dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038

Analysis

max time kernel
194s
max time network
230s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 19:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
Size

741KB
MD5

eddec3e7cad93b0f3b84f63b3193e4d6
SHA1

3705670af8cd8741d870a62b421ec5696a97befc
SHA256

dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038
SHA512

5ba56bb4b4833f0b80d8764df3a16fe6e3981c1e12ed8d34a77ccf26a38624cf2334f4c20f7f6e0a0e83878d4c7eb6e5b6fd1f4534769e68b1c19dacf446d7a6
SSDEEP

12288:QSnoAxlVNWJEGMx9tRAidB8qm2ynh21v0hOFbgZHvASlT0fhJfg+KjBwzU/3SEnq:bJxl3Z1qMB8l2ynhyv3dgRK5taBcU/Ct

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
392	SmartWebHelper.exe
3400	SmartWebApp.exe
1996	SmartWebApp.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartWeb.lnk	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe

Loads dropped DLL 10 IoCs

pid	Process
1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
3400	SmartWebApp.exe
1996	SmartWebApp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SmartWeb = "C:\\Users\\Admin\\AppData\\Local\\SmartWeb\\SmartWebHelper.exe"	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 392	1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe	81
PID 1476 wrote to memory of 392	1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe	81
PID 1476 wrote to memory of 392	1476	dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe	81
PID 392 wrote to memory of 3400	392	SmartWebHelper.exe	87
PID 392 wrote to memory of 3400	392	SmartWebHelper.exe	87
PID 392 wrote to memory of 3400	392	SmartWebHelper.exe	87
PID 392 wrote to memory of 1996	392	SmartWebHelper.exe	92
PID 392 wrote to memory of 1996	392	SmartWebHelper.exe	92
PID 392 wrote to memory of 1996	392	SmartWebHelper.exe	92

C:\Users\Admin\AppData\Local\Temp\dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe
"C:\Users\Admin\AppData\Local\Temp\dd2c240c845542bc118abcda8ff676c3d836e65383b4d60c095b59ad44e76038.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\SmartWeb\SmartWebHelper.exe
  "C:\Users\Admin\AppData\Local\SmartWeb\SmartWebHelper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Users\Admin\AppData\Local\SmartWeb\SmartWebApp.exe
    SmartWebApp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3400
- - C:\Users\Admin\AppData\Local\SmartWeb\SmartWebApp.exe
    SmartWebApp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1996

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SmartWeb\SmartWebApp.exe

Filesize
544KB

MD5
44069c2ac699c8dad80a96fb1c8dfe57

SHA1
6142578cd21cf27fd3c1b3a4f0626de9fc6df275

SHA256
543cb50b03ff125dc8f1cec9850597982797f5bf54a96beb78d139ca25bd3a5b

SHA512
34d3e69417f1d1211d4a1ffedb725e0358f29ef0cf663b54bba08380a86eb05b0403c6d55dd893fb1a19f09bb0ba0cffe6f9d5423df55520feba33f0ad880997

Download Submit
C:\Users\Admin\AppData\Local\SmartWeb\SmartWebApp.exe

Filesize
544KB

MD5
44069c2ac699c8dad80a96fb1c8dfe57

SHA1
6142578cd21cf27fd3c1b3a4f0626de9fc6df275

SHA256
543cb50b03ff125dc8f1cec9850597982797f5bf54a96beb78d139ca25bd3a5b

SHA512
34d3e69417f1d1211d4a1ffedb725e0358f29ef0cf663b54bba08380a86eb05b0403c6d55dd893fb1a19f09bb0ba0cffe6f9d5423df55520feba33f0ad880997

Download Submit
C:\Users\Admin\AppData\Local\SmartWeb\SmartWebApp.exe

Filesize
544KB

MD5
44069c2ac699c8dad80a96fb1c8dfe57

SHA1
6142578cd21cf27fd3c1b3a4f0626de9fc6df275

SHA256
543cb50b03ff125dc8f1cec9850597982797f5bf54a96beb78d139ca25bd3a5b

SHA512
34d3e69417f1d1211d4a1ffedb725e0358f29ef0cf663b54bba08380a86eb05b0403c6d55dd893fb1a19f09bb0ba0cffe6f9d5423df55520feba33f0ad880997

