f180918ae626e83ff83064c7342bfc202491a661284cb0dcb68eb3481e4792f9

Analysis

max time kernel
137s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sm-online.exe
Size

1.9MB
MD5

bccb6c12a3452abd59b71f499c2797f5
SHA1

97fc6b43506164c747a71e0ecf065f4f12f6d0a2
SHA256

f180918ae626e83ff83064c7342bfc202491a661284cb0dcb68eb3481e4792f9
SHA512

3c22ca6fcaa4fb738357943765696d6c05dfb759ae89196bcfeec79daf837d0d579e42fe613992a69334f61af64e6960cdd5965128cf121880024bafdcab87ea
SSDEEP

49152:It4ZnXnnCILzepJ6LkxUntZwCyKy0MxwTMR7bt7X:ItgnXnnCILzeD6LkiZvhMR/t

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sm-online.exe

Executes dropped EXE 1 IoCs

pid	Process
4528	OnlineInstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sm-online.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OnlineInstall.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 4528	1464	sm-online.exe	94
PID 1464 wrote to memory of 4528	1464	sm-online.exe	94
PID 1464 wrote to memory of 4528	1464	sm-online.exe	94

C:\Users\Admin\AppData\Local\Temp\sm-online.exe
"C:\Users\Admin\AppData\Local\Temp\sm-online.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\OnlineInstall.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\OnlineInstall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4280,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
1⤵
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\OnlineInstall.exe

Filesize
4.0MB

MD5
ec9d8f6c8891d320c6df55f507f99521

SHA1
1c4ecb1696657b9e9d04957f73f1c0c90188a217

SHA256
bf03b8619bd571f9e11efc8e38afd93774280bf26666c52a300a84da6ac71b72

SHA512
42443ee0c54a5f3233b2a23e446735cafb9f761303cc95d4285bebb88671a8ad70ee1ba4e157c0ebc5ed32e1abe3c6706f13cb2dd5ade7bd70c771727e6633c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Check_Selected.png

Filesize
1KB

MD5
6d116dccaac5056d7d1f4a593d5ac0db

SHA1
242a6a198c7e1e22bda176065cf0b26a276b6f72

SHA256
0946efee104652f084c6fb2f271b06fcdfb50de893d64cd4287cc8e64deced92

SHA512
037c4cb011492a27da3f7a6d2e7e75cabac8c58eca3607d57df248491b4786247c08a2f9ffd5fe49d3ef0b9f862b3ecb4a4783e04b1801c13935f271df224e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Close_Nomal.png

Filesize
1KB

MD5
99fcff2aca703823e083cb90a3192146

SHA1
376158f2e3e6c4f42e67415f180539d562bd27fb

SHA256
cbe96210dc6c28e21625c01db80e510152eecbf4ddbc75a30feeefb9ffa318ef

SHA512
86b51f428a34f7de88f8aa5268028c86dee41a894ec3704c7ba10c0c8f7ef065af9c18d8d1999c903c5aa062abb2910630477b3b11db02f33c6e77373cff3d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Config.ini

Filesize
403B

MD5
ebc1e705794cb3b3b4da6a202615dff4

SHA1
214cffad28fec3f11988df9009ee8a99eeadc019

SHA256
f679fb8df3a97d0980856470dc5b46e473d2fdff1d5caf76728c0a150e77da71

SHA512
861c40c13928e19b798128e9b6f11dd5fae4f75f8d1bbeb0943e736aa3e2acc6847901231e89b7107bc0d7e11adbe3e58a4e9ebebbf919422503da77c858e96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Dropdown_Nomal.png

Filesize
1KB

MD5
79a297af3cc5d3501558bfc2344f250a

SHA1
7cae747038212afaf6ac69ae57e99cdf9a7ee97d

SHA256
0f8ed5fdb53a8895e0159855268e0b8bb084766473ceb3ced8b96209844e359f

SHA512
e5e4a5feb042725564885be76d8a6bf7d1e68fcd8734822c8f5b5653f1cef9065dfa7d07e57df24332a95567020bb9135ae2233b9d7fbe0a6caa4cd5691b0c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Installnow_nomal.png

Filesize
1KB

MD5
5a02fb88141286b03e5c96bfab807c11

SHA1
4639a647d31d267cf08f4d3e92d62e61749ca1fa

SHA256
7a668d959b0c980edb8fa1b1a359e881f7865a4ec78f879afb2460f99c45367c

SHA512
f6d8b34e7c60ec8ad8d43b6cdb449dd608d29efd2abe377b2439e8fbdb70b72b048948fb17a65dd8b4469c2c65bbfb2e7c583cb880441e26a0d41b14f1e27c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Language.ini

Filesize
80B

MD5
b242e5140134513d58d4930992d8d2c7

SHA1
64b208c1ed80183dbb0982cf33db7a4696f6c734

SHA256
7fab414a11faf0e49e79edce34cbc2b4eac52217b9db9b8b26630d7db35a79a6

SHA512
bea21e4135712513f1f80e1df287b6f45c143fbb9765312863bb6cca15922a7850303ade462574c130c19d3ff90c1174d232afff0f8175aff20eff52f5944cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\Main.png

Filesize
30KB

MD5
47e473f23178e31c2b426a187381746c

SHA1
f39a529d5872efeb190e72da07d724a5b8c87b24

SHA256
12d62f0da29795526a2c65097db14913c6c4de09ac7030916aced6308b83438e

SHA512
aafdbe3b4b159a4c75d2970da422f59dc7ac37eafdc9f567bd5ae4d4b292fc97256550f1b0a28a2c37e7e1620f5e08828d995133f509cc28f01422d3dbccc81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\skin_anima\MainUI.xml

Filesize
9KB

MD5
07b8f533f28315da1702b38a01e600c1

SHA1
f9c5d67efd32ea51ec7c01212bfc35256817c033

SHA256
44c1286c5b6ff50e0ea4291eb73b3810d4708abd38531c4da309d444b3ad7a3d

SHA512
39a1bf6b0a4f2b1d1f45449ee9a200cc27a9869ddb68296c878bb4a003ead2b0e982ae1422abaf37bd66a6e7deb2ba1993048d7cae3daf1896a32047c31cfaeb

Download Submit