e76fd13e0c13f3bf664941314b483e4d42d16a158c936952cc58affa2c17059c

Analysis

max time kernel
121s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

002861ccdfb512ef404a945db6447fcf.exe
Size

954KB
MD5

002861ccdfb512ef404a945db6447fcf
SHA1

633d4e8a0ce38b51feb830c398110d18b3a64721
SHA256

e76fd13e0c13f3bf664941314b483e4d42d16a158c936952cc58affa2c17059c
SHA512

e8896e8dc07be99d8351f8e59ce6ef4874df6b944f022b0b918d7bf6b4693232312efd6123bb834128ca23634872dd0f31f3f1a7d73be78cc1f2c5f5735591b0
SSDEEP

24576:gy91Ecn8uOA9Y53v0jMxmxgMNsAgji4GRDX1rQ6kF+o1ca+Nq:/HEkV/gxmWMaAgrcDlrQ6kIo1c

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1468	smsk.exe

Loads dropped DLL 4 IoCs

pid	Process
2008	002861ccdfb512ef404a945db6447fcf.exe
2008	002861ccdfb512ef404a945db6447fcf.exe
1468	smsk.exe
1468	smsk.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	smsk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	smsk.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	smsk.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	smsk.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1468	smsk.exe
1468	smsk.exe
1468	smsk.exe
1468	smsk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1468	2008	002861ccdfb512ef404a945db6447fcf.exe	27
PID 2008 wrote to memory of 1468	2008	002861ccdfb512ef404a945db6447fcf.exe	27
PID 2008 wrote to memory of 1468	2008	002861ccdfb512ef404a945db6447fcf.exe	27
PID 2008 wrote to memory of 1468	2008	002861ccdfb512ef404a945db6447fcf.exe	27

C:\Users\Admin\AppData\Local\Temp\002861ccdfb512ef404a945db6447fcf.exe
"C:\Users\Admin\AppData\Local\Temp\002861ccdfb512ef404a945db6447fcf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\smsk.exe
  C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.txt

Filesize
1B

MD5
7215ee9c7d9dc229d2921a40e899ec5f

SHA1
b858cb282617fb0956d960215c8e84d1ccf909c6

SHA256
36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

SHA512
f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggxs.htm

Filesize
2KB

MD5
0b55a6f4a20fe6f6ceeb8ccf8ee53b36

SHA1
865758ea7191cff22ea4e023494d58bbcafdab15

SHA256
e5843ac010c8e5ad0e2a934cd53530935ec18ffaa84ddc452d80d98c3c81be75

SHA512
9252aef1c3a7cbfbc478b0a91a9ecb1540f2234b650714747c4ffb52a14263018bd8acd1f6c75bd83e78be4452cf4b54e06d931f2867bf54de3f115b1b2b6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsk.dll

Filesize
563KB

MD5
9f5c225a33f1906cae2282495f853aa0

SHA1
3d4b63e57c1688757d0e44fecb170864e1e3a94f

SHA256
8f3f05a473edb637c7eb09bb7ad7a44f352316550bb304c131416a3a41ed9110

SHA512
c916d19d108238b6cf1e1d553b18dee722f6f49a85e40c196f463e556f394ffabb0d92e1a6ed0e1004dc40decb7373aecf401440785e4c6b1d17971b6c82cb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsk.exe

Filesize
728KB

MD5
6ce5c25f7fbd4aac47f61b04fcfef6a7

SHA1
dcb62c309dffd74a234246891e2be3d15dd189cb

SHA256
76800ef608e32f663c517c53b75d5f1cb8eb1040d8ef80d844ed70a989320f53

SHA512
bf1eaa9e4fada4ce0ff85e003e1991d5a3af03ac9eee7b5ec74726f15e0fbcc373a06a9025cc5aad5b0f8f26cd90a0d51757d76f6806e184a8cb2b66704b1058

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsk.exe

Filesize
695KB

MD5
c9aac848d6ff1ca0c65423fd38a5e82b

SHA1
7bee9ac48e5ac5fc69435a62f8ac8624ec897e3f

SHA256
20b675f97edf44d9c4ec2436645ada8bc048948c5ad9ed57ca98ef97be1ad6a4

SHA512
1ce55564d90cb6863dd71e815361bbd4db39ad3843b879431926bb464467508be5d3b6a276453b7a10af5cab93f777a16f363db509ae6c4666e494a956541351

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsk.exe

Filesize
404KB

MD5
89321b8eefdef8fff3f496070f28fbcf

SHA1
0d87ccbac8bb3414d507ef0bd2fcfbd9924dcd8e

SHA256
76e6a1b0ef66120e8a2604fe3d7e14343d6cdf47d9c962b517a51bb9d2a66b03

SHA512
2cffe54f3f8aa0ab12dae9c4263dedbe24837d4ae95f5b53864a8a0e038312c3513152c334b6112f8e4ce8fe2c30160a62d5128e80eeef796e4679cddc50814f

Download Submit
\Users\Admin\AppData\Local\Temp\smsk.exe

Filesize
734KB

MD5
87b6afeb9d16ae3570a075d9795f4d81

SHA1
e989fe5dc134e0b2d1acc3bb58a2ba75885f9277

SHA256
78c9217d201ea9c5d49535535cebd8e282289a00b0800502e9eefbfb6df2da0a

SHA512
6ad024a64e4f4b6a4ca2714703fba5cf041e286fe5d4ddecf27e04bfa6776fcee2e92ff4b31950e096e7991839da95dbcacb8a4c92a1360189b634a8cd838c57

Download Submit
\Users\Admin\AppData\Local\Temp\smsk.exe

Filesize
727KB

MD5
1e07511fb6ae4101ba4a94245c19097b

SHA1
d3651a21349ea42e9ef8ebb5ea1124576d5008ba

SHA256
d0f55ee103c6e139380370f180b186243acd98bbf8fd6f2ae86db1dad8d9870b

SHA512
07c55c16340c750f27c584ecf7f96dcb810fa62b6a7494a2cb0e35509fbc7c8cc734cccc483d0e6416189a9058bd362a29386a8f6367c26211f78da86c900d99

Download Submit
\Users\Admin\AppData\Local\Temp\user.dll

Filesize
58KB

MD5
b00722fe169cd9c299ed680cf1f70f9d

SHA1
d6866e9374f6bc200b79e421b6e49d73e72494a1

SHA256
931e28058383f653f1fd61878fe9dc912e04349b3a55310640069e50f041081b

SHA512
7d6e4be30e33fced995ce38e44870e00fdcfd05f955fcbd2d90658e8d42809fa910493e1ac0839a6b20e472c4f06d7a2f70122ac586d7c71d1264c7e7bef917f

Download Submit
memory/1468-20-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/2008-0-0x0000000000400000-0x0000000000905000-memory.dmp

Filesize
5.0MB

Download
memory/2008-5-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2008-2-0x0000000000400000-0x0000000000905000-memory.dmp

Filesize
5.0MB

Download
memory/2008-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2008-31-0x0000000000400000-0x0000000000905000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads