Analysis
max time kernel: 121s
max time network: 142s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 14:15
Static task: static1
Behavioral task: behavioral1
  Sample: 002861ccdfb512ef404a945db6447fcf.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 002861ccdfb512ef404a945db6447fcf.exe
  Resource: win10v2004-20231215-en
General
Target: 002861ccdfb512ef404a945db6447fcf.exe
Size: 954KB
MD5: 002861ccdfb512ef404a945db6447fcf
SHA1: 633d4e8a0ce38b51feb830c398110d18b3a64721
SHA256: e76fd13e0c13f3bf664941314b483e4d42d16a158c936952cc58affa2c17059c
SHA512: e8896e8dc07be99d8351f8e59ce6ef4874df6b944f022b0b918d7bf6b4693232312efd6123bb834128ca23634872dd0f31f3f1a7d73be78cc1f2c5f5735591b0
SSDEEP: 24576:gy91Ecn8uOA9Y53v0jMxmxgMNsAgji4GRDX1rQ6kF+o1ca+Nq:/HEkV/gxmWMaAgrcDlrQ6kIo1c
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid | Process
  1468 | smsk.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  2008 | 002861ccdfb512ef404a945db6447fcf.exe
  2008 | 002861ccdfb512ef404a945db6447fcf.exe
  1468 | smsk.exe
  1468 | smsk.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | smsk.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | smsk.exe
  Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | smsk.exe
  Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | smsk.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  1468 | smsk.exe
  1468 | smsk.exe
  1468 | smsk.exe
  1468 | smsk.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2008 wrote to memory of 1468 | 2008 | 002861ccdfb512ef404a945db6447fcf.exe | 27
  PID 2008 wrote to memory of 1468 | 2008 | 002861ccdfb512ef404a945db6447fcf.exe | 27
  PID 2008 wrote to memory of 1468 | 2008 | 002861ccdfb512ef404a945db6447fcf.exe | 27
  PID 2008 wrote to memory of 1468 | 2008 | 002861ccdfb512ef404a945db6447fcf.exe | 27
Processes

1. C:\Users\Admin\AppData\Local\Temp\002861ccdfb512ef404a945db6447fcf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\002861ccdfb512ef404a945db6447fcf.exe"
   PID: 2008
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\smsk.exe (child of PID 2008)
      Command line: C:\Users\Admin\AppData\Local\Temp
      PID: 1468
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads