4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

Analysis

max time kernel
189s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Size

1.1MB
MD5

7560516355efa446658667a180977c11
SHA1

19cf36775b246599d9ae7fcd9b92f137a0d1c2bf
SHA256

4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc
SHA512

61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395
SSDEEP

24576:S2TqSc+qNUwI7VV3iQPhFt4EKqZGy8uux/vJQrg1neCEsitbBQv:SiqSc+afwn3iQ7Cl6uZJQk1neMinq

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe = "c:\\windows\\sms.exe:*:Enabled:Windows Messages Controler"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe:*:Enabled:Windows Messages Controler"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

Executes dropped EXE 3 IoCs

pid	Process
4556	sms.exe
3008	sms.exe
3116	sms.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3260	netsh.exe
3796	netsh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messages Controler = "c:\\windows\\sms.exe"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Messages Controler = "c:\\windows\\sms.exe"	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 624 set thread context of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	83
PID 4556 set thread context of 3008	4556	sms.exe	86
PID 3008 set thread context of 3116	3008	sms.exe	87

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\sms.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
File created	\??\c:\windows\sms.exe	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
File opened for modification	\??\c:\windows\sms.exe	sms.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "fbdirecto.net/1/"	sms.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3116	sms.exe
3116	sms.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 1436 wrote to memory of 624	1436	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	82
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	83
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	83
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	83
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	83
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	83
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	83
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	83
PID 624 wrote to memory of 1148	624	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	83
PID 1148 wrote to memory of 3260	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	84
PID 1148 wrote to memory of 3260	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	84
PID 1148 wrote to memory of 3260	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	84
PID 1148 wrote to memory of 4556	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	85
PID 1148 wrote to memory of 4556	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	85
PID 1148 wrote to memory of 4556	1148	4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe	85
PID 4556 wrote to memory of 3008	4556	sms.exe	86
PID 4556 wrote to memory of 3008	4556	sms.exe	86
PID 4556 wrote to memory of 3008	4556	sms.exe	86
PID 4556 wrote to memory of 3008	4556	sms.exe	86
PID 4556 wrote to memory of 3008	4556	sms.exe	86
PID 4556 wrote to memory of 3008	4556	sms.exe	86
PID 4556 wrote to memory of 3008	4556	sms.exe	86
PID 4556 wrote to memory of 3008	4556	sms.exe	86
PID 4556 wrote to memory of 3008	4556	sms.exe	86
PID 4556 wrote to memory of 3008	4556	sms.exe	86
PID 4556 wrote to memory of 3008	4556	sms.exe	86
PID 3008 wrote to memory of 3116	3008	sms.exe	87
PID 3008 wrote to memory of 3116	3008	sms.exe	87
PID 3008 wrote to memory of 3116	3008	sms.exe	87
PID 3008 wrote to memory of 3116	3008	sms.exe	87
PID 3008 wrote to memory of 3116	3008	sms.exe	87
PID 3008 wrote to memory of 3116	3008	sms.exe	87
PID 3008 wrote to memory of 3116	3008	sms.exe	87
PID 3008 wrote to memory of 3116	3008	sms.exe	87
PID 3116 wrote to memory of 3796	3116	sms.exe	88
PID 3116 wrote to memory of 3796	3116	sms.exe	88
PID 3116 wrote to memory of 3796	3116	sms.exe	88

C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
"C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
  "C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe
    "C:\Users\Admin\AppData\Local\Temp\4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc.exe"
    3⤵
    - Modifies firewall policy service
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram 1.exe 1 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3260
  - - \??\c:\windows\sms.exe
      "c:\windows\sms.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4556
    - - \??\c:\windows\sms.exe
        
        "c:\windows\sms.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - \??\c:\windows\sms.exe
        
        "c:\windows\sms.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies Internet Explorer start page
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram 1.exe 1 ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:3796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sms.exe

Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
C:\Windows\sms.exe

Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
C:\Windows\sms.exe

Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
\??\c:\windows\sms.exe

Filesize
1.1MB

MD5
7560516355efa446658667a180977c11

SHA1
19cf36775b246599d9ae7fcd9b92f137a0d1c2bf

SHA256
4e0cbea473e9781a5a4f7f643f4ea9e852504642cdeb157d1d014646ee36adbc

SHA512
61c04b2c9994477511c3abe4e0a7f1ec523420ffb727bd944e6517f4bb3af79b183c92b48a07b642e1f8f547cc0c00311a4efed31c489e78fa600c1004c2c395

Download Submit
memory/624-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/624-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/624-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1148-146-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1148-141-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1148-140-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1148-137-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1148-138-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3008-155-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3116-156-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3116-157-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3116-159-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3116-160-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download