Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 27-07-2023 08:28
Behavioral tasks
- behavioral1: sample 02_Suporte_Remoto_Infiniway.exe on resource win7-20230712-en
- behavioral2: sample 02_Suporte_Remoto_Infiniway.exe on resource win10v2004-20230703-en
The signature hits and memory dumps below all reference behavioral1 (the Windows 7 x64 run).
General
- Target: 02_Suporte_Remoto_Infiniway.exe ("Suporte Remoto" is Portuguese for "remote support")
- Size: 8.6MB
- MD5: 6e6fafdc46deefdaa676e0233b7b48bf
- SHA1: 7e7afdd02eaf252bb7d5156c068088d1a7adea27
- SHA256: 59f4b9a41b33a3246d1ec3a7a2a9928d1f9e9cfbb685428becadb4f26e76693e
- SHA512: a1d380796cd11a808d9b2b99e024c0313bf1bddaa778dc4e8e11e907f54c5eb59fb117d883331994450b8ec506f0dd6d99f2fb609a6ea9e0d7e3bae1e0ac9fde
- SSDEEP: 196608:gj6w9eaCi7B4PPpo73I/OxJh784KpTTsEYIX44J9:gv9eSE839hY443ZYA4I
Malware Config
Signatures
What the signatures below add up to: the sample is UPX-packed, drops and runs the components of Supremo Remote Desktop (SupremoSystem.exe, SupremoHelper.exe, openh264-win32.dll) from the user's Temp directory and from C:\Windows\Temp, relaunches itself with /SYSRUN through SupremoSystem.exe, registers a machine-wide supremo: URL scheme whose handler is its own copy in the user's Temp directory, and, in the relaunched instance, writes under HKU\.DEFAULT (the LocalSystem profile). No network activity and no malware configuration are reported on this page. Whether this is a vendor-branded remote-support installer or an abuse of a legitimate remote-access tool is not something the sandbox run decides; the artefacts to verify on a host are the supremo handler under HKLM\SOFTWARE\Classes and the SupremoRemoteDesktop directories under both Temp locations.
-
UPX-packed memory regions (yara rule "upx") 14 IoCs
Processes:
The image region 0x0000000000400000-0x00000000029E0000 of both instances of the sample (PID 2916, the first launch; PID 2720, the /SYSRUN relaunch) matched the upx rule in every dump listed:
- behavioral1/memory/2916-54-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2916-55-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2916-56-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2916-57-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2916-80-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2916-79-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2720-84-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2720-85-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2720-87-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2720-90-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2720-91-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2720-94-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2720-132-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
- behavioral1/memory/2720-141-0x0000000000400000-0x00000000029E0000-memory.dmp (upx)
-
Executes dropped EXE 3 IoCs
Processes:
- PID 2388 SupremoSystem.exe
- PID 3060 SupremoSystem.exe
- PID 2072 SupremoHelper.exe
-
Loads dropped DLL 7 IoCs
Processes:
- PID 2916 02_Suporte_Remoto_Infiniway.exe (5 loads)
- PID 2720 02_Suporte_Remoto_Infiniway.exe (2 loads)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 8 IoCs
Processes:
All eight operations are by 02_Suporte_Remoto_Infiniway.exe (PID 2720, the /SYSRUN instance) under HKU\.DEFAULT, which is the registry profile of the LocalSystem account; writes there mean the process is running as SYSTEM rather than as the logged-on user. The Shell Extensions\Cached values themselves are the shell's own cache of loaded shell-extension CLSIDs, a routine side effect of using the shell API; the notable part is the hive they land in.
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000070a0c84e64c0d901
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d001cb4e64c0d901
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d001cb4e64c0d901
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d001cb4e64c0d901
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d001cb4e64c0d901
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d001cb4e64c0d901
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000103fc64e64c0d901
-
Modifies registry class 9 IoCs
Processes:
All nine operations are by 02_Suporte_Remoto_Infiniway.exe (PID 2720) and together register a custom supremo: URL scheme machine-wide under HKLM\SOFTWARE\Classes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\supremo
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\ = "Supremo URI"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\Content Type = "application/x-supremo"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\02_Suporte_Remoto_Infiniway.exe\" \"%1\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\URL Protocol (empty value; this is the Windows convention that marks the class as a URL scheme)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\shell
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\shell\ = "open"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\shell\open\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\shell\open
Effect: any supremo: link opened in a browser or through ShellExecute launches the Temp copy of the sample with the full URL as its argument (%1). The handler path is inside the user's AppData\Local\Temp, so whatever is placed at that path later runs under this scheme, and the registration outlives the run. On a host, check HKLM\SOFTWARE\Classes\supremo\shell\open\command and confirm the referenced executable exists and is the expected Supremo binary.
-
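As an added example, not part of the sandbox report and not Supremo's code, the script below parses registry events in the format this report uses and decides whether a registered class is a URL-protocol handler that points at an executable in a user-writable directory. The event lines are constructed from the entries above; the list of user-writable directory markers and the function names are my own assumptions.

```python
"""Added example (not from the report): assess a custom URL-scheme
registration under HKLM\\SOFTWARE\\Classes parsed from sandbox registry events."""
import re

# Constructed from the report's "Modifies registry class" entries.
SAMPLE_EVENTS = [
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\supremo",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\ = "Supremo URI"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\Content Type = "application/x-supremo"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\02_Suporte_Remoto_Infiniway.exe\" \"%1\""',
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\URL Protocol",
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\shell",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\shell\ = "open"',
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\shell\open\command",
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\supremo\shell\open",
]

# "Key created <path>" or "Set value (<type>) <path>[ = <value>]"
EVENT_RE = re.compile(r"^(?P<op>Key created|Set value \((?P<type>\w+)\)) (?P<path>.+?)(?: = (?P<value>.*))?$")
CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"

# Assumed list (lower-case) of locations a standard user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\windows\\temp\\", "\\users\\public\\", "\\programdata\\")


def unquote(value: str) -> str:
    """Undo the report's rendering of REG_SZ data: outer quotes plus \\" and \\\\ escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return re.sub(r'\\(["\\])', r"\1", value)


def handler_executable(command: str) -> str:
    """First token of a shell\\open\\command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def in_user_writable_path(exe: str) -> bool:
    return any(marker in exe.lower() for marker in USER_WRITABLE_MARKERS)


def assess_url_protocols(events):
    """Return {scheme: info} for every class touched under HKLM\\SOFTWARE\\Classes."""
    schemes = {}
    for line in events:
        m = EVENT_RE.match(line)
        if not m or not m.group("path").startswith(CLASSES):
            continue
        scheme, _, sub = m.group("path")[len(CLASSES):].partition("\\")
        info = schemes.setdefault(scheme, {
            "display_name": None, "url_protocol": False, "command": None,
            "handler": None, "passes_url_argument": False,
            "handler_in_user_writable_path": False,
        })
        value = m.group("value")
        sub = sub.lower()
        if sub == "" and value is not None:          # default value of the class key
            info["display_name"] = unquote(value)
        elif sub == "url protocol":                   # marks the class as a URL scheme
            info["url_protocol"] = True
        elif sub == "shell\\open\\command\\" and value is not None:
            cmd = unquote(value)
            exe = handler_executable(cmd)
            info.update(command=cmd, handler=exe,
                        passes_url_argument="%1" in cmd,
                        handler_in_user_writable_path=in_user_writable_path(exe))
    return schemes


def findings(info):
    """Risk notes for one scheme, in the order a triage note would list them."""
    out = []
    if info["url_protocol"] and info["handler"]:
        out.append("browser-reachable: a link with this scheme launches " + info["handler"])
    if info["passes_url_argument"]:
        out.append("the full URL is passed as an argument (%1): attacker-controlled input")
    if info["handler_in_user_writable_path"]:
        out.append("handler lives in a user-writable directory and can be replaced without admin rights")
    return out


if __name__ == "__main__":
    for scheme, info in assess_url_protocols(SAMPLE_EVENTS).items():
        print(f"{scheme}: ({info['display_name']}) -> {info['command']}")
        for note in findings(info):
            print("  -", note)
```

On a live host the same assessment applies to the output of `reg query HKLM\SOFTWARE\Classes\supremo /s`; the parser only has to be adapted to that tool's line format.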
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
- PID 2916 02_Suporte_Remoto_Infiniway.exe (2)
- PID 3060 SupremoSystem.exe (2)
- PID 2720 02_Suporte_Remoto_Infiniway.exe (3)
- PID 2072 SupremoHelper.exe (2)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 2916 02_Suporte_Remoto_Infiniway.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
- PID 2916 02_Suporte_Remoto_Infiniway.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 2916 02_Suporte_Remoto_Infiniway.exe
- PID 2720 02_Suporte_Remoto_Infiniway.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 2916 (02_Suporte_Remoto_Infiniway.exe) wrote to memory of PID 2388 (SupremoSystem.exe), 4 events
- PID 3060 (SupremoSystem.exe) wrote to memory of PID 2720 (02_Suporte_Remoto_Infiniway.exe), 4 events
- PID 2720 (02_Suporte_Remoto_Infiniway.exe) wrote to memory of PID 2072 (SupremoHelper.exe), 4 events
Every target is the direct child of the writer in the process tree below, and each pair shows the same four writes; this is the pattern the sandbox records for ordinary process creation, not a write into an unrelated process. Treat it as a process-launch indicator unless a target outside the parent/child relationship appears.
Processes
-
C:\Users\Admin\AppData\Local\Temp\02_Suporte_Remoto_Infiniway.exe (PID 2916, root of the tree)
  command line: "C:\Users\Admin\AppData\Local\Temp\02_Suporte_Remoto_Infiniway.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe (PID 2388, child of 2916)
    command line: "C:\Users\Admin\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe" "C:\Users\Admin\AppData\Local\Temp\02_Suporte_Remoto_Infiniway.exe" "/SYSRUN"
    - Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe (PID 3060, root of the tree, no recorded parent)
  command line: C:\Users\Admin\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\02_Suporte_Remoto_Infiniway.exe (PID 2720, child of 3060)
    command line: "C:\Users\Admin\AppData\Local\Temp\02_Suporte_Remoto_Infiniway.exe" /SYSRUN
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\Temp\SupremoRemoteDesktop\S-1-5-21-4219371764-2579186923-3390623117-1000\SupremoHelper.exe (PID 2072, child of 2720)
      command line: "C:\Windows\Temp\SupremoRemoteDesktop\S-1-5-21-4219371764-2579186923-3390623117-1000\SupremoHelper.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Reading the tree: the first instance of the sample (2916) starts SupremoSystem.exe (2388) with the sample's own path and "/SYSRUN" as arguments. A second SupremoSystem.exe (3060) then appears as a root process with no recorded parent and relaunches the sample with /SYSRUN (2720); that instance is the one that writes under HKU\.DEFAULT, registers the supremo: scheme and starts SupremoHelper.exe (2072) from a per-SID directory under C:\Windows\Temp. How 3060 was started is not shown on this page.
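As an added example serving both the WriteProcessMemory signature and the process tree above (not part of the sandbox report), the script below rebuilds the tree from a pid-to-parent table, groups the WriteProcessMemory events by writer and target, and labels each pair by its relationship in the tree, so that creation-time writes (parent into its new child) stand apart from writes into an unrelated process. The tree and the events are constructed from the report; the single "HYPOTHETICAL_INJECTION" event, its PID 1234 and the relation labels are my own assumptions added to show the negative case.

```python
"""Added example (not from the report): classify WriteProcessMemory events
against the process tree to separate process creation from injection."""
import re
from collections import Counter

# Constructed from the report's "Processes" tree: pid -> (parent pid or None, image).
PROCESS_TREE = {
    2916: (None, "02_Suporte_Remoto_Infiniway.exe"),
    2388: (2916, "SupremoSystem.exe"),
    3060: (None, "SupremoSystem.exe"),
    2720: (3060, "02_Suporte_Remoto_Infiniway.exe"),
    2072: (2720, "SupremoHelper.exe"),
}

# Constructed from the report's "Suspicious use of WriteProcessMemory" entries (4 per pair).
WPM_EVENTS = (
    ["PID 2916 wrote to memory of 2388 2916 02_Suporte_Remoto_Infiniway.exe SupremoSystem.exe"] * 4
    + ["PID 3060 wrote to memory of 2720 3060 SupremoSystem.exe 02_Suporte_Remoto_Infiniway.exe"] * 4
    + ["PID 2720 wrote to memory of 2072 2720 02_Suporte_Remoto_Infiniway.exe SupremoHelper.exe"] * 4
)

# Hypothetical event, NOT in the report: a write into a process outside the tree.
HYPOTHETICAL_INJECTION = "PID 2720 wrote to memory of 1234 2720 02_Suporte_Remoto_Infiniway.exe explorer.exe"

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def parse_wpm(lines):
    """Yield (source_pid, target_pid, source_image, target_image) per event."""
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def relation(tree, src, dst):
    """How the writer (src) is related to the target (dst) in the tree."""
    if dst not in tree:
        return "target not in tree"
    if tree[dst][0] == src:
        return "parent->child"
    parent = tree[dst][0]
    while parent is not None:                 # walk up: is src a more distant ancestor?
        if parent == src:
            return "ancestor->descendant"
        parent = tree.get(parent, (None,))[0]
    return "unrelated"


def classify(tree, lines):
    """Group events by (src, dst); only parent->child writes are treated as creation."""
    counts, images = Counter(), {}
    for src, dst, src_img, dst_img in parse_wpm(lines):
        counts[(src, dst)] += 1
        images[(src, dst)] = (src_img, dst_img)
    result = {}
    for pair, n in counts.items():
        rel = relation(tree, *pair)
        result[pair] = {"count": n, "images": images[pair], "relation": rel,
                        "suspicious": rel != "parent->child"}
    return result


def render_tree(tree, root=None, depth=0):
    """Indented tree in the style of the report's Processes section."""
    lines = []
    for pid, (parent, image) in tree.items():
        if parent == root:
            lines.append("  " * depth + f"{image} (PID {pid})")
            lines.extend(render_tree(tree, pid, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESS_TREE)))
    for pair, r in classify(PROCESS_TREE, WPM_EVENTS + [HYPOTHETICAL_INJECTION]).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "creation"
        print(f"{pair[0]} -> {pair[1]} x{r['count']}: {r['relation']} [{flag}]")
```

The three real pairs all come out as parent->child; only the constructed event into PID 1234 is flagged. The same logic applies to Sysmon Event ID 8/10 data once the pid-to-parent table is built from Event ID 1.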
Network
MITRE ATT&CK Enterprise v15
Downloads (files dropped during the run)
-
250B
  MD5: 580cdbd7c9c57c057cf5d0048f60f7f2
  SHA1: 3f7ee67ffe7d9a45b3a634dae8b6f5370708d34e
  SHA256: 6e9755f50b3efe4ef458f3eafc0a3086365a67b519a79d89cb44d1b730614b70
  SHA512: f0cca5dc3c5927eb64c00f425f4647cbb7af85eb34cf9a3bcc21fe541ff26e48efffcfba5a3f36ea3c2c655fca40dc7c8ebac9f4ac9938ecbec573dcff1c4273
-
56B
  MD5: f082bd11e38f5b4e34330ea21435a34a
  SHA1: c7098ba0930728c8b2801ae21b4b7c5bd060ee15
  SHA256: 746caccbdf22c59b479fbb979ccae5b06f1d655c27998648335fa8914f48c191
  SHA512: b02d3baf57a57593ba73e1f70474ad709d246e121b8ada99e4b2cdaab56a5942ea13255cc13519f51641d6f69e302985379c940b9bfce257b43b3405b847c88b
-
39B
  MD5: 68113d0a81b7e9410a045acb71f0c282
  SHA1: 17d735977bc01e1fa64be8a2c9ae0d835715c176
  SHA256: 6f9c8b626e56930a8a83fda89652103dfea1ed42e02f99739e744a79a0fd8333
  SHA512: e07ab979c49f639d3c7d8c2df3c09535814faa1adada09c84236717f71e1f5d3f46d7d447b5098b452c63fabbf6dcfdf35ad5190dbe3012daba2b3a9df2919fa
-
1.3MB (listed eight times in the report with identical hashes, i.e. the same content written to several locations; the paths are not shown on this page)
  MD5: 2435188f459524acbd29e23e47f708b0
  SHA1: 88a0d8ddc8360953190921c23b98feb2394eb7f7
  SHA256: 42f4995cadd81c4fa2be1078c3f58c9a36b24ee6c2ebf5511272a80d062a0d05
  SHA512: 42694d7436c87bfe098b5b45fbdd4b7cea700d118b0332707c528304e76b95cd4246b3f2d2e54c17f8222bcdcf2866f3b5ac681ba6c5d6624f61808e9684454b
-
C:\Windows\Temp\SupremoRemoteDesktop\S-1-5-21-4219371764-2579186923-3390623117-1000\SupremoHelper.exe
4.8MB (listed twice in the report, once with this path)
  MD5: 006420f03a6255e64a8b74176de7a339
  SHA1: 8792c467a775a36885e9739e78a444f91db44665
  SHA256: f524b8c00d8ae38304107fdf79ca5fcf8cb64a67d0795b3d9ebaaacb3e15e837
  SHA512: 5caf0528d3bd0b8aee7fe3045647594444ed7a2185adbf13e32f264a953f687a0e5f6f2799c1d5b9d80736154a140bc8ad3d66e72c00400306ea6a9558771610
-
\Windows\Temp\SupremoRemoteDesktop\S-1-5-21-4219371764-2579186923-3390623117-1000\openh264-win32.dll
734KB
  MD5: fb6f8a2358cf15f1007d6b63dee10fe8
  SHA1: dffab81315bf2e2c51f83b784814abfa02998f4d
  SHA256: 4cc49a4d3f3118edc4ea4ff97e9307301a7b0129dc0c475717d41d06d3185b74
  SHA512: 5f5b94182237faf2ab3004a804ccb1a5df194eb1f6bf19daf2a2e484ab2ee1443128cd3c4b378214315adf559534918a475f7d0e4f990f41660b3d04986e96d7
-
Notes on the dropped files: SupremoHelper.exe and openh264-win32.dll land in a directory named after the user's SID under C:\Windows\Temp, a location written by the SYSTEM-context instance (PID 2720). OpenH264 is Cisco's open-source H.264 codec, consistent with screen streaming by a remote-desktop tool. The three small files (250B, 56B, 39B) are text-sized artefacts whose paths and contents the report does not show. For host verification, hash the files under both SupremoRemoteDesktop directories and compare against the SHA256 values above; a match confirms the same build was dropped, a mismatch means a different Supremo build or a different payload.