a6ddba48ab18463bf8c6db4b8c06fbbd1d9d6f659ce3cb0ce954bfede9f94743

Analysis

max time kernel
127s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6ddba48ab18463bf8c6db4b8c06fbbd1d9d6f659ce3cb0ce954bfede9f94743.exe
Size

365KB
MD5

ee7d906ce2100fd7f0c7be70413b5494
SHA1

4f83ad1732f59f733d07d56b614963e0d38bed39
SHA256

a6ddba48ab18463bf8c6db4b8c06fbbd1d9d6f659ce3cb0ce954bfede9f94743
SHA512

18ca5e7300ce177c86100aebcb64c858dbcc8c67c785823a28f66adcfd6549672529373a307e5effaa2be5102fd43a1061465a4d6d17a2c54bfc769e9cb90f1a
SSDEEP

6144:2Si07irC2F8NXC796TB9vj48UlL2XrzDcaTul3wMJInem5olCxjW:VDiZeVQkTrvj4sXrzDql16nBolX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4808	Smart.exe
212	Smart.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a6ddba48ab18463bf8c6db4b8c06fbbd1d9d6f659ce3cb0ce954bfede9f94743.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4808 set thread context of 212	4808	Smart.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4432	212	WerFault.exe	82

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	Smart.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 4808	3988	a6ddba48ab18463bf8c6db4b8c06fbbd1d9d6f659ce3cb0ce954bfede9f94743.exe	81
PID 3988 wrote to memory of 4808	3988	a6ddba48ab18463bf8c6db4b8c06fbbd1d9d6f659ce3cb0ce954bfede9f94743.exe	81
PID 3988 wrote to memory of 4808	3988	a6ddba48ab18463bf8c6db4b8c06fbbd1d9d6f659ce3cb0ce954bfede9f94743.exe	81
PID 4808 wrote to memory of 212	4808	Smart.exe	82
PID 4808 wrote to memory of 212	4808	Smart.exe	82
PID 4808 wrote to memory of 212	4808	Smart.exe	82
PID 4808 wrote to memory of 212	4808	Smart.exe	82
PID 4808 wrote to memory of 212	4808	Smart.exe	82
PID 4808 wrote to memory of 212	4808	Smart.exe	82
PID 4808 wrote to memory of 212	4808	Smart.exe	82
PID 4808 wrote to memory of 212	4808	Smart.exe	82

C:\Users\Admin\AppData\Local\Temp\a6ddba48ab18463bf8c6db4b8c06fbbd1d9d6f659ce3cb0ce954bfede9f94743.exe
"C:\Users\Admin\AppData\Local\Temp\a6ddba48ab18463bf8c6db4b8c06fbbd1d9d6f659ce3cb0ce954bfede9f94743.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Roaming\Smart-Services\Smart.exe
  "C:\Users\Admin\AppData\Roaming\Smart-Services\Smart.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Users\Admin\AppData\Roaming\Smart-Services\Smart.exe
    C:\Users\Admin\AppData\Roaming\Smart-Services\Smart.exe
    3⤵
    - Executes dropped EXE
    PID:212
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 12
      4⤵
      Program crash
      PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 212 -ip 212
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Smart-Services\Smart.exe

Filesize
291KB

MD5
0298764dad6845747cbe2978a3f14acb

SHA1
316f4f843f2b316f194232818e892e771621a661

SHA256
83eb699d6d16558d49d985fc40aa62b5c8f71d34673f09250784dc6248093a82

SHA512
7f3295f6b1e395719c0a9e9c78f151c6277eeea0f302e999d0ea097aefa36339af6c7b4b6143ae6b3bf83bc2188449937674bc8f6bcf583e27d204079ee7e72e

Download Submit
C:\Users\Admin\AppData\Roaming\Smart-Services\Smart.exe

Filesize
291KB

MD5
0298764dad6845747cbe2978a3f14acb

SHA1
316f4f843f2b316f194232818e892e771621a661

SHA256
83eb699d6d16558d49d985fc40aa62b5c8f71d34673f09250784dc6248093a82

SHA512
7f3295f6b1e395719c0a9e9c78f151c6277eeea0f302e999d0ea097aefa36339af6c7b4b6143ae6b3bf83bc2188449937674bc8f6bcf583e27d204079ee7e72e

Download Submit
C:\Users\Admin\AppData\Roaming\Smart-Services\Smart.exe

Filesize
291KB

MD5
0298764dad6845747cbe2978a3f14acb

SHA1
316f4f843f2b316f194232818e892e771621a661

SHA256
83eb699d6d16558d49d985fc40aa62b5c8f71d34673f09250784dc6248093a82

SHA512
7f3295f6b1e395719c0a9e9c78f151c6277eeea0f302e999d0ea097aefa36339af6c7b4b6143ae6b3bf83bc2188449937674bc8f6bcf583e27d204079ee7e72e

Download Submit
memory/3988-132-0x00007FFA0F220000-0x00007FFA0FC56000-memory.dmp

Filesize
10.2MB

Download
memory/4808-136-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-140-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-141-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-144-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-145-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-146-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-143-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-142-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-139-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-148-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-149-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-150-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-147-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-151-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-152-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-153-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-154-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-156-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-157-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-155-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-159-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/4808-160-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-161-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-158-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-163-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-164-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-162-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-165-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-166-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-167-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-168-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-169-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-170-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-171-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-172-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-174-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-175-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-173-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-176-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-178-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-177-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-179-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-180-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-181-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-182-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-183-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-184-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-185-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-186-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-187-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-188-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-189-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-190-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-191-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-192-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-193-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-194-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-195-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-196-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-197-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-198-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-199-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/4808-211-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download