ab62b4c70c1555383d7ba77ea0421a5d9c38baeedd9b46e0cbdecca033580708

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/01/2024, 22:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f2ff530e022aa423b1d41f0ca3b59e1.exe
Size

720KB
MD5

3f2ff530e022aa423b1d41f0ca3b59e1
SHA1

80bc6f791d867776f69eb42f9683d27711074b40
SHA256

ab62b4c70c1555383d7ba77ea0421a5d9c38baeedd9b46e0cbdecca033580708
SHA512

f033e00011850024d59cf9e08a5deceaa6adae6a7516371521bcd18196462097ba55fc7166b7fb31d31764d5db233076edacceafbf7e7574d466c5e6db19779c
SSDEEP

12288:pwmdF0kCOTksRBMsXVVDEn7Df8cfPTV39t1QXl2d1q82vRRzZUax9SvgByHAx:pxNTksRBMxn7D8cf53mYoR7Uwxcgx

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2256-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2256-27-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/files/0x0006000000018b5f-124.dat	upx
behavioral1/files/0x0006000000018b75-127.dat	upx
behavioral1/files/0x0006000000018b4d-130.dat	upx
behavioral1/files/0x0006000000018b7e-136.dat	upx

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Process.exe	cmd.exe
File created	C:\Windows\SysWOW64\swsc.exe	cmd.exe
File created	C:\Windows\SysWOW64\SrchSTS.exe	cmd.exe
File created	C:\Windows\SysWOW64\dumphive.exe	cmd.exe
File created	C:\Windows\SysWOW64\swxcacls.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\swxcacls.exe	cmd.exe
File created	C:\Windows\SysWOW64\Process.exe	cmd.exe
File created	C:\Windows\SysWOW64\swreg.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\swreg.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\swsc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SrchSTS.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dumphive.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkntfs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2732	2256	3f2ff530e022aa423b1d41f0ca3b59e1.exe	28
PID 2256 wrote to memory of 2732	2256	3f2ff530e022aa423b1d41f0ca3b59e1.exe	28
PID 2256 wrote to memory of 2732	2256	3f2ff530e022aa423b1d41f0ca3b59e1.exe	28
PID 2256 wrote to memory of 2732	2256	3f2ff530e022aa423b1d41f0ca3b59e1.exe	28
PID 2256 wrote to memory of 2732	2256	3f2ff530e022aa423b1d41f0ca3b59e1.exe	28
PID 2256 wrote to memory of 2732	2256	3f2ff530e022aa423b1d41f0ca3b59e1.exe	28
PID 2256 wrote to memory of 2732	2256	3f2ff530e022aa423b1d41f0ca3b59e1.exe	28
PID 2732 wrote to memory of 2804	2732	cmd.exe	30
PID 2732 wrote to memory of 2804	2732	cmd.exe	30
PID 2732 wrote to memory of 2804	2732	cmd.exe	30
PID 2732 wrote to memory of 2804	2732	cmd.exe	30
PID 2732 wrote to memory of 2804	2732	cmd.exe	30
PID 2732 wrote to memory of 2804	2732	cmd.exe	30
PID 2732 wrote to memory of 2804	2732	cmd.exe	30
PID 2732 wrote to memory of 2752	2732	cmd.exe	31
PID 2732 wrote to memory of 2752	2732	cmd.exe	31
PID 2732 wrote to memory of 2752	2732	cmd.exe	31
PID 2732 wrote to memory of 2752	2732	cmd.exe	31
PID 2732 wrote to memory of 2752	2732	cmd.exe	31
PID 2732 wrote to memory of 2752	2732	cmd.exe	31
PID 2732 wrote to memory of 2752	2732	cmd.exe	31
PID 2732 wrote to memory of 2420	2732	cmd.exe	32
PID 2732 wrote to memory of 2420	2732	cmd.exe	32
PID 2732 wrote to memory of 2420	2732	cmd.exe	32
PID 2732 wrote to memory of 2420	2732	cmd.exe	32
PID 2732 wrote to memory of 2420	2732	cmd.exe	32
PID 2732 wrote to memory of 2420	2732	cmd.exe	32
PID 2732 wrote to memory of 2420	2732	cmd.exe	32
PID 2732 wrote to memory of 3044	2732	cmd.exe	33
PID 2732 wrote to memory of 3044	2732	cmd.exe	33
PID 2732 wrote to memory of 3044	2732	cmd.exe	33
PID 2732 wrote to memory of 3044	2732	cmd.exe	33
PID 2732 wrote to memory of 3044	2732	cmd.exe	33
PID 2732 wrote to memory of 3044	2732	cmd.exe	33
PID 2732 wrote to memory of 3044	2732	cmd.exe	33
PID 2732 wrote to memory of 2848	2732	cmd.exe	34
PID 2732 wrote to memory of 2848	2732	cmd.exe	34
PID 2732 wrote to memory of 2848	2732	cmd.exe	34
PID 2732 wrote to memory of 2848	2732	cmd.exe	34
PID 2732 wrote to memory of 2848	2732	cmd.exe	34
PID 2732 wrote to memory of 2848	2732	cmd.exe	34
PID 2732 wrote to memory of 2848	2732	cmd.exe	34
PID 2732 wrote to memory of 2736	2732	cmd.exe	35
PID 2732 wrote to memory of 2736	2732	cmd.exe	35
PID 2732 wrote to memory of 2736	2732	cmd.exe	35
PID 2732 wrote to memory of 2736	2732	cmd.exe	35
PID 2732 wrote to memory of 2736	2732	cmd.exe	35
PID 2732 wrote to memory of 2736	2732	cmd.exe	35
PID 2732 wrote to memory of 2736	2732	cmd.exe	35
PID 2732 wrote to memory of 2608	2732	cmd.exe	36
PID 2732 wrote to memory of 2608	2732	cmd.exe	36
PID 2732 wrote to memory of 2608	2732	cmd.exe	36
PID 2732 wrote to memory of 2608	2732	cmd.exe	36
PID 2732 wrote to memory of 2608	2732	cmd.exe	36
PID 2732 wrote to memory of 2608	2732	cmd.exe	36
PID 2732 wrote to memory of 2608	2732	cmd.exe	36
PID 2732 wrote to memory of 2660	2732	cmd.exe	37
PID 2732 wrote to memory of 2660	2732	cmd.exe	37
PID 2732 wrote to memory of 2660	2732	cmd.exe	37
PID 2732 wrote to memory of 2660	2732	cmd.exe	37
PID 2732 wrote to memory of 2660	2732	cmd.exe	37
PID 2732 wrote to memory of 2660	2732	cmd.exe	37
PID 2732 wrote to memory of 2660	2732	cmd.exe	37
PID 2732 wrote to memory of 2860	2732	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\3f2ff530e022aa423b1d41f0ca3b59e1.exe
"C:\Users\Admin\AppData\Local\Temp\3f2ff530e022aa423b1d41f0ca3b59e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cd SmitfraudFix && SmitfraudFix.cmd
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\find.exe
    find "Windows 95"
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\find.exe
    find "Windows 98"
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\find.exe
    find "Windows Millennium"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\find.exe
    find "Windows XP"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER"
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\find.exe
    find "Windows 2000"
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\find.exe
    find "Version 5.2.3790"
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" VER"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\find.exe
    find "Version 6.0"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\cscript.exe
    cscript //I //nologo GetPaths.vbs
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\chkntfs.exe
    chkntfs C:
    3⤵
    - Enumerates system info in registry
    PID:1904
- - C:\Windows\SysWOW64\find.exe
    find /V "C:"
    3⤵
    PID:644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type tmp.txt "
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\find.exe
    find /i "NTFS"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type tmp.txt "
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\find.exe
    find /i "FAT32"
    3⤵
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\GetPaths.vbs

Filesize
2KB

MD5
59c575913028340cb6328455fbc53276

SHA1
8ba2bc9ee342fb5992e24eb6434b75b253fa24b2

SHA256
d340a5091a3c9ec8b559e51aea1f46478acbc6c1ad805341263b4eace6f4479a

SHA512
e9984a76b0272e7d90ccb2382679305f9b869f73e6a27728be903a4f053e1c025ca1263f7484b53beff70b5838ec3bf088106411f8f3ea9c8e1af3b193db1435

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\Process.exe

Filesize
52KB

MD5
7397f6ee4a9601a123b645c0cd428017

SHA1
890368473ecbc404dcd42ff0c6c38397102f59c0

SHA256
5aaf73ef89f0efab963abb170bc9b7cd7d4d5bd7a691cd83137b4cc39cd120de

SHA512
8c9f85b64d8c1c43a11e654609d357fffdada311422cc02e5efbf1243b4d35fc20f4a58b1a663f85717d8a626c3db8f59af62d7044ed02974cd3d2b107f08784

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\SetPaths.bat

Filesize
350B

MD5
3f19b715686abfb0f2b0019631e4f790

SHA1
5ef320067b92d063e0b55d3d2eeda3c6276e2fae

SHA256
05547662cb090e49aae1718b8c59fe51aebf57db7d12b58a450005a670f1597c

SHA512
20a0f8cc6147de9b2c4f818993925cf2b080f4db058b9bb204694656baa5b934a88fe0b2541c7a07c46d6ea32cf39e8b4618fc9cfc10ae5f1d850eabf5040035

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\SmitfraudFix.cmd

Filesize
944KB

MD5
f5672b30ecbef174192c696fc2bbf9c9

SHA1
4104e28e29201adb9c674b6c367f3c79d7c8ba71

SHA256
94f6d077c36757831cc58f21be163b99d0d3a76dc158b21456efd7711e1ed7e4

SHA512
03f5873724f35366ff6b78b8a0d501a65baa42d579a127f48809974d6b4b2c60a094f9dcfe5af2834803d7d2860c5d04e314b74db2f54e5a9e6a3e239852e882

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\SrchSTS.exe

Filesize
281KB

MD5
fc041f7d1341eee456f1fa1a256cd24f

SHA1
79bf4b742b8decaa516c2a29145facb83796f1d6

SHA256
562c5f4a7674c9eeeda4b8e99324b3f78a266e7f42048b5a27b8f917af8a3dba

SHA512
0ae2f475ea485d8fdf9c63cb582c72be3d306982d54517f3e97e78ac807981bd20ea8c29e3cc2110a21c2bf672de49af7ff939b4cdce344d8a3d4135e78b0f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\dumphive.exe

Filesize
50KB

MD5
21868b2d22c726d94d98f15825d4134b

SHA1
b8ecd21f17fdd3845e0eb3c52496a1353a856523

SHA256
4a0202e069e3c1029ecb1f72639a7e35ccca28e1a81a7ca08d5f9206b4dc9363

SHA512
a9de3cab356ed8db4ebd2e85dcc750cd5407bc2ba71485ebf0caca030997a73e60b0006922d1e1cec434ca41e2b4dfcf98a0703098eaa5182f1b68860601a460

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\swreg.exe

Filesize
132KB

MD5
e417d888fdde9a2290c369c82a7aec3e

SHA1
54a6acf7ed038afc6a632ccd568c17fc31eac00e

SHA256
668232d0976e87f30bcfe1a52b17c96702eef3028fe05ef6263596ff9c80279b

SHA512
6b5c490537adc038ff0e1fc60ef566e93a1b3aebc39b60bef1a9f01ff4fd3e9e842f84310ae67c3556ab1fb12d8e80324c723b6b37ee45926937694b3f349ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\swsc.exe

Filesize
40KB

MD5
c16b1595e3c2ffc875ef28bf66ec557f

SHA1
4da6d047e81fd13e0cfa4e390b85d35f9a136887

SHA256
6842347ad8ace0a204827a39084b1d78c224db9a20f8d9c10c09808cda85dc70

SHA512
148b650d1ccf97ed962d265e483e5000060c1bd4ec37aa542a2af8a2398a54dc86d51e51363beedec51d58d118434b21fa59ed32c3ba1c402e1b5587b3545bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\swxcacls.exe

Filesize
77KB

MD5
ef5dc4cf7c39cfb4653859878c14d86c

SHA1
82ab38d121c5d6ccce79d0e63bf51604cd3c9fd6

SHA256
dd9784c35e6e1d0e12b7b8c1fd9b9b287848eacb541d736f5d850ba286bd3f47

SHA512
a8b74ccb30fccd7ea3e9749ad31039b771491bc2e0cfcfa6ea01a4a48f25e6eed8f7d32b99ffc4be517f425c3e4183ad25466cee55f7b34d0448c78394ffa4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmitfraudFix\tmp.txt

Filesize
38B

MD5
373f3c9db458420f57eca4ad06fa5392

SHA1
7b25146bfc867b77ee455bf07cce61fb1c505ab3

SHA256
58608d8c6f07e333357178ef8730e294f4639f80033239a84113b66044e32e56

SHA512
372f4b47435b70da860f400cf48132c4ed1f75b9c8b31c66fb515cd47602c7247db32ae2303ee202c0609dad6c1e3cbd4f66c162294b0d1e1715d11360b75f15

Download Submit
memory/2256-28-0x00000000001D0000-0x00000000001DD000-memory.dmp

Filesize
52KB

Download
memory/2256-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2256-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2256-2-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download
memory/2256-1-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download