42378b1eca3cfe3e71d500781cfe3dd11f82d8b65b848ddd04439b4b9952f5c5

Analysis

max time kernel
0s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08e6a2bb6a202710b693e2940808cef8.exe
Size

272KB
MD5

08e6a2bb6a202710b693e2940808cef8
SHA1

3d57163aa6b2cf8492db3cfb9b878d801fc23c7f
SHA256

42378b1eca3cfe3e71d500781cfe3dd11f82d8b65b848ddd04439b4b9952f5c5
SHA512

a408fb40a778f37ab94da87d6a337f2cb24253d3a437d72a335c8bdfb2a831e469d1296a2435d0a146db6ed7ddd3f468563000f43e9aa725db26c049b3d36839
SSDEEP

6144:6e34wtg75+ZPPfnE2Qyn20UlwkQKrPNHqdtj75+ZPPfnE2Qyn20U:BtgF+ZPPfnEUnFKrPQjF+ZPPfnEUn

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3068	SmartTool.exe

Loads dropped DLL 6 IoCs

pid	Process
2364	08e6a2bb6a202710b693e2940808cef8.exe
2364	08e6a2bb6a202710b693e2940808cef8.exe
2364	08e6a2bb6a202710b693e2940808cef8.exe
2364	08e6a2bb6a202710b693e2940808cef8.exe
2364	08e6a2bb6a202710b693e2940808cef8.exe
960	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2D891923-34B7-4186-9B47-752624535DC1}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SmartTool\SmartTool.dll	08e6a2bb6a202710b693e2940808cef8.exe
File created	C:\Program Files (x86)\SmartTool\SmartTool.exe	08e6a2bb6a202710b693e2940808cef8.exe
File created	C:\Program Files (x86)\SmartTool\adc.acc	08e6a2bb6a202710b693e2940808cef8.exe
File created	C:\Program Files (x86)\SmartTool\Uninstall.exe	08e6a2bb6a202710b693e2940808cef8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\ = "SmartToolCtl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\CLSID\ = "{2D891923-34B7-4186-9B47-752624535DC1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib\ = "{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl.1\CLSID\ = "{2D891923-34B7-4186-9B47-752624535DC1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\VersionIndependentProgID\ = "SmartTool.SmartToolCtl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\0\win32\ = "C:\\Program Files (x86)\\SmartTool\\SmartTool.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\ = "ISmartToolCtl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib\ = "{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\CurVer\ = "SmartTool.SmartToolCtl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SmartTool\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\ProgID\ = "SmartTool.SmartToolCtl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\TypeLib\ = "{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\ = "SmartTool 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32\ = "C:\\Program Files (x86)\\SmartTool\\SmartTool.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\ = "SmartToolCtl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl.1\ = "SmartToolCtl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\ = "ISmartToolCtl"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2364	08e6a2bb6a202710b693e2940808cef8.exe
2364	08e6a2bb6a202710b693e2940808cef8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3068	SmartTool.exe
3068	SmartTool.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 960	2364	08e6a2bb6a202710b693e2940808cef8.exe	21
PID 2364 wrote to memory of 960	2364	08e6a2bb6a202710b693e2940808cef8.exe	21
PID 2364 wrote to memory of 960	2364	08e6a2bb6a202710b693e2940808cef8.exe	21
PID 2364 wrote to memory of 960	2364	08e6a2bb6a202710b693e2940808cef8.exe	21
PID 2364 wrote to memory of 960	2364	08e6a2bb6a202710b693e2940808cef8.exe	21
PID 2364 wrote to memory of 960	2364	08e6a2bb6a202710b693e2940808cef8.exe	21
PID 2364 wrote to memory of 960	2364	08e6a2bb6a202710b693e2940808cef8.exe	21
PID 2364 wrote to memory of 3068	2364	08e6a2bb6a202710b693e2940808cef8.exe	20
PID 2364 wrote to memory of 3068	2364	08e6a2bb6a202710b693e2940808cef8.exe	20
PID 2364 wrote to memory of 3068	2364	08e6a2bb6a202710b693e2940808cef8.exe	20
PID 2364 wrote to memory of 3068	2364	08e6a2bb6a202710b693e2940808cef8.exe	20

C:\Users\Admin\AppData\Local\Temp\08e6a2bb6a202710b693e2940808cef8.exe
"C:\Users\Admin\AppData\Local\Temp\08e6a2bb6a202710b693e2940808cef8.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  PID:2796
- C:\Program Files (x86)\SmartTool\SmartTool.exe
  "C:\Program Files (x86)\SmartTool\SmartTool.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3068
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\SmartTool\SmartTool.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:960

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\SmartTool\SmartTool.dll"
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2364-57-0x0000000074B50000-0x0000000074B59000-memory.dmp

Filesize
36KB

Download
memory/2364-26-0x0000000002A60000-0x0000000002A86000-memory.dmp

Filesize
152KB

Download