f41361260452ca88234175b4ab0aaa458178fb5c22a4798b4c68cafd3602e11d

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smartsoft_4.1.7/setup.exe
Size

1.4MB
MD5

fe5c2e1333b4477d029dedc9c1b5dd4d
SHA1

ce7e5a597b98eb1ec36a48e4368997b787228544
SHA256

fc91558efb40b16dd9f6b0e93c972a0f1ff85cad3ddefdd7028c2628d75a9ab9
SHA512

04892dfb3d356952a3bd4cac9026a3fac52b220af6b8a6371e81293483dbdeb76f08e8182ae0301dedef4d2904a6c113d02d8d48307fe498a428b595b0ec03b4
SSDEEP

24576:wJx22KNk+2ygEZZU6xUohcGGopn9iWsq/A9fzIDODmJfbtvyYtQEnRA2S/Y:w+29+2yn5+ohcGHpn97s7JzIa6dY4/RC

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3016	MsiExec.exe
3016	MsiExec.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral12/memory/2544-0-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral12/memory/2544-1-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral12/memory/2544-32-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral12/memory/2544-35-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral12/memory/2544-36-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral12/memory/2544-41-0x0000000000400000-0x0000000000930000-memory.dmp	upx

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	setup.exe
File opened (read-only)	\??\U:	setup.exe
File opened (read-only)	\??\V:	setup.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	setup.exe
File opened (read-only)	\??\L:	setup.exe
File opened (read-only)	\??\O:	setup.exe
File opened (read-only)	\??\P:	setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	setup.exe
File opened (read-only)	\??\K:	setup.exe
File opened (read-only)	\??\M:	setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	setup.exe
File opened (read-only)	\??\T:	setup.exe
File opened (read-only)	\??\Z:	setup.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	setup.exe
File opened (read-only)	\??\H:	setup.exe
File opened (read-only)	\??\I:	setup.exe
File opened (read-only)	\??\W:	setup.exe
File opened (read-only)	\??\X:	setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	setup.exe
File opened (read-only)	\??\Q:	setup.exe
File opened (read-only)	\??\S:	setup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3748	msiexec.exe
Token: SeCreateTokenPrivilege	2544	setup.exe
Token: SeAssignPrimaryTokenPrivilege	2544	setup.exe
Token: SeLockMemoryPrivilege	2544	setup.exe
Token: SeIncreaseQuotaPrivilege	2544	setup.exe
Token: SeMachineAccountPrivilege	2544	setup.exe
Token: SeTcbPrivilege	2544	setup.exe
Token: SeSecurityPrivilege	2544	setup.exe
Token: SeTakeOwnershipPrivilege	2544	setup.exe
Token: SeLoadDriverPrivilege	2544	setup.exe
Token: SeSystemProfilePrivilege	2544	setup.exe
Token: SeSystemtimePrivilege	2544	setup.exe
Token: SeProfSingleProcessPrivilege	2544	setup.exe
Token: SeIncBasePriorityPrivilege	2544	setup.exe
Token: SeCreatePagefilePrivilege	2544	setup.exe
Token: SeCreatePermanentPrivilege	2544	setup.exe
Token: SeBackupPrivilege	2544	setup.exe
Token: SeRestorePrivilege	2544	setup.exe
Token: SeShutdownPrivilege	2544	setup.exe
Token: SeDebugPrivilege	2544	setup.exe
Token: SeAuditPrivilege	2544	setup.exe
Token: SeSystemEnvironmentPrivilege	2544	setup.exe
Token: SeChangeNotifyPrivilege	2544	setup.exe
Token: SeRemoteShutdownPrivilege	2544	setup.exe
Token: SeUndockPrivilege	2544	setup.exe
Token: SeSyncAgentPrivilege	2544	setup.exe
Token: SeEnableDelegationPrivilege	2544	setup.exe
Token: SeManageVolumePrivilege	2544	setup.exe
Token: SeImpersonatePrivilege	2544	setup.exe
Token: SeCreateGlobalPrivilege	2544	setup.exe
Token: SeCreateTokenPrivilege	2544	setup.exe
Token: SeAssignPrimaryTokenPrivilege	2544	setup.exe
Token: SeLockMemoryPrivilege	2544	setup.exe
Token: SeIncreaseQuotaPrivilege	2544	setup.exe
Token: SeMachineAccountPrivilege	2544	setup.exe
Token: SeTcbPrivilege	2544	setup.exe
Token: SeSecurityPrivilege	2544	setup.exe
Token: SeTakeOwnershipPrivilege	2544	setup.exe
Token: SeLoadDriverPrivilege	2544	setup.exe
Token: SeSystemProfilePrivilege	2544	setup.exe
Token: SeSystemtimePrivilege	2544	setup.exe
Token: SeProfSingleProcessPrivilege	2544	setup.exe
Token: SeIncBasePriorityPrivilege	2544	setup.exe
Token: SeCreatePagefilePrivilege	2544	setup.exe
Token: SeCreatePermanentPrivilege	2544	setup.exe
Token: SeBackupPrivilege	2544	setup.exe
Token: SeRestorePrivilege	2544	setup.exe
Token: SeShutdownPrivilege	2544	setup.exe
Token: SeDebugPrivilege	2544	setup.exe
Token: SeAuditPrivilege	2544	setup.exe
Token: SeSystemEnvironmentPrivilege	2544	setup.exe
Token: SeChangeNotifyPrivilege	2544	setup.exe
Token: SeRemoteShutdownPrivilege	2544	setup.exe
Token: SeUndockPrivilege	2544	setup.exe
Token: SeSyncAgentPrivilege	2544	setup.exe
Token: SeEnableDelegationPrivilege	2544	setup.exe
Token: SeManageVolumePrivilege	2544	setup.exe
Token: SeImpersonatePrivilege	2544	setup.exe
Token: SeCreateGlobalPrivilege	2544	setup.exe
Token: SeCreateTokenPrivilege	2544	setup.exe
Token: SeAssignPrimaryTokenPrivilege	2544	setup.exe
Token: SeLockMemoryPrivilege	2544	setup.exe
Token: SeIncreaseQuotaPrivilege	2544	setup.exe
Token: SeMachineAccountPrivilege	2544	setup.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2544	setup.exe
2544	setup.exe
2544	setup.exe
2544	setup.exe
2544	setup.exe
2544	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 3016	3748	msiexec.exe	94
PID 3748 wrote to memory of 3016	3748	msiexec.exe	94
PID 3748 wrote to memory of 3016	3748	msiexec.exe	94

C:\Users\Admin\AppData\Local\Temp\smartsoft_4.1.7\setup.exe
"C:\Users\Admin\AppData\Local\Temp\smartsoft_4.1.7\setup.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1DAFBE1B44120ED37548017B6DCAF9EE C
  2⤵
  - Loads dropped DLL
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIFA8C.tmp

Filesize
590KB

MD5
7b2e16b40253b3664bd209416e40d832

SHA1
0b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26

SHA256
5479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a

SHA512
425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFA8C.tmp

Filesize
590KB

MD5
7b2e16b40253b3664bd209416e40d832

SHA1
0b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26

SHA256
5479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a

SHA512
425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFBE5.tmp

Filesize
590KB

MD5
7b2e16b40253b3664bd209416e40d832

SHA1
0b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26

SHA256
5479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a

SHA512
425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFBE5.tmp

Filesize
590KB

MD5
7b2e16b40253b3664bd209416e40d832

SHA1
0b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26

SHA256
5479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a

SHA512
425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nii31194\merged.bin

Filesize
1.4MB

MD5
829e929f9e880ffded2995dc46a4cd3e

SHA1
10c60445d697dbd652895fa19405399e9979d200

SHA256
3dc8c2e2c5d9dd8f01e6bb9c6bb3810e24bb94df210f29299708ff192ddd9979

SHA512
9d880b5ce0ffc8b2076ea08f80649bd3b2eaebc73c9b14497c5481cf0ed96121a268ed081e77a8bbbe9b9fc5c16c0cf6d2d9fd74b3ff84583ea62f0de62bc081

Download Submit
memory/2544-0-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2544-1-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2544-32-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2544-35-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2544-36-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2544-41-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download