Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 06:58

General

  • Target

    1.3.1.1002/SmartDesktop.exe

  • Size

    2.4MB

  • MD5

    7cada09f584b144683e6608ce2a6b6ed

  • SHA1

    1f5de69c90d1344482dd4fd2f8e32da480eed783

  • SHA256

    fe01e629e25da5b03294dc0dfa6c3ba1a11321268715d7fa4d108eb31db06aa9

  • SHA512

    7e7e91bca2b08831c9dcecc4048282cd823ab2211345ed037f36c4d4400986d583cb8d61a85e14a423548ca000a5df1b666be1ac40b83a87120474362e70a2f4

  • SSDEEP

    49152:vSWBLrXko7z2Qc7fcWOg+FYty/8trbI+qqQHTrFYvSHjHHl3:vS6LzkWz2QYV+FYAkXz8cujH5

Score
6/10

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1348
      • C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe
        "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe"
        2⤵
        • Adds Run key to start application
        • Writes to the Master Boot Record (MBR)
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe
          "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe" /dll_launch=Install
          3⤵
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:1212
        • C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe
          "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe" /active_dr
          3⤵
          • Writes to the Master Boot Record (MBR)
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1904
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      1⤵
        PID:816
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        1⤵
          PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Pre-OS Boot (T1542): 1
  • Bootkit (T1542.003): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 2
  • Pre-OS Boot (T1542): 1
  • Bootkit (T1542.003): 1

Discovery

  • System Information Discovery (T1082): 1

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\VirtualDesktop\Internet Explorer.lnk
          Filesize

          1017B

        • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
          Filesize

          309B

        • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
          Filesize

          256B

        • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
          Filesize

          158B

        • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
          Filesize

          276B

        • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDData.sdd.bk
          Filesize

          13KB

        • memory/1348-1-0x0000000000250000-0x0000000000350000-memory.dmp
          Filesize

          1024KB

        • memory/2820-0-0x0000000000180000-0x0000000000181000-memory.dmp
          Filesize

          4KB

        • memory/2820-77-0x00000000044F0000-0x00000000044F1000-memory.dmp
          Filesize

          4KB

        • memory/2820-87-0x0000000000180000-0x0000000000181000-memory.dmp
          Filesize

          4KB