4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

Analysis

max time kernel
114s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Size

1.1MB
MD5

7560516355efa446658667a180977c11
SHA1

19cf36775b246599d9ae7fcd9b92f137a0d1c2bf
SHA256

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc
SHA512

61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395
SSDEEP

24576:S2TqSc+qNUwI7VV3iQPhFt4EKqZGy8uux/vJQrg1neCEsitbBQv:SiqSc+afwn3iQ7Cl6uZJQk1neMinq

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe:*:Enabled:Windows Messages Controler"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe = "c:\\windows\\sms.exe:*:Enabled:Windows Messages Controler"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

Executes dropped EXE 3 IoCs

pid	Process
1492	sms.exe
1544	sms.exe
1816	sms.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
672	netsh.exe
1380	netsh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messages Controler = "c:\\windows\\sms.exe"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Messages Controler = "c:\\windows\\sms.exe"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1888 set thread context of 1792	1888	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	28
PID 1792 set thread context of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 936 set thread context of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	30
PID 1492 set thread context of 1544	1492	sms.exe	33
PID 1544 set thread context of 1816	1544	sms.exe	34

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\windows\sms.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
File opened for modification	\??\c:\windows\sms.exe	sms.exe
File opened for modification	\??\c:\windows\sms.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "fbdirecto.net/1/"	sms.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1816	sms.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1792	1888	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	28
PID 1888 wrote to memory of 1792	1888	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	28
PID 1888 wrote to memory of 1792	1888	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	28
PID 1888 wrote to memory of 1792	1888	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	28
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 1792 wrote to memory of 936	1792	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	29
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	30
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	30
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	30
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	30
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	30
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	30
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	30
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	30
PID 936 wrote to memory of 1180	936	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	30
PID 1180 wrote to memory of 672	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	31
PID 1180 wrote to memory of 672	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	31
PID 1180 wrote to memory of 672	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	31
PID 1180 wrote to memory of 672	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	31
PID 1180 wrote to memory of 1492	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	32
PID 1180 wrote to memory of 1492	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	32
PID 1180 wrote to memory of 1492	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	32
PID 1180 wrote to memory of 1492	1180	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	32
PID 1492 wrote to memory of 1544	1492	sms.exe	33
PID 1492 wrote to memory of 1544	1492	sms.exe	33
PID 1492 wrote to memory of 1544	1492	sms.exe	33
PID 1492 wrote to memory of 1544	1492	sms.exe	33
PID 1492 wrote to memory of 1544	1492	sms.exe	33
PID 1492 wrote to memory of 1544	1492	sms.exe	33
PID 1492 wrote to memory of 1544	1492	sms.exe	33
PID 1492 wrote to memory of 1544	1492	sms.exe	33
PID 1492 wrote to memory of 1544	1492	sms.exe	33
PID 1492 wrote to memory of 1544	1492	sms.exe	33
PID 1492 wrote to memory of 1544	1492	sms.exe	33
PID 1544 wrote to memory of 1816	1544	sms.exe	34
PID 1544 wrote to memory of 1816	1544	sms.exe	34
PID 1544 wrote to memory of 1816	1544	sms.exe	34
PID 1544 wrote to memory of 1816	1544	sms.exe	34
PID 1544 wrote to memory of 1816	1544	sms.exe	34
PID 1544 wrote to memory of 1816	1544	sms.exe	34
PID 1544 wrote to memory of 1816	1544	sms.exe	34
PID 1544 wrote to memory of 1816	1544	sms.exe	34
PID 1544 wrote to memory of 1816	1544	sms.exe	34
PID 1816 wrote to memory of 1380	1816	sms.exe	35
PID 1816 wrote to memory of 1380	1816	sms.exe	35
PID 1816 wrote to memory of 1380	1816	sms.exe	35
PID 1816 wrote to memory of 1380	1816	sms.exe	35

C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
"C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
  "C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
    "C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
      "C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
      4⤵
      Modifies firewall policy service
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram 1.exe 1 ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:672
    - - \??\c:\windows\sms.exe
        
        "c:\windows\sms.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - \??\c:\windows\sms.exe
        
        "c:\windows\sms.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        \??\c:\windows\sms.exe
        
        "c:\windows\sms.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies Internet Explorer start page
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram 1.exe 1 ENABLE
        8⤵
        Modifies Windows Firewall
        
        PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sms.exe

Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
C:\Windows\sms.exe

Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
C:\Windows\sms.exe

Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
\??\c:\windows\sms.exe

Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
memory/936-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-66-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/936-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/936-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1180-76-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-69-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-80-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-82-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-74-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-86-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1180-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1544-113-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1816-119-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1816-120-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download