3fb0542513b89a1a4225f95863447cd9efc1c58398cab3158ebe893f3ea13258

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 07:40

Target

smtuninst.exe
Size

221KB
MD5

f64fad676b4d248c1a4c48f6af993886
SHA1

ed77ea6401a8cfb0b92f2cc082bac016c2f89dc8
SHA256

ff5f752015b910541796437895ef76e397913c06f28e28049d77c2f1737ef7ec
SHA512

f9917f99aaa3273090ea75138baea5b85da130e6f9847c3884dc2c05062908b48ea6f68b0d1b33fcac083ba58d8bbdaaa4d693ba322bca98b46487b177555c7b
SSDEEP

3072:dvUKOnZaxaqbSPGyFDjJLDuSW+xQnMh09TfUBy689RoZSlGdRcUqwh8C1Z+iM:+KGayVVjWVnMh09TbQZXAUqwh8ZiM

Score

7^/10

upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral5/memory/2184-0-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral5/memory/2184-10-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral5/memory/2184-11-0x0000000000400000-0x0000000000499000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\$$865.bat	smtuninst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	smtuninst.exe
2184	smtuninst.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2116	2184	smtuninst.exe	28
PID 2184 wrote to memory of 2116	2184	smtuninst.exe	28
PID 2184 wrote to memory of 2116	2184	smtuninst.exe	28
PID 2184 wrote to memory of 2116	2184	smtuninst.exe	28

C:\Users\Admin\AppData\Local\Temp\smtuninst.exe
"C:\Users\Admin\AppData\Local\Temp\smtuninst.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\$$865.bat""
  2⤵
  PID:2116

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Program Files (x86)\$$865.bat

Filesize
155B

MD5
cf0a4771b75a498d0781ad9911b36c60

SHA1
52b0766eaf7ae9fa50c4b9866e5e2a90f46923c7

SHA256
12f6962ffdbeb10877b51630377ff6cbfbc1c60b4fea05c16713c69abac998c4

SHA512
984b1fe40e4e462e579605bb2cfdcbd284309b24e56e607b6df2515e3762e711b2360aea220aa3e83d4d810c5f399098958c789f1bfe73b11bfac866b1d2155e

Download Submit
memory/2184-0-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2184-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-10-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2184-11-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download