Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-06-2024 06:58

General

  • Target

    1.3.1.1002/SmartDesktop.exe

  • Size

    2.4MB

  • MD5

    7cada09f584b144683e6608ce2a6b6ed

  • SHA1

    1f5de69c90d1344482dd4fd2f8e32da480eed783

  • SHA256

    fe01e629e25da5b03294dc0dfa6c3ba1a11321268715d7fa4d108eb31db06aa9

  • SHA512

    7e7e91bca2b08831c9dcecc4048282cd823ab2211345ed037f36c4d4400986d583cb8d61a85e14a423548ca000a5df1b666be1ac40b83a87120474362e70a2f4

  • SSDEEP

    49152:vSWBLrXko7z2Qc7fcWOg+FYty/8trbI+qqQHTrFYvSHjHHl3:vS6LzkWz2QYV+FYAkXz8cujH5

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of FindShellTrayWindow (5 IoCs)
  • Suspicious use of SendNotifyMessage (4 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe
    "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\SmartDesktop.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe
      "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper64.exe" /dll_launch=Install
      2⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2724
    • C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\1.3.1.1002\RunningHelper.exe" /active_dr
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetWindowsHookEx
      PID:1160
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
      PID:1540
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      1⤵
        PID:3320

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (1): T1547
  • Registry Run Keys / Startup Folder (1): T1547.001
  • Pre-OS Boot (1): T1542
  • Bootkit (1): T1542.003

Privilege Escalation

  • Boot or Logon Autostart Execution (1): T1547
  • Registry Run Keys / Startup Folder (1): T1547.001

Defense Evasion

  • Modify Registry (1): T1112
  • Pre-OS Boot (1): T1542
  • Bootkit (1): T1542.003

Discovery

  • Query Registry (1): T1012
  • System Information Discovery (2): T1082


Downloads

      • C:\Users\Admin\AppData\Local\Temp\VirtualDesktop\Internet Explorer.lnk
        Filesize

        1KB

        MD5

        5454d6793d2f975f9dc1574f1b0864c2

        SHA1

        a907ec1dc48985e5b3f684ab6361d9647cea694c

        SHA256

        c79f00cc36e1bae146ce9b2c6c5ff7ec5cc42b861797b2ab0d5d9331f14dd1ed

        SHA512

        928d6f163a2563c4a403164371ceca40994bd81b363921f4b8adfd5a8ba1b5456f83c2a448d4f2e9cc21de74fe48b1bcde1cf49fef8f550bf9b0e76680fafeb4

      • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
        Filesize

        256B

        MD5

        d69c5f20196477008ba293e2979dcabd

        SHA1

        ac8617d57d8b8c4972608da1b6539ab2bddcc02e

        SHA256

        a8279f4d967b5ba590637a02ff15b36b2ff370268162715ca4cf121e8eb683cb

        SHA512

        246090ba5808ffd9795c840f76f72647f0974ece30ecdf6629e8c6625871641e593c07358d35fa9cbdbd7e417eac4e01f0f2c57dde0e3e1d5876bced15a2f1f5

      • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
        Filesize

        276B

        MD5

        137ee0849608a2c07b373b10695b3721

        SHA1

        9fe26b308066cce6380023e9d0f0eb898d97af62

        SHA256

        dee9691327dc0f287cb77aa83f96280e4a31d7ef90f565897467abc3023b163a

        SHA512

        da69a7f69f35431a305ebcda2ca7a1d95e459435d96b76bb4b25f0b2403da78f4ac8a3f948be503eb79a89808761f89b2015a16de1fa57eb5eb42fc53e9b53d1

      • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
        Filesize

        70B

        MD5

        174265a58374b8543d443cbba004e513

        SHA1

        10052cb2c83a2548b69cb84f6a5439b473fed81e

        SHA256

        2bf1e2bb677ac9ae1236c3f633f7b959601fa9edcadc184202339fd3910fafab

        SHA512

        6113ae509de975ba69d27db772acaff836df2702fe8eeb4e9755c847b2dab6752fef5c2fd6ec0e93bef69c041ae167cf91a19b20f8be5d9a81e4427719e665d6

      • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
        Filesize

        309B

        MD5

        6f4dac83de8dcd929d687888aa099b68

        SHA1

        1264e430b3f4832a8ce082cac7ec4650648e57b4

        SHA256

        7e783161abfe5fcb30a430c0cecf64d3c00874954ba0e0979b4c7e46c880dc12

        SHA512

        0a3c407c589b582a61c47b81743c58fc1f89966e1ec95aacae61c7464374916e3b3c7f925c7914fa4844a90b6897084e57652aecc0e1b5460afa1ef466475617

      • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
        Filesize

        70B

        MD5

        e0356f1d3a3da4f00baa4c6e68c9c8b6

        SHA1

        79397120a80116b6ab156e0669f001bb16d67b43

        SHA256

        6f0aa5985413c8de6f0284aa8b5bca30a8a5dc12a98caba5d11e20075f000fb5

        SHA512

        238ea77e36e6a1e5ba0510b3f7837148d768cda33fd8af1431725ab2e1dab3a973fd943a2b87b97ef28e2e3c9e18d2085ebbf7fa1f788424c79cb21554541f94

      • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
        Filesize

        158B

        MD5

        7891eb8bdd9283bd91ec14164bfda694

        SHA1

        2a0bed9fe4c14f686403cb3c926e62be42d9b528

        SHA256

        2aa641ce12287d49431fca31e06cd64cc3c596db1104f999a1186952e6ae29a3

        SHA512

        a9aaba8d0de04597472bc286f5df90528e87e462fe066da8208eb7e335bdf5cbcbb04d1b60f538e0a62cd7d0689f46e4ea85b21b98ce2d6a396ed3c64bbb91a3

      • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDConfig.ini
        Filesize

        70B

        MD5

        d4cb6152a39e52256a676dfe5fb9a2b4

        SHA1

        2202dbdf0c6d4beba22ad2bc5b39ecb1630e5f0d

        SHA256

        36e189ab0a5fb4cedef2f0bbff3e93b52d39d5bfcec6dc2c3324f2fabc1b0236

        SHA512

        b60b9d291d9a705c19be87c5d1d715689ba95a95a938a932272e7342639c7bede1193d07a9fd9f559d42020f7a80b48f05a6659d482524c14cd33d360c3a397b

      • C:\Users\Admin\AppData\Roaming\SmartDesktopData\UserData\SDData.sdd.bk
        Filesize

        15KB

        MD5

        47a40f4fdf8ab4daa2fb450aab3ff92a

        SHA1

        804de7e3eefaa02c8deeb67e526995e557767ecb

        SHA256

        afe50e2a6e3f625fd62c5489320c430d501335864468a0623511fd0f5934a1a2

        SHA512

        bd5a44eb9407411624c2ba2c1cb24c6ce245f8e3a8864d2db80fc70d8cbe312f3d1753b448d52b2d7ac93bc87793a692914ac6f2df8f44f328db0051e7c8d815