Download Submit
C:\Users\Admin\AppData\Local\SmartWeb\SmartWebHelper.exe

Filesize
264KB

MD5
153f088dfdb3f940ad9daeb04a3acc4d

SHA1
aa2ba9d6607589a3c93d1c760e3512ec8e61f968

SHA256
6d63825bb6280fc97fb0c4d401196cdb8fdcfbae787f9901aa926c26245e1632

SHA512
9bdb2f3fb153f9987a988cf4a6ed5eddae46419575eda6ae9f59bc0c2d19d6a696e527b748de2cb29b27a3d6371d62fbc66c76c5f62f5cab9050c7bcfd6bd658

Download Submit
C:\Users\Admin\AppData\Local\SmartWeb\SmartWebHelper.exe

Filesize
264KB

MD5
153f088dfdb3f940ad9daeb04a3acc4d

SHA1
aa2ba9d6607589a3c93d1c760e3512ec8e61f968

SHA256
6d63825bb6280fc97fb0c4d401196cdb8fdcfbae787f9901aa926c26245e1632

SHA512
9bdb2f3fb153f9987a988cf4a6ed5eddae46419575eda6ae9f59bc0c2d19d6a696e527b748de2cb29b27a3d6371d62fbc66c76c5f62f5cab9050c7bcfd6bd658

Download Submit
C:\Users\Admin\AppData\Local\SmartWeb\swhk.dll

Filesize
104KB

MD5
bce139e3d1b13ab38b58e645abe30679

SHA1
080016256c564232771ed8d6effc94ecaecad316

SHA256
aba397ac2db949d1d8690763a6e770f3f18dbfe1e2f8dbccd67498ab6495a724

SHA512
b345fe3136be34efff85d3066b6f3c0c2f565a8b00c7d9a8a1d6188fa209825635aac1ef28b923246b843dfad2b3eadc5c14c659d83fcfa528d275d7229b21f4

Download Submit
C:\Users\Admin\AppData\Local\SmartWeb\swhk.dll

Filesize
104KB

MD5
bce139e3d1b13ab38b58e645abe30679

SHA1
080016256c564232771ed8d6effc94ecaecad316

SHA256
aba397ac2db949d1d8690763a6e770f3f18dbfe1e2f8dbccd67498ab6495a724

SHA512
b345fe3136be34efff85d3066b6f3c0c2f565a8b00c7d9a8a1d6188fa209825635aac1ef28b923246b843dfad2b3eadc5c14c659d83fcfa528d275d7229b21f4

Download Submit
C:\Users\Admin\AppData\Local\SmartWeb\swhk.dll

Filesize
104KB

MD5
bce139e3d1b13ab38b58e645abe30679

SHA1
080016256c564232771ed8d6effc94ecaecad316

SHA256
aba397ac2db949d1d8690763a6e770f3f18dbfe1e2f8dbccd67498ab6495a724

SHA512
b345fe3136be34efff85d3066b6f3c0c2f565a8b00c7d9a8a1d6188fa209825635aac1ef28b923246b843dfad2b3eadc5c14c659d83fcfa528d275d7229b21f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\SmartWebInstallerHelperDll.dll

Filesize
213KB

MD5
d23f83a73748e5391a3a591a11bf1ea0

SHA1
6219be5c746d154e6d15b81b44b46539f274ab56

SHA256
85ab81ce8db373c2b7a568a23013ae0985403c05ea2b4eab880c22aafcc6ca9e

SHA512
0f054e73f5c6ef3aaa94ae79833ea6f44a8b8920ec7fbc42c32cdc8a7b2ad8599cc725617648c4dc079a211452a8238722c6459161ef07fe36816b8ae07878d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\SmartWebInstallerHelperDll.dll

Filesize
213KB

MD5
d23f83a73748e5391a3a591a11bf1ea0

SHA1
6219be5c746d154e6d15b81b44b46539f274ab56

SHA256
85ab81ce8db373c2b7a568a23013ae0985403c05ea2b4eab880c22aafcc6ca9e

SHA512
0f054e73f5c6ef3aaa94ae79833ea6f44a8b8920ec7fbc42c32cdc8a7b2ad8599cc725617648c4dc079a211452a8238722c6459161ef07fe36816b8ae07878d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\SmartWebInstallerHelperDll.dll

Filesize
213KB

MD5
d23f83a73748e5391a3a591a11bf1ea0

SHA1
6219be5c746d154e6d15b81b44b46539f274ab56

SHA256
85ab81ce8db373c2b7a568a23013ae0985403c05ea2b4eab880c22aafcc6ca9e

SHA512
0f054e73f5c6ef3aaa94ae79833ea6f44a8b8920ec7fbc42c32cdc8a7b2ad8599cc725617648c4dc079a211452a8238722c6459161ef07fe36816b8ae07878d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\SmartWebInstallerHelperDll.dll

Filesize
213KB

MD5
d23f83a73748e5391a3a591a11bf1ea0

SHA1
6219be5c746d154e6d15b81b44b46539f274ab56

SHA256
85ab81ce8db373c2b7a568a23013ae0985403c05ea2b4eab880c22aafcc6ca9e

SHA512
0f054e73f5c6ef3aaa94ae79833ea6f44a8b8920ec7fbc42c32cdc8a7b2ad8599cc725617648c4dc079a211452a8238722c6459161ef07fe36816b8ae07878d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\SmartWebInstallerHelperDll.dll

Filesize
213KB

MD5
d23f83a73748e5391a3a591a11bf1ea0

SHA1
6219be5c746d154e6d15b81b44b46539f274ab56

SHA256
85ab81ce8db373c2b7a568a23013ae0985403c05ea2b4eab880c22aafcc6ca9e

SHA512
0f054e73f5c6ef3aaa94ae79833ea6f44a8b8920ec7fbc42c32cdc8a7b2ad8599cc725617648c4dc079a211452a8238722c6459161ef07fe36816b8ae07878d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\SmartWebInstallerHelperDll.dll

Filesize
213KB

MD5
d23f83a73748e5391a3a591a11bf1ea0

SHA1
6219be5c746d154e6d15b81b44b46539f274ab56

SHA256
85ab81ce8db373c2b7a568a23013ae0985403c05ea2b4eab880c22aafcc6ca9e

SHA512
0f054e73f5c6ef3aaa94ae79833ea6f44a8b8920ec7fbc42c32cdc8a7b2ad8599cc725617648c4dc079a211452a8238722c6459161ef07fe36816b8ae07878d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\SmartWebInstallerHelperDll.dll

Filesize
213KB

MD5
d23f83a73748e5391a3a591a11bf1ea0

SHA1
6219be5c746d154e6d15b81b44b46539f274ab56

SHA256
85ab81ce8db373c2b7a568a23013ae0985403c05ea2b4eab880c22aafcc6ca9e

SHA512
0f054e73f5c6ef3aaa94ae79833ea6f44a8b8920ec7fbc42c32cdc8a7b2ad8599cc725617648c4dc079a211452a8238722c6459161ef07fe36816b8ae07878d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\SmartWebInstallerHelperDll.dll

Filesize
213KB

MD5
d23f83a73748e5391a3a591a11bf1ea0

SHA1
6219be5c746d154e6d15b81b44b46539f274ab56

SHA256
85ab81ce8db373c2b7a568a23013ae0985403c05ea2b4eab880c22aafcc6ca9e

SHA512
0f054e73f5c6ef3aaa94ae79833ea6f44a8b8920ec7fbc42c32cdc8a7b2ad8599cc725617648c4dc079a211452a8238722c6459161ef07fe36816b8ae07878d6

Download Submit