Analysis Overview
SHA256
1650fa7dfd5cc553776b130e27195d407ab18a356773e0c4b471102764ef25dd
Threat Level: Known bad
The file smes.exe was found to be: Known bad.
Malicious Activity Summary
Phoenix Keylogger
Phoenix Keylogger payload
Looks up external IP address via web service
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-08-27 09:06
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-27 09:06
Reported
2023-08-27 09:08
Platform
win7-20230712-en
Max time kernel
117s
Max time network
132s
Command Line
Signatures
Phoenix Keylogger
Phoenix Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ifconfig.me | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2208 set thread context of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 2208 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 2208 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 2208 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 2208 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 2208 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\smes.exe
"C:\Users\Admin\AppData\Local\Temp\smes.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ifconfig.me | udp |
| US | 34.160.111.145:80 | ifconfig.me | tcp |
| US | 8.8.8.8:53 | bhavnatutor.com | udp |
| US | 162.211.86.20:587 | bhavnatutor.com | tcp |
Files
memory/2208-0-0x00000000003A0000-0x00000000003BF000-memory.dmp
memory/2208-1-0x0000000000380000-0x0000000000381000-memory.dmp
memory/2220-2-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2220-3-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2220-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2220-9-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2220-10-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2220-12-0x0000000000500000-0x0000000000538000-memory.dmp
memory/2220-11-0x00000000740A0000-0x000000007478E000-memory.dmp
memory/2220-13-0x0000000004990000-0x00000000049D0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarB1BA.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2220-51-0x00000000740A0000-0x000000007478E000-memory.dmp
memory/2220-52-0x0000000004990000-0x00000000049D0000-memory.dmp
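The behavioral1 rows above show the pattern an analyst wants to pull out of this report automatically: smes.exe (PID 2208) writes into a freshly started MSBuild.exe (PID 2220) and then calls SetThreadContext on it, which is the classic injection / hollowing sequence into a signed .NET host; the hosted code then looks up its external IP via ifconfig.me and opens TCP 587 to bhavnatutor.com, a mail submission port, which is consistent with log delivery over SMTP (the report shows the connection, not its payload). The script below is an added example of analyst tooling, not part of the sandbox report or the Phoenix Keylogger sample. The signature, network and memory-dump records are constructed to mirror the rows on this page; the dict layout, the field names, the LOLBin host list, the external-IP service list and the mail port list are this script's own assumptions.

```python
"""Correlate sandbox signature, network and memory-dump rows into one
injection-plus-exfiltration finding (added example, not from the report)."""
import re
from collections import defaultdict

# Analyst-maintained lists: assumptions of this script, not from the report.
LOLBIN_TARGETS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
EXTERNAL_IP_SERVICES = {"ifconfig.me", "api.ipify.org", "icanhazip.com"}
MAIL_SUBMISSION_PORTS = {25, 465, 587}

SMES = r"C:\Users\Admin\AppData\Local\Temp\smes.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed rows mirroring behavioral1 (Description / Process / Target).
SIGNATURES = [{"name": "Suspicious use of WriteProcessMemory",
               "desc": "PID 2208 wrote to memory of 2220",
               "process": SMES, "target": MSBUILD}] * 6 + [
    {"name": "Suspicious use of SetThreadContext",
     "desc": "PID 2208 set thread context of 2220",
     "process": SMES, "target": MSBUILD},
    {"name": "Suspicious use of AdjustPrivilegeToken",
     "desc": "Token: SeDebugPrivilege", "process": MSBUILD, "target": None},
]
NETWORK = [  # constructed rows mirroring the Network table
    {"dst": "8.8.8.8:53", "domain": "ifconfig.me", "proto": "udp"},
    {"dst": "34.160.111.145:80", "domain": "ifconfig.me", "proto": "tcp"},
    {"dst": "8.8.8.8:53", "domain": "bhavnatutor.com", "proto": "udp"},
    {"dst": "162.211.86.20:587", "domain": "bhavnatutor.com", "proto": "tcp"},
]
DUMPS = [  # constructed names mirroring the Files section
    "memory/2208-0-0x00000000003A0000-0x00000000003BF000-memory.dmp",
    "memory/2220-2-0x0000000000400000-0x0000000000424000-memory.dmp",
    "memory/2220-3-0x0000000000400000-0x0000000000424000-memory.dmp",
    "memory/2220-12-0x0000000000500000-0x0000000000538000-memory.dmp",
]

PID_PAIR = re.compile(r"PID (\d+) (?:wrote to memory of|set thread context of) (\d+)")
DUMP_NAME = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def injection_chains(signatures):
    """Count cross-process writes and thread-context changes per (src, dst) PID."""
    chains = defaultdict(lambda: {"writes": 0, "ctx": 0, "target": None})
    for sig in signatures:
        m = PID_PAIR.search(sig["desc"] or "")
        if not m:
            continue
        chain = chains[(int(m.group(1)), int(m.group(2)))]
        chain["target"] = sig["target"]
        if "WriteProcessMemory" in sig["name"]:
            chain["writes"] += 1
        elif "SetThreadContext" in sig["name"]:
            chain["ctx"] += 1
    return dict(chains)


def hollowing_findings(signatures):
    """Writes into another PID combined with SetThreadContext on it = injection;
    also note whether the host is a signed living-off-the-land binary."""
    findings = []
    for (src, dst), chain in injection_chains(signatures).items():
        if src != dst and chain["writes"] and chain["ctx"]:
            image = (chain["target"] or "").rsplit("\\", 1)[-1].lower()
            findings.append({"source_pid": src, "target_pid": dst,
                             "target_image": image,
                             "lolbin_host": image in LOLBIN_TARGETS,
                             "writes": chain["writes"]})
    return findings


def exfil_findings(network):
    """External-IP lookup over TCP plus a TCP connection to a mail submission port."""
    lookups = sorted({n["domain"] for n in network
                      if n["proto"] == "tcp" and n["domain"] in EXTERNAL_IP_SERVICES})
    mail = [n["dst"] for n in network if n["proto"] == "tcp"
            and int(n["dst"].rsplit(":", 1)[1]) in MAIL_SUBMISSION_PORTS]
    return {"external_ip_lookup": lookups, "mail_endpoints": mail}


def dump_regions(dumps, pid):
    """Distinct (base, size) regions dumped for one PID, lowest base first."""
    regions = set()
    for name in dumps:
        m = DUMP_NAME.match(name)
        if m and int(m.group(1)) == pid:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions.add((start, end - start))
    return sorted(regions)


def triage(signatures, network, dumps):
    """Join the three views: injection chain, its dumped regions, and exfil path."""
    injections = hollowing_findings(signatures)
    for f in injections:
        f["target_regions"] = dump_regions(dumps, f["target_pid"])
    exfil = exfil_findings(network)
    hit = any(f["lolbin_host"] for f in injections) and bool(exfil["mail_endpoints"])
    return {"injection": injections, "exfil": exfil,
            "verdict": "injection into LOLBin host with mail exfil" if hit else "inconclusive"}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SIGNATURES, NETWORK, DUMPS), indent=2))
```

The verdict deliberately requires both halves: a write-plus-SetThreadContext chain into a LOLBin host on its own also fires on some packers and debuggers, and a port 587 connection on its own is ordinary mail traffic; it is the combination, with the 0x400000 region of the target process dumped repeatedly (the image area a hollowed host gets overwritten in), that makes this report read as a keylogger staging its log upload. Run the same functions over the behavioral2 rows (PIDs 1560 and 3760) and they yield the same finding.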
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-27 09:06
Reported
2023-08-27 09:08
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ifconfig.me | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1560 set thread context of 3760 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1560 wrote to memory of 3760 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 1560 wrote to memory of 3760 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 1560 wrote to memory of 3760 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 1560 wrote to memory of 3760 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 1560 wrote to memory of 3760 | N/A | C:\Users\Admin\AppData\Local\Temp\smes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\smes.exe
"C:\Users\Admin\AppData\Local\Temp\smes.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.5.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ifconfig.me | udp |
| US | 34.160.111.145:80 | ifconfig.me | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.111.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bhavnatutor.com | udp |
| US | 162.211.86.20:587 | bhavnatutor.com | tcp |
| US | 8.8.8.8:53 | 20.86.211.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
memory/1560-0-0x00000000034E0000-0x00000000034FF000-memory.dmp
memory/1560-1-0x0000000003500000-0x0000000003501000-memory.dmp
memory/3760-2-0x0000000000600000-0x0000000000624000-memory.dmp
memory/3760-6-0x00000000742A0000-0x0000000074A50000-memory.dmp
memory/3760-7-0x0000000004C90000-0x0000000004CA0000-memory.dmp
memory/3760-8-0x0000000005710000-0x0000000005CB4000-memory.dmp
memory/3760-9-0x0000000005200000-0x000000000529C000-memory.dmp
memory/3760-10-0x0000000005650000-0x00000000056B6000-memory.dmp
memory/3760-11-0x00000000064C0000-0x0000000006552000-memory.dmp
memory/3760-12-0x0000000006490000-0x000000000649A000-memory.dmp
memory/3760-13-0x00000000742A0000-0x0000000074A50000-memory.dmp
memory/3760-14-0x0000000004C90000-0x0000000004CA0000-memory.dmp