997d0011ef49d121a1a8847cecce13828ed78947cd3427c1

Download Submit
C:\{73BC2DE3-002B-41D8-955F-1075604AFD68}\RedGate.CompressEngine.dll

Filesize
73KB

MD5
e41cde4e39029b744c09afd7d5603e5a

SHA1
c48b38dd8354802924d36ba87def4ae185d2f64c

SHA256
3cdd320b018d61468bc88e5addc862144354cfc82d9316da95220c9af14e0890

SHA512
40d660f17e81886b16ca57f0d9be45faa560ef57164738e328a650eeb540a87c975c28c12faa1c07d67444f9b2ac344c26aa69a0dab8d80fa527edbf695f1dc6

Download Submit
C:\{73BC2DE3-002B-41D8-955F-1075604AFD68}\RedGate.InstallerWizard.Engine.dll

Filesize
237KB

MD5
89844a4628b604694dcf994f56f2b117

SHA1
a5770289abd701ee49bdf77855b6893534761d0d

SHA256
5e5cd397c9959dd76999b1ed7df80ff2708593ea80dc427c57b7732ce6d0ef83

SHA512
d9f41c8bb6529af683864368fcdda75274ecb826aa372a89194dfbad9b0d3b53a3c1d3c8125975b8aa844b5f561347048c1ac7f543c3e613e0d5160385024e08

Download Submit
C:\{73BC2DE3-002B-41D8-955F-1075604AFD68}\SQLToolBeltInstaller.project

Filesize
437KB

MD5
389c8a8d1b6645c153defcbb2dbc64c8

SHA1
5d5d4f0db640606aa1b74ac035013eb462b5d4a3

SHA256
95e32c619a9f168cd23c44095c5876de7175f2d695758248d353f2ac8a47ec7a

SHA512
d54a5236ffb418b91ba04d0acc8355063d8d1b5363419cc116a7c158529b8438c938b2eb98bd53e1440b794d347cdc1ffd1c3f7517f10b7a230cc28d47d65e78

Download Submit
C:\{73BC2DE3-002B-41D8-955F-1075604AFD68}\empty.msi

Filesize
9KB

MD5
2ab205e6e7f17b3d0888aeb3589d8fe2

SHA1
fa0e787ce24967ad382abc64f3989757d7718d13

SHA256
03cdb087506fa560ce8213abf66e8f4b486c96ddbf2a02b6c8ef29bea491b276

SHA512
d6b609f6b9aaa9721146d26f45306de17b03d4eb766a32886a355d4bcd1649175c84dac0220f84272a80de32bb47abd757878722187969bcfaccc6166704bebc

Download Submit
C:\{73BC2DE3-002B-41D8-955F-1075604AFD68}\info.xml

Filesize
78B

MD5
4fedd1ca11f7a2f24645fec06b8523c1

SHA1
b6418a75dea30e3737d522f1fc8618ddccf21827

SHA256
65f37e5784811886eece4324af9b12b4926efdd59dd4adf5a79c09d514c23e6a

SHA512
8dcda563bb72c932aa61a3f3f2b9c611501a189bae3defd29298311dab1bb2a88f0c39aa1c604ba0c9ef4db845f7a937918360683e51e6de32fa141f11d9eabd

Download Submit
C:\{73BC2DE3-002B-41D8-955F-1075604AFD68}\install.bin

Filesize
3.2MB

MD5
e7e2b7f2f949c1462b28ad69e046c7b3

SHA1
0a6888c3e03508cba9d2dac07e23a25a5e552c6d

SHA256
e0d8c72a91df5af1ab151ddc2461777b8765ab502ad6c54d73b21bc777ce32dd

SHA512
7b489261b79a829f51a7f785d42ce51e614fd96f66c88979671403de154873aa2ac367ffac3c48a9f9830c2f2b1701f149491a1d61ff5b048c42e8b157c3571e

Download Submit
C:\{73BC2DE3-002B-41D8-955F-1075604AFD68}\redgate.installerwizard.ui.exe

Filesize
225KB

MD5
7eb6248ef3f7edc6017c4cf1371b71ed

SHA1
212a04694b27a8bf5d70462c4e8794f406eb0aa5

SHA256
e80d606e9a0637db7975bd978fb88db567219cec4ce29665040dde8f596e491f

SHA512
2f1b676f2e9f7446befccb41f12088b45b84707ac4ce217cc555b6498ca4b55292486c289b1e25873133ea8e268734870f43501cea6584821cba4b76821c0b8f

Download Submit
C:\{73BC2DE3-002B-41D8-955F-1075604AFD68}\redgate.installerwizard.ui.exe

Filesize
225KB

MD5
7eb6248ef3f7edc6017c4cf1371b71ed

SHA1
212a04694b27a8bf5d70462c4e8794f406eb0aa5

SHA256
e80d606e9a0637db7975bd978fb88db567219cec4ce29665040dde8f596e491f

SHA512
2f1b676f2e9f7446befccb41f12088b45b84707ac4ce217cc555b6498ca4b55292486c289b1e25873133ea8e268734870f43501cea6584821cba4b76821c0b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5C15.tmp

Filesize
664B

MD5
1b58be32e0bc59d616469a4d13ec1ef3

SHA1
657186f04669c868282abcc3f9634559c60728dd

SHA256
9646a59404ad378fc64377bd5ddd73fb169810cd7b83509fe8ecff70a60dd71a

SHA512
9a463af2fc4db79d94290cd7d1638dd3e594c3dd1bf4fb57ee7ddd8ad7d9c48a82069122591935d37a6c8cbff1d78a56df4b78c1c0e821a54e9ded6421cb75f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_mbhs6wu.0.cs

Filesize
15KB

MD5
5bec0c4530751cdd44df42c719fa2c5e

SHA1
eac3058aa0cfa4639026e926f72d02edf07ac2cd

SHA256
8fb42b36ccbd6b05586b0e924a6b4df73d291f4cd3936b97fb743f36fc5cc903

SHA512
3fa67e1a4b601487930a3fc26482c88ab2be1686362d3e8ae9baa76771803e6c096af3191c85e186b75b5b0bbf63660e3275e1f2ac6e099f9370ded30676bcce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_mbhs6wu.cmdline

Filesize
431B

MD5
8916a73f9118333763130c62076b6ef2

SHA1
29e966d62a707c19d87829578fb9d99d43069508

SHA256
1a332047f60af6ecf399c71a8ca0b64b3960eba00cbf9785ae771f3c74fa9003

SHA512
cb7bff4cdb1c8ce18caace1b7a9069fa2165e15deec3e738c4fc7d8472a0c680cbb35515fb1b92875600ea50a73bed6012d3b5b17897d5594c363a655d30543e

Download Submit
\{73BC2DE3-002B-41D8-955F-1075604AFD68}\redgate.installerwizard.ui.exe

Filesize
225KB

MD5
7eb6248ef3f7edc6017c4cf1371b71ed

SHA1
212a04694b27a8bf5d70462c4e8794f406eb0aa5

SHA256
e80d606e9a0637db7975bd978fb88db567219cec4ce29665040dde8f596e491f

SHA512
2f1b676f2e9f7446befccb41f12088b45b84707ac4ce217cc555b6498ca4b55292486c289b1e25873133ea8e268734870f43501cea6584821cba4b76821c0b8f

Download Submit
memory/760-73-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp

Filesize
8KB

Download
memory/1224-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1616-66-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/1616-67-0x000007FEF2C10000-0x000007FEF3CA6000-memory.dmp

Filesize
16.6MB

Download
memory/1616-84-0x0000000002186000-0x00000000021A5000-memory.dmp

Filesize
124KB

Download
memory/1616-85-0x0000000002186000-0x00000000021A5000-memory.dmp

Filesize
124KB

Download