7680beb83da8a5c2c2b6ba1cdd9254732888872abd8a30dcb822e223a6684555

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

getsmiledemo.exe
Size

4.0MB
MD5

3fac2a18e57b66b1fa48d43be4ac0227
SHA1

e6ec33353aa38dde614f85dfc9dc85e96eef224c
SHA256

fde759faba4fb78cf3470ae91e64aac409eba8d1f6702e29530a373f0744d6c7
SHA512

08471dee2fc3fa0581db0e7e578e4dbccc3fa6256e4788ffce62ee8ffc72457140eecb0997da7c5fc6d02bde3a07a77c00ab1e5d7c5c5782a0a0f38378fdd306
SSDEEP

98304:dBwyjv3zWVXV5MhNVDIZzngulwBOiZ6rQ2aF5k5O37:zFvzYqNxongu0OcAQ57kEr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2124	is-C3MRN.tmp

Loads dropped DLL 3 IoCs

pid	Process
2260	getsmiledemo.exe
2124	is-C3MRN.tmp
2124	is-C3MRN.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2124	is-C3MRN.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2124	2260	getsmiledemo.exe	28
PID 2260 wrote to memory of 2124	2260	getsmiledemo.exe	28
PID 2260 wrote to memory of 2124	2260	getsmiledemo.exe	28
PID 2260 wrote to memory of 2124	2260	getsmiledemo.exe	28
PID 2260 wrote to memory of 2124	2260	getsmiledemo.exe	28
PID 2260 wrote to memory of 2124	2260	getsmiledemo.exe	28
PID 2260 wrote to memory of 2124	2260	getsmiledemo.exe	28

C:\Users\Admin\AppData\Local\Temp\getsmiledemo.exe
"C:\Users\Admin\AppData\Local\Temp\getsmiledemo.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\is-D0MU8.tmp\is-C3MRN.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D0MU8.tmp\is-C3MRN.tmp" /SL4 $70120 "C:\Users\Admin\AppData\Local\Temp\getsmiledemo.exe" 3896598 52736
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-D0MU8.tmp\is-C3MRN.tmp

Filesize
157KB

MD5
0d96844713fa734951181fe7e57d3d7e

SHA1
e0b5b4be2c2e9da7bf91968810f4f472cc69de9d

SHA256
3e61bd66e76fa3595082a781a18032656b9a9f9af3c12f3716fabe40b0e818cf

SHA512
3c56e85ba7549a11bc31ef6b6d3e898407e8aba09ae75afc1d96be36639784285d7778cb3253915cc5ffc16b5a891e99aacfef582119c596d79d191ff3227a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0MU8.tmp\is-C3MRN.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
\Users\Admin\AppData\Local\Temp\is-D0MU8.tmp\is-C3MRN.tmp

Filesize
531KB

MD5
df70a50c6a3aea78a51b974c095f9ccc

SHA1
484ea72a78b558f0e0a0b063d5c484de06712b96

SHA256
7a2d3d609b3f57d935626e1538b9f1ad49ecd53e0dc5762bf08392e7b54dcec3

SHA512
c641833962fdbbb0034ac7bd7a13b636aab7217b087a65836c748209c74b56996dc3a06a4abb670eebbded43333c40f06fcf189ee08d3d20b902212a10ffe7ed

Download Submit
\Users\Admin\AppData\Local\Temp\is-GSIVA.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2124-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2124-18-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2124-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2260-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2260-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download