e76fd13e0c13f3bf664941314b483e4d42d16a158c936952cc58affa2c17059c

General

Target

002861ccdfb512ef404a945db6447fcf.exe
Size

954KB
MD5

002861ccdfb512ef404a945db6447fcf
SHA1

633d4e8a0ce38b51feb830c398110d18b3a64721
SHA256

e76fd13e0c13f3bf664941314b483e4d42d16a158c936952cc58affa2c17059c
SHA512

e8896e8dc07be99d8351f8e59ce6ef4874df6b944f022b0b918d7bf6b4693232312efd6123bb834128ca23634872dd0f31f3f1a7d73be78cc1f2c5f5735591b0
SSDEEP

24576:gy91Ecn8uOA9Y53v0jMxmxgMNsAgji4GRDX1rQ6kF+o1ca+Nq:/HEkV/gxmWMaAgrcDlrQ6kIo1c

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
860	smsk.exe

Loads dropped DLL 4 IoCs

pid	Process
860	smsk.exe
860	smsk.exe
860	smsk.exe
860	smsk.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	smsk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	smsk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	smsk.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\IESettingSync	smsk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	smsk.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
860	smsk.exe
860	smsk.exe
860	smsk.exe
860	smsk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 860	1848	002861ccdfb512ef404a945db6447fcf.exe	89
PID 1848 wrote to memory of 860	1848	002861ccdfb512ef404a945db6447fcf.exe	89
PID 1848 wrote to memory of 860	1848	002861ccdfb512ef404a945db6447fcf.exe	89

C:\Users\Admin\AppData\Local\Temp\002861ccdfb512ef404a945db6447fcf.exe
"C:\Users\Admin\AppData\Local\Temp\002861ccdfb512ef404a945db6447fcf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\smsk.exe
  C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.txt

Filesize
1B

MD5
7215ee9c7d9dc229d2921a40e899ec5f

SHA1
b858cb282617fb0956d960215c8e84d1ccf909c6

SHA256
36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

SHA512
f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggxs.htm

Filesize
2KB

MD5
0b55a6f4a20fe6f6ceeb8ccf8ee53b36

SHA1
865758ea7191cff22ea4e023494d58bbcafdab15

SHA256
e5843ac010c8e5ad0e2a934cd53530935ec18ffaa84ddc452d80d98c3c81be75

SHA512
9252aef1c3a7cbfbc478b0a91a9ecb1540f2234b650714747c4ffb52a14263018bd8acd1f6c75bd83e78be4452cf4b54e06d931f2867bf54de3f115b1b2b6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsk.dll

Filesize
374KB

MD5
29a382858882ead96b7e69b32135147b

SHA1
10e7a8a2a9910b8ac2cdfb105f537ff7d08f7d49

SHA256
c6b37038ca2cb457c77cb01f5864abca4167dc1860a6b1bcd6d25aa33080b37b

SHA512
49a285b1e2425d2860ef4dd319f5667fd0bd508c25688e69c2e98e51f5f44ed667ab1b85182993b97a999089c12af8df625fed42f4943b05c63b16a84707f198

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsk.exe

Filesize
450KB

MD5
596c82092d43de1a2b94eecf966aee3f

SHA1
a90e6374ebd7c6f1028b7955d12f71788ebd3e43

SHA256
9500865fadbbe24d9017b77ad9cc098dc8b77ca9c9557c1d7b2d7b6eb092471f

SHA512
6fd9730800f65c235ebf56a99a92f82d7071f8d057426045b5e7dad82db17e561a755c94bbff2f9563554b70d5175d6e5d3db392617199c8aa5503509f3ab977

Download Submit
C:\Users\Admin\AppData\Local\Temp\smsk.exe

Filesize
323KB

MD5
718a66d97def00d592433fe43317ffb8

SHA1
be519a41cf3b8bb81ad4272f0fa2044c4a25759d

SHA256
b3f4d2d377767a70c592ad5cb8616b53dbaf037bdaa067f1a4c17bd77084b9b6

SHA512
98e990fd4ccd9f8c8d722b812bd33bb479d35e5b010217ac15b2783ead6ad43481c86a33bb0791b6997ab5e7f88a4900830bbf69e3eb09a522c6d0033dfa51cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.dll

Filesize
58KB

MD5
b00722fe169cd9c299ed680cf1f70f9d

SHA1
d6866e9374f6bc200b79e421b6e49d73e72494a1

SHA256
931e28058383f653f1fd61878fe9dc912e04349b3a55310640069e50f041081b

SHA512
7d6e4be30e33fced995ce38e44870e00fdcfd05f955fcbd2d90658e8d42809fa910493e1ac0839a6b20e472c4f06d7a2f70122ac586d7c71d1264c7e7bef917f

Download Submit
memory/860-17-0x0000000000C20000-0x0000000000C33000-memory.dmp

Filesize
76KB

Download
memory/1848-8-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1848-0-0x0000000000400000-0x0000000000905000-memory.dmp

Filesize
5.0MB

Download
memory/1848-2-0x0000000000400000-0x0000000000905000-memory.dmp

Filesize
5.0MB

Download
memory/1848-1-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1848-23-0x0000000000400000-0x0000000000905000-memory.dmp

Filesize
5.0MB

Download
memory/1848-24-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads