56e48c29469fffa9388e4f9461d483cb0c5bb8cdf44bc57ad4d244c5b9aadf5e

Resubmissions

21/07/2024, 16:37

240721-t41h4sxenr 7

21/07/2024, 16:31

240721-t1gxlaxejn 7

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SmartChecker v0.1.exe
Size

9.1MB
MD5

2dc905da5ac25639b1f89758df9840bc
SHA1

20a43a418bc017a349175ef6ef16e26ff1d78739
SHA256

56e48c29469fffa9388e4f9461d483cb0c5bb8cdf44bc57ad4d244c5b9aadf5e
SHA512

d42f1f3c6f78189c5543870a6e5e45e141589a6827d44e4f1f26189cc3f2d6953f19ddb818e9c77554a48b2900fc3031e028ff481519b722add159d5b420e6b5
SSDEEP

196608:ZAIlXzkneX38DXDQ9/tbYPvbJQlHHO2SvJCQJ8CeGIP2W8ye:Xly0MDTQ9/kJQlnneO

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 30 IoCs

pid	Process
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
956	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe
1032	SmartChecker v0.1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2904	ehshell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	1064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1064	AUDIODG.EXE
Token: 33	1064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1064	AUDIODG.EXE
Token: SeDebugPrivilege	2904	ehshell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 956	884	SmartChecker v0.1.exe	31
PID 884 wrote to memory of 956	884	SmartChecker v0.1.exe	31
PID 884 wrote to memory of 956	884	SmartChecker v0.1.exe	31
PID 884 wrote to memory of 956	884	SmartChecker v0.1.exe	31
PID 956 wrote to memory of 876	956	SmartChecker v0.1.exe	34
PID 956 wrote to memory of 876	956	SmartChecker v0.1.exe	34
PID 956 wrote to memory of 876	956	SmartChecker v0.1.exe	34
PID 956 wrote to memory of 876	956	SmartChecker v0.1.exe	34
PID 2812 wrote to memory of 1032	2812	SmartChecker v0.1.exe	40
PID 2812 wrote to memory of 1032	2812	SmartChecker v0.1.exe	40
PID 2812 wrote to memory of 1032	2812	SmartChecker v0.1.exe	40
PID 2812 wrote to memory of 1032	2812	SmartChecker v0.1.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SmartChecker v0.1.exe
"C:\Users\Admin\AppData\Local\Temp\SmartChecker v0.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Local\Temp\SmartChecker v0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\SmartChecker v0.1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:876

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2068

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\eHome\ehshell.exe
"C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Desktop\SyncExpand.DVR"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\SmartChecker v0.1.exe
"C:\Users\Admin\AppData\Local\Temp\SmartChecker v0.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\SmartChecker v0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\SmartChecker v0.1.exe"
  2⤵
  - Loads dropped DLL
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI8842\VCRUNTIME140.dll

Filesize
81KB

MD5
4c360f78de1f5baaa5f110e65fac94b4

SHA1
20a2e66fd577293b33ba1c9d01ef04582deaf3a5

SHA256
ad1b0992b890bfe88ef52d0a830873acc0aecc9bd6e4fc22397dbccf4d2b4e37

SHA512
c6bba093d2e83b178a783d1ddfd1530c3adcb623d299d56db1b94ed34c0447e88930200bf45e5fb961f8fd7ad691310b586a7d754d7a6d7d27d58b74986a4db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_bz2.pyd

Filesize
76KB

MD5
0f75c236c4ccfea1b16f132f6c139236

SHA1
710bb157b01cafe8607400773b3940674506013b

SHA256
5dc26dcbf58cc7f5bfdec0badd5240d6724db3e34010aaf35a31876fe4057158

SHA512
5849ea147ada06c8b7a9fd523917009c173ace07ba1dbd320d7dda7f6d910b75ba4b7372f22bb56101c9dd836ce1a590b7715a7f34a67a489d70439b88998dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_ctypes.pyd

Filesize
113KB

MD5
3a2e78784b929003a6baceebdb0efa4d

SHA1
abb48b6a96e22b9bd6d2a8443f5811088c540922

SHA256
f205948b01b29cb244ae09c5b57fd4b6c8f356dfcd2f8cb49e7cfd177a748cf9

SHA512
ad5a9a5143b7e452d92cc7ea5db12967b2073b626be3437d17041d7ae6d82ee24b15d161d2f708639d3bbf8c657202cd845009a219657557203497ea355876ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_hashlib.pyd

Filesize
37KB

MD5
05362add80824b06014645a7951337d8

SHA1
76699e6dae7df93626906e488ef6218f9afcf8b5

SHA256
20b3a3d3350b3d4d57911ecfdb15f77512a6e73c3bf72b410724f81c79a5b1af

SHA512
061562b46e38c9bb83d49a9983d9848669ce2a20970451157b6474ef5dcc4ff38cc2a837b03cff89eacb4eae2063d2c1f43fccd6bd481dbbcabc5527f8489f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_lzma.pyd

Filesize
182KB

MD5
54f12e2385a77d825ae4d41a4ac515fe

SHA1
5ba526ac1c5f16fb7db225a4876996ab01ee979f

SHA256
08de18fba635822f3bb89c9429f175e3680b7261546430ba9e2ed09bb31f5218

SHA512
ea88774fd63a3d806f96e99255705ac68f615508c5887ae18b8d488bdf87268a634c12eb167c13199f4a0fb31795531b1f7d48bdacbd46cf8affa694a630d259

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_queue.pyd

Filesize
24KB

MD5
bc5fce7b8de6ca765cbf79f9d0587164

SHA1
d4d56e53ddc6bb5d21697a3460f310e9655525c0

SHA256
a5db4d041f40fb01761b5baa907099db89cf891b0df0251d92da2fbf9dc3897b

SHA512
23b616ce997eddaafd4c61da7c6d5da1210d0a0373b3df75750843951008234eb2cbe4c6c9a33a4f1cdfe2d115e6c7569d0a97a83ed9c5e85205dba43c5d4363

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_socket.pyd

Filesize
67KB

MD5
cea329ce0935e99a8bc01070f07fefaf

SHA1
9d81307e9559d0661633530e5756957b05d84268

SHA256
d1a4d66c557c2fe7dc441614ca62e67f37ec44bef5a762bac41bac15d491a930

SHA512
b6aea9c2221bf35b0895c35942cf3c9613ec7919540b4c24a3b97d7a0846256e9ba654e8f233fadca1b15ff0b7d30d73adfaec85bcadb6100fd73e62d3a068ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_ssl.pyd

Filesize
139KB

MD5
b9ecf769fc63a542a113ca1552dc7a7b

SHA1
04bd2c2f6f3ae7d8d996c0166d98e0d6aae7b514

SHA256
e0bdb16cffc7b5a19c5af22d8a33d3c999d55a3117f2da07ed3171ca9487927e

SHA512
593075258548d3ab125ea2f71822662d5ab19c8e036edaf2b92eb63fe721af09fbeae27fdb36e033f654fb55e78a5922a18d5a527fd1c815f691950ba6adcb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_yaml.cp38-win32.pyd

Filesize
233KB

MD5
849abb137c531a366f595736411989f7

SHA1
70d1ad6c2c99337f9293f4a5fbc6bf9efaf3d9a3

SHA256
0e5184cbff52cf2f4abe59b58c964631a372d9dc5c2c8dc093cc9c8b81774b92

SHA512
033499f24d325dafe9470d1f71a9d06882f810ad8693f18d5cd46cc7bfc6f5618dd7fafae1431816a7134ee371fbe0ff293ced75292581f111db3ed676ea34c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\base_library.zip

Filesize
769KB

MD5
df822dfa1d7dd754e7b80d513c57d278

SHA1
1c95ef4ae867ee9a91fcc7893bf93e758e731ac3

SHA256
37151920c648ba0d5c6250862c9eabddbe5dddea14b8ebce7b140e32c0018a47

SHA512
d428cabcc55f05bd2d11ace413a7ea5937aa6b37f125b0b3c4e29196e3f1abe4aefd9657e7487badab392efbe5223edc98a38674868485b24eb74c8fd3982f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\libcrypto-1_1.dll

