419b6c03a01ad10354c6f70c9077d0bc97a04ca03d0e39748823c8d604da7fe2

Resubmissions

24/08/2024, 21:59

240824-1v7z6ateqk 10

28/07/2024, 20:08

240728-ywzztswdnb 9

Analysis

max time kernel
79s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28/07/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smert.exe
Size

20KB
MD5

9741dc2a48ef315a5032a3190c6a9752
SHA1

595cfcf134ac6a97a75407350b509ad37666d546
SHA256

419b6c03a01ad10354c6f70c9077d0bc97a04ca03d0e39748823c8d604da7fe2
SHA512

a8f26e08cdb7078f51f716014499f4af3f0be2ed057cbc3f67da38120d69534ff05a010ab8879ec5bfc692caac7db6f47e777d701d733a6cda307aaddb70cb6f
SSDEEP

384:asaFiLCCr05Sx158JLLU4Act6GoMZOaB8BYsszReS:aPwXl1585LUNGoMZOXszR

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (2029) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\amdxata.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\tcpipreg.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\Wdf01000.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\vsmraid.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\dxgmms1.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\vmstorfl.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\ws2ifsl.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\fileinfo.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\fvevol.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\ndiscap.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\adpu320.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\acpi.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\acpipmi.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\bxvbda.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\vwifimp.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\msfs.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\irda.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\adpahci.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\rmcast.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\ndproxy.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\BrUsbSer.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\cdfs.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\tcpip.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\FWPKCLNT.SYS.smert	smert.exe
File created	C:\Windows\System32\drivers\README.txt	smert.exe
File created	C:\Windows\System32\drivers\asyncmac.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\msahci.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\exfat.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\UAGP35.SYS.smert	smert.exe
File created	C:\Windows\System32\drivers\ksecpkg.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\lltdio.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\volmgrx.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\evbda.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\gmreadme.txt.smert	smert.exe
File created	C:\Windows\System32\drivers\amdk8.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\compbatt.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\crashdmp.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\Rtnic64.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\appid.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\storvsc.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\swenum.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\hidusb.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\1394ohci.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\BrSerId.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\bthmodem.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\cng.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\netbios.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\TsUsbFlt.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\mpio.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\ipfltdrv.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\isapnp.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\arcsas.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\cmdide.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\mouclass.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\wmiacpi.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\vga.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\wanarp.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\errdev.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\lsi_scsi.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\blbdrive.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\udfs.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\vmbus.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\null.sys.smert	smert.exe
File created	C:\Windows\System32\drivers\drmk.sys.smert	smert.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	smert.exe
File opened (read-only)	\??\B:	smert.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\BioCredProv.dll.smert	smert.exe
File created	C:\Windows\System32\C_1258.NLS.smert	smert.exe
File created	C:\Windows\System32\de-DE\dtsh.dll.mui.smert	smert.exe
File created	C:\Windows\System32\en-US\connect.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\iphlpsvc.dll.mui.smert	smert.exe
File created	C:\Windows\System32\fr-FR\actionqueue.dll.mui.smert	smert.exe
File created	C:\Windows\System32\de-DE\CertEnrollUI.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\msobjs.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\p2psvc.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\wsecedit.dll.mui.smert	smert.exe
File created	C:\Windows\System32\en-US\wshrm.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\MFC42u.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\qedit.dll.mui.smert	smert.exe
File created	C:\Windows\System32\fr-FR\appmgr.dll.mui.smert	smert.exe
File created	C:\Windows\System32\de-DE\DevicePairingFolder.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\slc.dll.mui.smert	smert.exe
File created	C:\Windows\System32\fi-FI\FntCache.dll.mui.smert	smert.exe
File created	C:\Windows\System32\dsquery.dll.smert	smert.exe
File created	C:\Windows\System32\feclient.dll.smert	smert.exe
File created	C:\Windows\System32\fr-FR\amstream.dll.mui.smert	smert.exe
File created	C:\Windows\System32\fr-FR\ActionCenterCPL.dll.mui.smert	smert.exe
File created	C:\Windows\System32\CscMig.dll.smert	smert.exe
File created	C:\Windows\System32\activeds.dll.smert	smert.exe
File created	C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll.smert	smert.exe
File created	C:\Windows\System32\CardGames.dll.smert	smert.exe
File created	C:\Windows\System32\en-US\wmpshell.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\DeviceCenter.dll.mui.smert	smert.exe
File created	C:\Windows\System32\cscui.dll.smert	smert.exe
File created	C:\Windows\System32\catroot2\edb006C1.log.smert	smert.exe
File created	C:\Windows\System32\es-ES\sppc.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\accessibilitycpl.dll.mui.smert	smert.exe
File created	C:\Windows\System32\de-DE\cero.rs.mui.smert	smert.exe
File created	C:\Windows\System32\DriverStore\infstor.dat.smert	smert.exe
File created	C:\Windows\System32\el-GR\FntCache.dll.mui.smert	smert.exe
File created	C:\Windows\System32\en-US\wwanconn.dll.mui.smert	smert.exe
File created	C:\Windows\System32\fr-FR\activeds.dll.mui.smert	smert.exe
File created	C:\Windows\System32\C_28591.NLS.smert	smert.exe
File created	C:\Windows\System32\config\SYSTEM.LOG.smert	smert.exe
File created	C:\Windows\System32\C_1256.NLS.smert	smert.exe
File created	C:\Windows\System32\dhcpcsvc6.dll.smert	smert.exe
File created	C:\Windows\System32\en-US\desk.cpl.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\lpeula.rtf.smert	smert.exe
File created	C:\Windows\System32\es-ES\rtffilt.dll.mui.smert	smert.exe
File created	C:\Windows\System32\azroleui.dll.smert	smert.exe
File created	C:\Windows\System32\DDACLSys.dll.smert	smert.exe
File created	C:\Windows\System32\de-DE\authfwgp.dll.mui.smert	smert.exe
File created	C:\Windows\System32\en-US\ucmhc.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\advpack.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\hidphone.tsp.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\intl.cpl.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\sppcomapi.dll.mui.smert	smert.exe
File created	C:\Windows\System32\de-DE\adtschema.dll.mui.smert	smert.exe
File created	C:\Windows\System32\de-DE\crypt32.dll.mui.smert	smert.exe
File created	C:\Windows\System32\de-DE\efssvc.dll.mui.smert	smert.exe
File created	C:\Windows\System32\de-DE\kswdmcap.ax.mui.smert	smert.exe
File created	C:\Windows\System32\dhcpsapi.dll.smert	smert.exe
File created	C:\Windows\System32\es-ES\dhcpcsvc6.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\onex.dll.mui.smert	smert.exe
File created	C:\Windows\System32\en-US\AuxiliaryDisplayClassInstaller.dll.mui.smert	smert.exe
File created	C:\Windows\System32\de-DE\AxInstSv.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\dsound.dll.mui.smert	smert.exe
File created	C:\Windows\System32\es-ES\rascfg.dll.mui.smert	smert.exe
File created	C:\Windows\System32\FDResPub.dll.smert	smert.exe
File created	C:\Windows\System32\clb.dll.smert	smert.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll.smert	smert.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui.smert	smert.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\PhotoBase.dll.smert	smert.exe
File created	C:\Program Files\Windows Mail\ja-JP\README.txt	smert.exe
File created	C:\Program Files\VideoLAN\VLC\Documentation.url.smert	smert.exe
File created	C:\Program Files\Internet Explorer\JSProfilerCore.dll.smert	smert.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\MpEvMsg.dll.mui.smert	smert.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.smert	smert.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\README.txt	smert.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\README.txt	smert.exe
File created	C:\Program Files\Windows Sidebar\de-DE\README.txt	smert.exe
File created	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll.smert	smert.exe
File created	C:\Program Files\Mozilla Firefox\mozwer.dll.smert	smert.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui.smert	smert.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.smert	smert.exe
File created	C:\Program Files\Windows Journal\Templates\README.txt	smert.exe
File created	C:\Program Files\VideoLAN\VLC\README.txt.smert	smert.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll.smert	smert.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.smert	smert.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui.smert	smert.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.smert	smert.exe
File created	C:\Program Files\desktop.ini.smert	smert.exe
File created	C:\Program Files\Microsoft Office\Office14\Custom.propdesc.smert	smert.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\msoeres.dll.mui.smert	smert.exe
File created	C:\Program Files\Mozilla Firefox\firefox.cfg.smert	smert.exe
File created	C:\Program Files\JoinBlock.TTS.smert	smert.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\sbdrop.dll.mui.smert	smert.exe
File created	C:\Program Files\UnpublishRemove.htm.smert	smert.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.smert	smert.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.smert	smert.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll.smert	smert.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.smert	smert.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\sbdrop.dll.mui.smert	smert.exe
File created	C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL.smert	smert.exe
File created	C:\Program Files\7-Zip\Lang\README.txt.smert	smert.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\MpEvMsg.dll.mui.smert	smert.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.smert	smert.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll.smert	smert.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui.smert	smert.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui.smert	smert.exe
File created	C:\Program Files (x86)\Internet Explorer\README.txt	smert.exe
File created	C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui.smert	smert.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\README.txt	smert.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\README.txt	smert.exe
File created	C:\Program Files\DVD Maker\SecretST.TTF.smert	smert.exe
File created	C:\Program Files\Mozilla Firefox\ucrtbase.dll.smert	smert.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui.smert	smert.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\WMPDMCCore.dll.mui.smert	smert.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\WMPDMCCore.dll.mui.smert	smert.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui.smert	smert.exe
File created	C:\Program Files\Microsoft Games\Solitaire\README.txt	smert.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini.smert	smert.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\README.txt	smert.exe
File created	C:\Program Files\7-Zip\License.txt.smert	smert.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.smert	smert.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt.smert	smert.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\README.txt	smert.exe
File created	C:\Program Files\Common Files\System\DirectDB.dll.smert	smert.exe
File created	C:\Program Files\Mozilla Firefox\mozavcodec.dll.smert	smert.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml.smert	smert.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll.smert	smert.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.smert	smert.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll.smert	smert.exe
File created	C:\Program Files\GrantSkip.mpe.smert	smert.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~hu-HU~7.1.7601.16492.mum.smert	smert.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~hr-HR~7.1.7601.16492.cat.smert	smert.exe
File created	C:\Windows\inf\nv_lh.PNF.smert	smert.exe
File created	C:\Windows\Media\Calligraphy\Windows Print complete.wav.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-IIS-WebServer-AddOn-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-MediaCenter-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-OpticalMediaDisc-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-SecureStartup-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~uk-UA~7.1.7601.16492.cat.smert	smert.exe
File created	C:\Windows\ehome\it-IT\ehglid.dll.mui.smert	smert.exe
File created	C:\Windows\inf\prnlx005.inf.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~ar-SA~7.1.7601.16492.mum.smert	smert.exe
File created	C:\Windows\inf\mdmlucnt.PNF.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-IIS-WebServer-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16492.mum.smert	smert.exe
File created	C:\Windows\Media\Characters\README.txt	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-MSMQ-Client-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~de-DE~7.1.7601.16492.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~en-GB~7.1.7601.16492.cat.smert	smert.exe
File created	C:\Windows\schemas\EAPHost\baseeapmethodconfig.xsd.smert	smert.exe
File created	C:\Windows\inf\wiaca00d.inf.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum.smert	smert.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~da-DK~7.1.7601.16492.mum.smert	smert.exe
File created	C:\Windows\inf\netbrdgs.inf.smert	smert.exe
File created	C:\Windows\schemas\TSWorkSpace\tswcx.xsd.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-ServicingBaseline-Ultimate-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\inf\prnrc303.inf.smert	smert.exe
File created	C:\Windows\inf\prnms002.inf.smert	smert.exe
File created	C:\Windows\inf\vhdmp.inf.smert	smert.exe
File created	C:\Windows\schemas\WCN\FlashConfig.xsd.smert	smert.exe
File created	C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-OfflineFiles-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum.smert	smert.exe
File created	C:\Windows\ehome\CreateDisc\sonic.xml.smert	smert.exe
File created	C:\Windows\inf\wsearchidxpi\README.txt	smert.exe
File created	C:\Windows\L2Schemas\WLAN_policy_v1.xsd.smert	smert.exe
File created	C:\Windows\inf\hdaudss.inf.smert	smert.exe
File created	C:\Windows\inf\mdmgen.inf.smert	smert.exe
File created	C:\Windows\inf\prnsv004.inf.smert	smert.exe
File created	C:\Windows\Media\Afternoon\Windows Print complete.wav.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-MobilePC-Client-Basic-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~zh-TW~7.1.7601.16492.cat.smert	smert.exe
File created	C:\Windows\Cursors\README.txt	smert.exe
File created	C:\Windows\Media\Calligraphy\Windows Information Bar.wav.smert	smert.exe
File created	C:\Windows\Media\Raga\Windows Feed Discovered.wav.smert	smert.exe
File created	C:\Windows\PolicyDefinitions\de-DE\CEIPEnable.adml.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-ICM-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-RDC-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-Shell-InboxGames-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum.smert	smert.exe
File created	C:\Windows\Cursors\wait_rm.cur.smert	smert.exe
File created	C:\Windows\inf\mdmsupr3.inf.smert	smert.exe
File created	C:\Windows\ja-JP\README.txt	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-NetFx3-OC-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-RemoteAssistance-Package-Client~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-Shell-MultiplayerInboxGames-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~lv-LV~7.1.7601.16492.cat.smert	smert.exe
File created	C:\Windows\ehome\es-ES\ehepgres.dll.mui.smert	smert.exe
File created	C:\Windows\inf\prnin003.inf.smert	smert.exe
File created	C:\Windows\inf\stexstor.PNF.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-MediaCenter-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.mum.smert	smert.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-SnippingTool-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat.smert	smert.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~da-DK~7.1.7601.16492.mum.smert	smert.exe
File created	C:\Windows\inf\prnca00d.inf.smert	smert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	smert.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	smert.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1664	3012	smert.exe	30
PID 3012 wrote to memory of 1664	3012	smert.exe	30
PID 3012 wrote to memory of 1664	3012	smert.exe	30

