Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-07-2023 08:28

General

  • Target

    02_Suporte_Remoto_Infiniway.exe

  • Size

    8.6MB

  • MD5

    6e6fafdc46deefdaa676e0233b7b48bf

  • SHA1

    7e7afdd02eaf252bb7d5156c068088d1a7adea27

  • SHA256

    59f4b9a41b33a3246d1ec3a7a2a9928d1f9e9cfbb685428becadb4f26e76693e

  • SHA512

    a1d380796cd11a808d9b2b99e024c0313bf1bddaa778dc4e8e11e907f54c5eb59fb117d883331994450b8ec506f0dd6d99f2fb609a6ea9e0d7e3bae1e0ac9fde

  • SSDEEP

    196608:gj6w9eaCi7B4PPpo73I/OxJh784KpTTsEYIX44J9:gv9eSE839hY443ZYA4I

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 8 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02_Suporte_Remoto_Infiniway.exe
    "C:\Users\Admin\AppData\Local\Temp\02_Suporte_Remoto_Infiniway.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe
      "C:\Users\Admin\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe" "C:\Users\Admin\AppData\Local\Temp\02_Suporte_Remoto_Infiniway.exe" "/SYSRUN"
      2⤵
      • Executes dropped EXE
      PID:2388
  • C:\Users\Admin\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe
    C:\Users\Admin\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\02_Suporte_Remoto_Infiniway.exe
      "C:\Users\Admin\AppData\Local\Temp\02_Suporte_Remoto_Infiniway.exe" /SYSRUN
      2⤵
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\Temp\SupremoRemoteDesktop\S-1-5-21-4219371764-2579186923-3390623117-1000\SupremoHelper.exe
        "C:\Windows\Temp\SupremoRemoteDesktop\S-1-5-21-4219371764-2579186923-3390623117-1000\SupremoHelper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\SupremoRemoteDesktop\Log\02_Suporte_Remoto_Infiniway.00.Client.log

    Filesize

    250B

    MD5

    580cdbd7c9c57c057cf5d0048f60f7f2

    SHA1

    3f7ee67ffe7d9a45b3a634dae8b6f5370708d34e

    SHA256

    6e9755f50b3efe4ef458f3eafc0a3086365a67b519a79d89cb44d1b730614b70

    SHA512

    f0cca5dc3c5927eb64c00f425f4647cbb7af85eb34cf9a3bcc21fe541ff26e48efffcfba5a3f36ea3c2c655fca40dc7c8ebac9f4ac9938ecbec573dcff1c4273

  • C:\ProgramData\SupremoRemoteDesktop\Settings.dat

    Filesize

    56B

    MD5

    f082bd11e38f5b4e34330ea21435a34a

    SHA1

    c7098ba0930728c8b2801ae21b4b7c5bd060ee15

    SHA256

    746caccbdf22c59b479fbb979ccae5b06f1d655c27998648335fa8914f48c191

    SHA512

    b02d3baf57a57593ba73e1f70474ad709d246e121b8ada99e4b2cdaab56a5942ea13255cc13519f51641d6f69e302985379c940b9bfce257b43b3405b847c88b

  • C:\ProgramData\SupremoRemoteDesktop\Settings.dat

    Filesize

    39B

    MD5

    68113d0a81b7e9410a045acb71f0c282

    SHA1

    17d735977bc01e1fa64be8a2c9ae0d835715c176

    SHA256

    6f9c8b626e56930a8a83fda89652103dfea1ed42e02f99739e744a79a0fd8333

    SHA512

    e07ab979c49f639d3c7d8c2df3c09535814faa1adada09c84236717f71e1f5d3f46d7d447b5098b452c63fabbf6dcfdf35ad5190dbe3012daba2b3a9df2919fa

  • C:\Users\Admin\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe

    Filesize

    1.3MB

    MD5

    2435188f459524acbd29e23e47f708b0

    SHA1

    88a0d8ddc8360953190921c23b98feb2394eb7f7

    SHA256

    42f4995cadd81c4fa2be1078c3f58c9a36b24ee6c2ebf5511272a80d062a0d05

    SHA512

    42694d7436c87bfe098b5b45fbdd4b7cea700d118b0332707c528304e76b95cd4246b3f2d2e54c17f8222bcdcf2866f3b5ac681ba6c5d6624f61808e9684454b

  • C:\Windows\Temp\SupremoRemoteDesktop\S-1-5-21-4219371764-2579186923-3390623117-1000\SupremoHelper.exe

    Filesize

    4.8MB

    MD5

    006420f03a6255e64a8b74176de7a339

    SHA1

    8792c467a775a36885e9739e78a444f91db44665

    SHA256

    f524b8c00d8ae38304107fdf79ca5fcf8cb64a67d0795b3d9ebaaacb3e15e837

    SHA512

    5caf0528d3bd0b8aee7fe3045647594444ed7a2185adbf13e32f264a953f687a0e5f6f2799c1d5b9d80736154a140bc8ad3d66e72c00400306ea6a9558771610

  • \Users\Admin\AppData\Local\Temp\SupremoRemoteDesktop\SupremoSystem.exe

    Filesize

    1.3MB

    MD5

    2435188f459524acbd29e23e47f708b0

    SHA1

    88a0d8ddc8360953190921c23b98feb2394eb7f7

    SHA256

    42f4995cadd81c4fa2be1078c3f58c9a36b24ee6c2ebf5511272a80d062a0d05

    SHA512

    42694d7436c87bfe098b5b45fbdd4b7cea700d118b0332707c528304e76b95cd4246b3f2d2e54c17f8222bcdcf2866f3b5ac681ba6c5d6624f61808e9684454b

  • \Windows\Temp\SupremoRemoteDesktop\S-1-5-21-4219371764-2579186923-3390623117-1000\SupremoHelper.exe

    Filesize

    4.8MB

    MD5

    006420f03a6255e64a8b74176de7a339

    SHA1

    8792c467a775a36885e9739e78a444f91db44665

    SHA256

    f524b8c00d8ae38304107fdf79ca5fcf8cb64a67d0795b3d9ebaaacb3e15e837

    SHA512

    5caf0528d3bd0b8aee7fe3045647594444ed7a2185adbf13e32f264a953f687a0e5f6f2799c1d5b9d80736154a140bc8ad3d66e72c00400306ea6a9558771610

  • \Windows\Temp\SupremoRemoteDesktop\S-1-5-21-4219371764-2579186923-3390623117-1000\openh264-win32.dll

    Filesize

    734KB

    MD5

    fb6f8a2358cf15f1007d6b63dee10fe8

    SHA1

    dffab81315bf2e2c51f83b784814abfa02998f4d

    SHA256

    4cc49a4d3f3118edc4ea4ff97e9307301a7b0129dc0c475717d41d06d3185b74

    SHA512

    5f5b94182237faf2ab3004a804ccb1a5df194eb1f6bf19daf2a2e484ab2ee1443128cd3c4b378214315adf559534918a475f7d0e4f990f41660b3d04986e96d7

  • memory/2072-174-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-143-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

  • memory/2072-163-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-157-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-153-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-135-0x0000000000A20000-0x0000000000A21000-memory.dmp

    Filesize

    4KB

  • memory/2072-146-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-142-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-180-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-170-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-133-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

  • memory/2072-134-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

  • memory/2072-186-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-190-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-196-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-202-0x0000000000400000-0x00000000008CC000-memory.dmp

    Filesize

    4.8MB

  • memory/2072-136-0x0000000002400000-0x0000000002401000-memory.dmp

    Filesize

    4KB

  • memory/2388-78-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/2720-85-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2720-132-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2720-84-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2720-96-0x0000000002A60000-0x0000000002A61000-memory.dmp

    Filesize

    4KB

  • memory/2720-91-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2720-90-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2720-87-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2720-150-0x0000000002A60000-0x0000000002A61000-memory.dmp

    Filesize

    4KB

  • memory/2720-141-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2720-94-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2916-55-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2916-79-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2916-80-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2916-54-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2916-57-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/2916-56-0x0000000000400000-0x00000000029E0000-memory.dmp

    Filesize

    37.9MB

  • memory/3060-81-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/3060-83-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB