7a4fc48841f5d9027d0b50ae6d5fe1a68a3c8fb25e7ae388de53dedb21c03ed4

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c70bf07e4e32f9f33d1589ec9f4b1068.exe
Size

272KB
MD5

c70bf07e4e32f9f33d1589ec9f4b1068
SHA1

32cc47f378953323de4dd116b5d110bd9228ff74
SHA256

7a4fc48841f5d9027d0b50ae6d5fe1a68a3c8fb25e7ae388de53dedb21c03ed4
SHA512

e7f65cfb08221fb8b5c0a97ddc0f9f421b7b3228f1b7f47e332778c8974fb6148e7ab1337be214c87ea509b79866e21a6993726dce8f84d650d4b7f501269343
SSDEEP

6144:ye34wt475+ZPPfnE2Qyn20UlwkQKrPNHqdtj75+ZPPfnE2Qyn20U:pt4F+ZPPfnEUnFKrPQjF+ZPPfnEUn

Score

7^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016176-43.dat	acprotect
behavioral1/memory/1364-45-0x00000000755F0000-0x00000000755F9000-memory.dmp	acprotect

Deletes itself 1 IoCs

pid	Process
2672	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2912	SmartTool.exe

Loads dropped DLL 10 IoCs

pid	Process
1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe
1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe
1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe
1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe
1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe
2860	regsvr32.exe
2912	SmartTool.exe
1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe
2472	regsvr32.exe
1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016176-43.dat	upx
behavioral1/memory/1364-45-0x00000000755F0000-0x00000000755F9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SmartTool = "C:\\Program Files (x86)\\SmartTool\\SmartTool.exe"	SmartTool.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2D891923-34B7-4186-9B47-752624535DC1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2D891923-34B7-4186-9B47-752624535DC1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2D891923-34B7-4186-9B47-752624535DC1}	regsvr32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 2672	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	32

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SmartTool\Uninstall.exe	c70bf07e4e32f9f33d1589ec9f4b1068.exe
File created	C:\Program Files (x86)\SmartTool\SmartTool.dll	c70bf07e4e32f9f33d1589ec9f4b1068.exe
File created	C:\Program Files (x86)\SmartTool\SmartTool.exe	c70bf07e4e32f9f33d1589ec9f4b1068.exe
File created	C:\Program Files (x86)\SmartTool\adc.acc	c70bf07e4e32f9f33d1589ec9f4b1068.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\TypeLib\ = "{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\0\win32\ = "C:\\Program Files (x86)\\SmartTool\\SmartTool.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib\ = "{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\ = "SmartToolCtl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\ = "SmartToolCtl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl.1\ = "SmartToolCtl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl.1\CLSID\ = "{2D891923-34B7-4186-9B47-752624535DC1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\ = "SmartToolCtl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\ = "ISmartToolCtl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl.1\ = "SmartToolCtl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl.1\CLSID\ = "{2D891923-34B7-4186-9B47-752624535DC1}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\CurVer\ = "SmartTool.SmartToolCtl.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\VersionIndependentProgID\ = "SmartTool.SmartToolCtl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\CLSID\ = "{2D891923-34B7-4186-9B47-752624535DC1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\TypeLib\ = "{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\CLSID\ = "{2D891923-34B7-4186-9B47-752624535DC1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\ProgID\ = "SmartTool.SmartToolCtl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\VersionIndependentProgID\ = "SmartTool.SmartToolCtl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\ProgID\ = "SmartTool.SmartToolCtl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\CurVer\ = "SmartTool.SmartToolCtl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\ = "SmartTool 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib\ = "{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartTool.SmartToolCtl\ = "SmartToolCtl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SmartTool\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32\ = "C:\\Program Files (x86)\\SmartTool\\SmartTool.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32\ = "C:\\Program Files (x86)\\SmartTool\\SmartTool.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe
1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe
2912	SmartTool.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2860	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	28
PID 1364 wrote to memory of 2860	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	28
PID 1364 wrote to memory of 2860	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	28
PID 1364 wrote to memory of 2860	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	28
PID 1364 wrote to memory of 2860	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	28
PID 1364 wrote to memory of 2860	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	28
PID 1364 wrote to memory of 2860	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	28
PID 1364 wrote to memory of 2912	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	29
PID 1364 wrote to memory of 2912	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	29
PID 1364 wrote to memory of 2912	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	29
PID 1364 wrote to memory of 2912	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	29
PID 2912 wrote to memory of 2472	2912	SmartTool.exe	31
PID 2912 wrote to memory of 2472	2912	SmartTool.exe	31
PID 2912 wrote to memory of 2472	2912	SmartTool.exe	31
PID 2912 wrote to memory of 2472	2912	SmartTool.exe	31
PID 2912 wrote to memory of 2472	2912	SmartTool.exe	31
PID 2912 wrote to memory of 2472	2912	SmartTool.exe	31
PID 2912 wrote to memory of 2472	2912	SmartTool.exe	31
PID 1364 wrote to memory of 2672	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	32
PID 1364 wrote to memory of 2672	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	32
PID 1364 wrote to memory of 2672	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	32
PID 1364 wrote to memory of 2672	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	32
PID 1364 wrote to memory of 2672	1364	c70bf07e4e32f9f33d1589ec9f4b1068.exe	32

C:\Users\Admin\AppData\Local\Temp\c70bf07e4e32f9f33d1589ec9f4b1068.exe
"C:\Users\Admin\AppData\Local\Temp\c70bf07e4e32f9f33d1589ec9f4b1068.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\SmartTool\SmartTool.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2860
- C:\Program Files (x86)\SmartTool\SmartTool.exe
  "C:\Program Files (x86)\SmartTool\SmartTool.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\SmartTool\SmartTool.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2472
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Deletes itself
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SmartTool\SmartTool.dll

Filesize
106KB

MD5
c3fe27e59dba45b00172fb0e556951cb

SHA1
39cd86014029a7d1080250650cb79eec6e280d19

SHA256
5caad6897762c1781d9fe1227b068a940a50ffca7cb4b563116a5b3f14f4a45b

SHA512
c7511156ebaea6de4f06961d881389f67843e9e6550dd05de03d500b59d1beebe5e2808be85e2e67be91780d53013ef0ff29937cbb7c6ebc2eecba4587448ac1

Download Submit
\Program Files (x86)\SmartTool\SmartTool.exe

Filesize
42KB

MD5
d1859658605c11d217cb9d3e0540ca61

SHA1
1e2cb13bdbe6c6e6568a127258d7df38e67e26d5

SHA256
7b9fd7ea1c9dc710f67d3066369f51bf5fc4002062b356a2f53038b02c79fce0

SHA512
5b144619b2b4d97724fcbb850c8041f020f1b44494121ce42a8949280c8570fb8cd9213e7d467eb695364c6ae31e8b83e08e609e55473c933e0828fed3ad052f

Download Submit
\Program Files (x86)\SmartTool\adc.acc

Filesize
28KB

MD5
90fb210a39450f5cc40685f1af8e8cba

SHA1
8a4d4b84c5a8de91c4123dcb1f097daea2e8344f

SHA256
3c20fa6446d636d46c9e049887437e794787574969e0b7818571da7169543f11

SHA512
522769d16dcc161e63b796c82ce6b78e3015f9836987c9a22222858b422160acda6516fc320e28dd103df8bafce5eac2c1209d9af0bec9a8adfbb889086a60d0

Download Submit
\Users\Admin\AppData\Local\Temp\nsy17E5.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy17E5.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsy17E5.tmp\SelfDel.dll

Filesize
4KB

MD5
7cff7fe2caea5184d98c147e7e263132

SHA1
21f39d3d0dd5f7198d67ef30e95d10ae3460093e

SHA256
281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101

SHA512
fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

Download Submit
\Users\Admin\AppData\Local\Temp\nsy17E5.tmp\UAC.dll

Filesize
13KB

MD5
29858669d7da388d1e62b4fd5337af12

SHA1
756b94898429a9025a04ae227f060952f1149a5f

SHA256
c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

SHA512
6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy17E5.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/1364-26-0x00000000028A0000-0x00000000028C6000-memory.dmp

Filesize
152KB

Download
memory/1364-45-0x00000000755F0000-0x00000000755F9000-memory.dmp

Filesize
36KB

Download