C:\Users\Admin\AppData\Local\Temp\smert.exe
"C:\Users\Admin\AppData\Local\Temp\smert.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\smert.exe
  "C:\Users\Admin\AppData\Local\Temp\smert.exe" --foodsum
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies system certificate store
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui.smert

Filesize
21KB

MD5
3cca6df1db4760a52fe87e64e090833f

SHA1
e79d77e0d1e85d4f490260f3a4878905be3b7cd1

SHA256
c2103f9920ae8661391ebf230675acb1ce81eb30c1e7d277bef911cc5d4fb7df

SHA512
bc41068ab6b382018997141c6c8ba4b2e8a49e9ba55a15a34a3c48b714a1965e2f53238d7260e2d74a5dc5cdbb745bb33657af179018d06cb6e0aa7230c3f682

Download Submit
C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui.smert

Filesize
2KB

MD5
2356f27d021ce3b85ebce6a8ca00ca9b

SHA1
b8f9377b7809cec2dd95ed7dc25ecbb7bc7136d0

SHA256
80100663476511c671fa285b05c75705b699ff6be148c6b77a81491bd291a52b

SHA512
f5eaea730ee31f51f96a1e872f515428ea98d5713163a3b0ade55ef239f61c14e83a25c8084a7267e2f80c33d2c942cb98266c2001c3eda29ae546e7a942bcec

