Overview
overview
7Static
static
7LVANLYS.DLL.4.dll
windows7-x64
1LVANLYS.DLL.4.dll
windows10-2004-x64
1LVZLIB.DLL.5.dll
windows7-x64
3LVZLIB.DLL.5.dll
windows10-2004-x64
3SMARTSOFTS....1.exe
windows7-x64
1SMARTSOFTS....1.exe
windows10-2004-x64
3smartsoft_...ll.msi
windows7-x64
7smartsoft_...ll.msi
windows10-2004-x64
7smartsoft_...se.rtf
windows7-x64
4smartsoft_...se.rtf
windows10-2004-x64
1smartsoft_...up.exe
windows7-x64
7smartsoft_...up.exe
windows10-2004-x64
7smartsoft_...09.dll
windows7-x64
1smartsoft_...09.dll
windows10-2004-x64
1merged.msi
windows7-x64
7merged.msi
windows10-2004-x64
7smartsoft_...ie.exe
windows7-x64
1smartsoft_...ie.exe
windows10-2004-x64
1Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
07/11/2023, 14:34
Behavioral task
behavioral1
Sample
LVANLYS.DLL.4.dll
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral2
Sample
LVANLYS.DLL.4.dll
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
LVZLIB.DLL.5.dll
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral4
Sample
LVZLIB.DLL.5.dll
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
SMARTSOFTSSI.EXE.1.exe
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral6
Sample
SMARTSOFTSSI.EXE.1.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
smartsoft_4.1.7/bin/dp/install.msi
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral8
Sample
smartsoft_4.1.7/bin/dp/install.msi
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
smartsoft_4.1.7/license/SmartSoft SSI License.rtf
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral10
Sample
smartsoft_4.1.7/license/SmartSoft SSI License.rtf
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
smartsoft_4.1.7/setup.exe
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral12
Sample
smartsoft_4.1.7/setup.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
smartsoft_4.1.7/supportfiles/customResource0009.dll
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral14
Sample
smartsoft_4.1.7/supportfiles/customResource0009.dll
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
merged.msi
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral16
Sample
merged.msi
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
smartsoft_4.1.7/supportfiles/niPie.exe
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral18
Sample
smartsoft_4.1.7/supportfiles/niPie.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
General
-
Target
merged.msi
-
Size
1.4MB
-
MD5
cdbfcb13ea6bc3eaf18374bdff15fb68
-
SHA1
b6a201bca8b103e24394c44928ea1a0079ba3dc3
-
SHA256
171a0fe1c4969e3c669671f8725d99af7db37d7aa0268c1f8cd4bfdb9ff57f20
-
SHA512
8a87ac6d5597630ba46979d411c0661837e10b9d9eae28ca8e2fc0a9146267aa1287a2ced5d99772ff3d64f35d10d5c3a459154e67228e89ee07d3fff2a4e3a5
-
SSDEEP
24576:X8Ccnb7Ms/ZEcgqGqIWoVL6o/IfFpenMK1tOeKRuHw6NXViqGqDr:XTmwy5mVGngOeZHxX
Malware Config
Signatures
-
Loads dropped DLL 4 IoCs
pid Process 2984 MsiExec.exe 2984 MsiExec.exe 2984 MsiExec.exe 2984 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2964 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2964 msiexec.exe Token: SeIncreaseQuotaPrivilege 2964 msiexec.exe Token: SeRestorePrivilege 2848 msiexec.exe Token: SeTakeOwnershipPrivilege 2848 msiexec.exe Token: SeSecurityPrivilege 2848 msiexec.exe Token: SeCreateTokenPrivilege 2964 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2964 msiexec.exe Token: SeLockMemoryPrivilege 2964 msiexec.exe Token: SeIncreaseQuotaPrivilege 2964 msiexec.exe Token: SeMachineAccountPrivilege 2964 msiexec.exe Token: SeTcbPrivilege 2964 msiexec.exe Token: SeSecurityPrivilege 2964 msiexec.exe Token: SeTakeOwnershipPrivilege 2964 msiexec.exe Token: SeLoadDriverPrivilege 2964 msiexec.exe Token: SeSystemProfilePrivilege 2964 msiexec.exe Token: SeSystemtimePrivilege 2964 msiexec.exe Token: SeProfSingleProcessPrivilege 2964 msiexec.exe Token: SeIncBasePriorityPrivilege 2964 msiexec.exe Token: SeCreatePagefilePrivilege 2964 msiexec.exe Token: SeCreatePermanentPrivilege 2964 msiexec.exe Token: SeBackupPrivilege 2964 msiexec.exe Token: SeRestorePrivilege 2964 msiexec.exe Token: SeShutdownPrivilege 2964 msiexec.exe Token: SeDebugPrivilege 2964 msiexec.exe Token: SeAuditPrivilege 2964 msiexec.exe Token: SeSystemEnvironmentPrivilege 2964 msiexec.exe Token: SeChangeNotifyPrivilege 2964 msiexec.exe Token: SeRemoteShutdownPrivilege 2964 msiexec.exe Token: SeUndockPrivilege 2964 msiexec.exe Token: SeSyncAgentPrivilege 2964 msiexec.exe Token: SeEnableDelegationPrivilege 2964 msiexec.exe Token: SeManageVolumePrivilege 2964 msiexec.exe Token: SeImpersonatePrivilege 2964 msiexec.exe Token: SeCreateGlobalPrivilege 2964 msiexec.exe Token: SeCreateTokenPrivilege 2964 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2964 msiexec.exe Token: SeLockMemoryPrivilege 2964 msiexec.exe Token: SeIncreaseQuotaPrivilege 2964 msiexec.exe Token: SeMachineAccountPrivilege 2964 msiexec.exe Token: SeTcbPrivilege 2964 msiexec.exe Token: SeSecurityPrivilege 2964 msiexec.exe Token: SeTakeOwnershipPrivilege 2964 msiexec.exe Token: SeLoadDriverPrivilege 2964 msiexec.exe Token: SeSystemProfilePrivilege 2964 msiexec.exe Token: SeSystemtimePrivilege 2964 msiexec.exe Token: SeProfSingleProcessPrivilege 2964 msiexec.exe Token: SeIncBasePriorityPrivilege 2964 msiexec.exe Token: SeCreatePagefilePrivilege 2964 msiexec.exe Token: SeCreatePermanentPrivilege 2964 msiexec.exe Token: SeBackupPrivilege 2964 msiexec.exe Token: SeRestorePrivilege 2964 msiexec.exe Token: SeShutdownPrivilege 2964 msiexec.exe Token: SeDebugPrivilege 2964 msiexec.exe Token: SeAuditPrivilege 2964 msiexec.exe Token: SeSystemEnvironmentPrivilege 2964 msiexec.exe Token: SeChangeNotifyPrivilege 2964 msiexec.exe Token: SeRemoteShutdownPrivilege 2964 msiexec.exe Token: SeUndockPrivilege 2964 msiexec.exe Token: SeSyncAgentPrivilege 2964 msiexec.exe Token: SeEnableDelegationPrivilege 2964 msiexec.exe Token: SeManageVolumePrivilege 2964 msiexec.exe Token: SeImpersonatePrivilege 2964 msiexec.exe Token: SeCreateGlobalPrivilege 2964 msiexec.exe Token: SeCreateTokenPrivilege 2964 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2964 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2848 wrote to memory of 2984 2848 msiexec.exe 29 PID 2848 wrote to memory of 2984 2848 msiexec.exe 29 PID 2848 wrote to memory of 2984 2848 msiexec.exe 29 PID 2848 wrote to memory of 2984 2848 msiexec.exe 29 PID 2848 wrote to memory of 2984 2848 msiexec.exe 29 PID 2848 wrote to memory of 2984 2848 msiexec.exe 29 PID 2848 wrote to memory of 2984 2848 msiexec.exe 29
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\merged.msi1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2964
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B1BAAAC7F38152D971BBD0A4E7A053C9 C2⤵
- Loads dropped DLL
PID:2984
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
590KB
MD57b2e16b40253b3664bd209416e40d832
SHA10b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26
SHA2565479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a
SHA512425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d
-
Filesize
590KB
MD57b2e16b40253b3664bd209416e40d832
SHA10b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26
SHA2565479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a
SHA512425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d
-
Filesize
590KB
MD57b2e16b40253b3664bd209416e40d832
SHA10b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26
SHA2565479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a
SHA512425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d
-
Filesize
590KB
MD57b2e16b40253b3664bd209416e40d832
SHA10b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26
SHA2565479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a
SHA512425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d
-
Filesize
590KB
MD57b2e16b40253b3664bd209416e40d832
SHA10b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26
SHA2565479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a
SHA512425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d
-
Filesize
590KB
MD57b2e16b40253b3664bd209416e40d832
SHA10b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26
SHA2565479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a
SHA512425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d
-
Filesize
590KB
MD57b2e16b40253b3664bd209416e40d832
SHA10b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26
SHA2565479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a
SHA512425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d
-
Filesize
590KB
MD57b2e16b40253b3664bd209416e40d832
SHA10b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26
SHA2565479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a
SHA512425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d
-
Filesize
590KB
MD57b2e16b40253b3664bd209416e40d832
SHA10b8f4c27d7c366e19ebdfa6dcc4540ef46f76f26
SHA2565479a842ede9595a950bbc70a1fa52622f64fc80971aef689c22701ffc506c9a
SHA512425d57105dc80008f06c96af06726b470d753f32f5159706a20579fbafa1465055c2605da754b51644e0171a6be1fe374c0003d507c8827515341c1628eea94d