Filesize
2.1MB

MD5
73def838c090acd4be070c649cbd3bf1

SHA1
3dd16cf7740119e7a1d4f56b4c4934a724682e84

SHA256
52d89fac9e42d87300e1427cb41c331f78a7e488d0cbbed8db4adf9d930c89d1

SHA512
1a1e799cce4986059b53856761810f63829cbc5ead197032ce02e9d3905804d34c8d4d8fcf8a0fe5ac9e5f2f30883f7d4181d0551d4195c2356baf3ff5bd0da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\libssl-1_1.dll

Filesize
528KB

MD5
ad77250dbaa7faf0c2c9e13d717faec7

SHA1
d6450be5a28caac59d47ac620cd128febfbf95ab

SHA256
ccba760e6607fb6b08215452a8c0b6f84b2cb13937e86514995e9e86352f487a

SHA512
ae89207cd3831b8d0be8b336a9336b69541d1d86e9b9b331d0a64a5bb97c2c9481e735b72bc958bfdb0458f49311b2bd4fcf6d4ca255b7ef510d02de1573c096

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\python38.dll

Filesize
3.9MB

MD5
7e771d92e814a9fe3520b9f1af6176e0

SHA1
2b1d2fc31fdc2d1940d3835e1e62214414e6cffd

SHA256
54326ecd163c7fffcdd02620490b6bde727c6a3153bff9706cf086510e4aa36d

SHA512
547bdf9048d3b3bc88741ce2307ed4a48b10407d17dbb9f5ba5a727d59d208069abddb90d24b3d4bf0aa5ced2bdcabec3230baf73f2576652035afe5a1297667

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\select.pyd

Filesize
23KB

MD5
26bc7e9826bc13a4d0cf681b0e5cf3c8

SHA1
effff42e88cdd66bc4397de1a6d3b5ae540f820b

SHA256
8e7366cf6e128f977f8977a8db45a714ba72e643b31bd26b7676f33d3d8df612

SHA512
16d92785a234e60301aa6c4c5d508bdaff805689d4f160ab3c0c4d0c2376dd3616f676ad2fa81c08ea80e4fb862c3a15e1b59212508dddb388c8a768726b018a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\unicodedata.pyd

Filesize
1.0MB

MD5
7d24a6d7f45ee7190d867cc92a818ba8

SHA1
5ff89024f541670d7846cf8cab3747b6a3a9dc1c

SHA256
b3df52727dddd333076299f2f8148d1a13bbd39e4481a0ad9a8d88f638d7385b

SHA512
28a4af7c30caa116db00790f1f0584b0a0b42dde07f410dddda9caee123bd7082a62c8779bb7aab4931ee0b44343b8e26d5559e63eebe9c581347bb17809da5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.yml

Filesize
317B

MD5
12b5256ade435d75bacd373379eb3490

SHA1
99f4b2f99a89083ea694b41bfbc76c9f1d51238f

SHA256
1d2d02119733e051b93816d3ad4434fac754397c92b4dfafc57e6fd0ea7c8efb

SHA512
e62f96a66b2577b3bd12ebcdf948382d83467fcb20ab8b09114bae893a0da6e441ef3eddea72f2a9782fda925345b2cebc93efeac2ddb3417a99a57b8c52c531

Download Submit
memory/2904-980-0x000000001E320000-0x000000001E928000-memory.dmp

Filesize
6.0MB

Download
memory/2904-981-0x000000001D550000-0x000000001D6D4000-memory.dmp

Filesize
1.5MB

Download
memory/2904-982-0x000000001C0C0000-0x000000001C15E000-memory.dmp

Filesize
632KB

Download
memory/2904-983-0x000000001EAB0000-0x000000001EB68000-memory.dmp

Filesize
736KB

Download
memory/2904-985-0x000000001B7A0000-0x000000001B7D7000-memory.dmp

Filesize
220KB

Download
memory/2904-987-0x000000001B460000-0x000000001B46A000-memory.dmp

Filesize
40KB

Download
memory/2904-986-0x000000001B460000-0x000000001B46A000-memory.dmp

Filesize
40KB

Download