Download Submit
C:\Users\Admin\Desktop\ApproveUndo.vb.smert

Filesize
475KB

MD5
45d977045bc7af29e25b24e66fe148be

SHA1
c18ad8f00ef0e77e7862505cf0fa7f3e2b557dec

SHA256
9895b0bc8c9c6aad95f1a2f7e7377ca6d228e75765ae7d66cbf97dd38b40b1dc

SHA512
7d8cdf330e463644b9ac5d3d9dbfa98e74dc664a827e013d35a97f53bdb4cda289332c964a8b88fe056137fa928602cad3612d9b9b58394e5f0884f6d595be00

Download Submit
C:\Users\Admin\Documents\README.txt

Filesize
795B

MD5
41b2cb92f1ec3aa7cfd2f04cc5b90940

SHA1
6fc9bbc669d35b4ce1a1ef282f6318bdd5fd9ee6

SHA256
c520a31166e2a3406a928e2d47417bcba208c2ce6493ceb049db8266e4db5f7b

SHA512
54e49d7485ab123af68c63da45a3aca5e79f3f9c9055e9a80ee6b2d129603b854ad00d436b437528da98ce4b51a880f7d27cdb75998b35b483b225484e315a31

Download Submit
C:\Windows\Cursors\size2_r.cur.smert

Filesize
1KB

MD5
9074e384b177d9f9c9d121233f489cb1

SHA1
20ee68a15c560b17307b5cedc20d6188909799f8

SHA256
4bea8d919362e1323e7b84e8f777eba1b4dcd1f2d406e8eb0a4d4cc989cb9c8f

SHA512
d0167d85598d9eea1da15448546d772a60ac36785a3265862646aa813162ab70df0e763d9018e77d88549f49fbd2c9d4d02941c52402b4121abc46b9b844e3f0

Download Submit
C:\Windows\Media\Savanna\Windows Hardware Remove.wav.smert

Filesize
17KB

MD5
e1f6f9cb8791888a493df50c05221453

SHA1
b55a81a45bcad6b8254fea535bcb7bfe7321c8d9

SHA256
dbc743669e9642dba5cb1b253fb4b82469231cabe457043cb4f2d17a48d55785

SHA512
e3d5046c6799f0bce8aec427df79f296dab4c39eed286686af6632f281409737c7aff6425d882bc9f75ed996d80c5cec763d81f016ba2f230bbcff7a6c30cc82

Download Submit
C:\Windows\System32\C_10010.NLS.smert

Filesize
64KB

MD5
501ba545c539c473b6b0eb0e97e348eb

SHA1
4f68a74f928802b899a7948c9c40182c31ef2f52

SHA256
ac7beb0bf74431914f114b02fe901969e70df8df8ef99768e43f0c9228863393

SHA512
71f0ff4d03f15c4797df7cc775437ab9a571abd45e56330135b5faa2eaec9ec78709cb2569bf382d78f0413905649612fde79e70af7f819e8421e74a6f486d3b

Download Submit
C:\Windows\System32\de-DE\MFC42.dll.mui.smert

Filesize
37KB

MD5
43f2ecf0bf7712ea198e73f786574995

SHA1
30aa7397ea3d23dd5d2bd6c1f7815a0eea2d7196

SHA256
6a081d070a70c45d2c138a94f61ef0578ea40cd841fa20e1fc4fe044073e00ff

SHA512
c9607109be0223b302acacc0264564d1a935e2d41a00ed12d76a8608f82208324142f449f17ab6a30af94dd96cf780d1765d01a4362ca9690dc7dad55a27a0de

Download Submit
C:\Windows\ehome\fr-FR\ehjpnime.dll.mui.smert

Filesize
2KB

MD5
d91dc58589a605cc0de5ef31a85b8d7c

SHA1
5cd8988bae72f3d17a29354060bd2878864c5ade

SHA256
3285ff24660ff2c12cf8e993cdfcb91795827f2124b98293258614aed4574e73

SHA512
389aeb26ecbfdca278bd6b209ad4c54bbbdc7d0bb991abf652651200bb1acc736eba8db907ecebab7cb45c0c8683ee46c04adf3e618a2e7664097c3f771bb762

Download Submit
C:\Windows\ehome\ja-JP\ehchsime.dll.mui.smert

Filesize
2KB

MD5
d7fb51b5fce5973453d766ba297ca2e1

SHA1
b495a3e6e9186c2891d0cdeee19350b33bb499d7

SHA256
d35227836ff68f68ce5472dfc4125f4ce3f9af04767afaf58f2e48ef65b10d0f

SHA512
07b62ff2e518eac912e58244c5b329e254f9f951d6a4f0c96f867c59d5071bd4eaa6dc0b5d6f3d3b5986a9ccd3d932debaa7e94b16e5c4d173544425c4e89828

Download Submit
C:\Windows\inf\hcw72b64.PNF.smert

Filesize
57KB

MD5
aac31153a755404930fb8fed5185fec9

SHA1
36ef62f1d5b26c916eeec7f39c98ff2702aa901b

SHA256
1bfa8f0e0ba9ebc4f33c3f71481f6756b37399713955b5a9ce748d29e86f3f6c

SHA512
36640ff7b8152398e5b906fc571ee60712ef129b7f91c2b9687c108f7462a3b83e0e38905db103fb89613437eb41fb1a39d4c9ef71af92feb165cddf00489d32

Download Submit
C:\Windows\inf\hdaudss.inf.smert

Filesize
70KB

MD5
74bd9b8260c48dac7fe61ec5ed22bf35

SHA1
b0b6d4db175fee6f3aaa38e6959353ec325e22b2

SHA256
6c2534cfa79ce1e6034efd34ffd860eedcff9b9f02de620caca169ebf5a4be58

SHA512
4b740b22c2ee7ecd9e780051a4335328b86c88f1a58633df4705ae02b0a78abfd7dc74e692f06af16451a6dc2ed1618f33fbf81cfd12b238b4c1f1cb70b38dba

Download Submit
C:\Windows\inf\lsi_scsi.inf.smert

Filesize
6KB

MD5
b00a23695155aee1014d81a627b233bd

SHA1
cc70c57624319e227dfe78e38be93e8326ae744c

SHA256
df8f50e9c8cb50c8b6eb1cfcf90ff3d4700477fc3e5becf2b6945f0035c37d09

SHA512
138c5852f8a93d58e2b8db6b9cb17a264d582b6d47771ef4b75ce770287cb1f98389d5af5a49b4db22b185bdbcf897457dc276a6745faf9054cae7414ca80719

Download Submit
C:\Windows\inf\mdmdyna.inf.smert

Filesize
84KB

MD5
a122f5af69d0a8c43706794c24b4b968

SHA1
f53ceea1af0470352f86c8e8ede0170d04b1de71

SHA256
c464798fa212fa8141922d0bb5710bc74e32279540beba033bf08d5703bcb61a

SHA512
bed2a182d75abd232952c85bf78e0ac51c0d9101dd36b2c9de518d89ab5f92abfe6e5e2598a47ad726ccbd9d71890d54e82e2afd46332cbe35847f6cd61597ac

Download Submit
C:\Windows\inf\prnts003.PNF.smert

Filesize
15KB

MD5
d5fb72f72af4bf0238a0eeaa8baccbae

SHA1
171024a7bbe3576c4e9a5384663bd94eebadbf72

SHA256
3b3d5788eb8095a0d426e4b9c3ac9359903b01d68abb50cba00d070079966a0d

SHA512
665434dc14639197d4e9a81021278c48ffb4bd1599b5f34f7d1772cb8002dbed4cfcd2fba26bd88b6b372c82190d0cd437a6c65fd1df0edaaa85847f151b4016

Download Submit
C:\Windows\inf\tpm.inf.smert

Filesize
8KB

MD5
49a51e930c59361c1efc251cd7d083de

SHA1
70d6ce075d2cc1d6c5ad785829e36b543740bf55

SHA256
f6346cfa02616a20af320aaa45f10979da259d2b09010ec2abb54895d23d8b56

SHA512
6c019fbd28ff6ba43f4436d34f75d3483dcba025200edb726717de50a97eed1f337f36aabd274f2b9c29008e2fe3bb5c5a6ae79852ab6cec6e88be5b76b38e0e

Download Submit