1228fba822a3d86c342197d110d46c6c8a3104d69f577799141255016689cdc8

General

Target

3c446290d6fc0a1e0bb0abe68033e070N.exe
Size

74KB
MD5

3c446290d6fc0a1e0bb0abe68033e070
SHA1

a13dc12dcbddb7081cb5a55cbbddaf77f89f4dd2
SHA256

1228fba822a3d86c342197d110d46c6c8a3104d69f577799141255016689cdc8
SHA512

1000da0f248a5a8501101658b0814c410446890c9f72609729ac82d8962ecdafe0caef651c59deae11775e1dfd23a66749b85277fcc43864f2a12fd49b938f13
SSDEEP

1536:3Iq4Ts+P6Y8pEcUo50ACBDzvpjK+SVlAWaYFUIt/Q:QTVP6Y8pfU3DBD6VW1tIt/Q

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe SMSSwj.exe"	3c446290d6fc0a1e0bb0abe68033e070N.exe

Executes dropped EXE 1 IoCs

pid	Process
436	SMSSwj.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Service Host = "C:\\Windows\\svchost.exe"	3c446290d6fc0a1e0bb0abe68033e070N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\SMSSwj.exe"	3c446290d6fc0a1e0bb0abe68033e070N.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Cultures 3 Northland Crack.exe	SMSSwj.exe
File created	C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Zone Alarm Pro 4.0 Crack.exe	SMSSwj.exe
File created	C:\Windows\svchost.exe	3c446290d6fc0a1e0bb0abe68033e070N.exe
File created	C:\Windows\SMSSwj.exe	SMSSwj.exe
File created	C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro v4.0.1 Crack.exe	SMSSwj.exe
File opened for modification	C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\DVD X Studios CloneDVD 1.25 Crack.exe	SMSSwj.exe
File created	C:\Windows\SMSSwj.exe	3c446290d6fc0a1e0bb0abe68033e070N.exe
File opened for modification	C:\Windows\svchost.exe	SMSSwj.exe
File opened for modification	C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro v4.0.1 Crack.exe	SMSSwj.exe
File opened for modification	C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Cultures 3 Northland Crack.exe	SMSSwj.exe
File created	C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\DivX Pro 5.1 Crack.exe	SMSSwj.exe
File opened for modification	C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Zone Alarm Pro 4.0 Crack.exe	SMSSwj.exe
File opened for modification	C:\Windows\SMSSwj.exe	3c446290d6fc0a1e0bb0abe68033e070N.exe
File opened for modification	C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}	SMSSwj.exe
File created	C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\DVD X Studios CloneDVD 1.25 Crack.exe	SMSSwj.exe
File opened for modification	C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\DivX Pro 5.1 Crack.exe	SMSSwj.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c446290d6fc0a1e0bb0abe68033e070N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSSwj.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 436	5008	3c446290d6fc0a1e0bb0abe68033e070N.exe	83
PID 5008 wrote to memory of 436	5008	3c446290d6fc0a1e0bb0abe68033e070N.exe	83
PID 5008 wrote to memory of 436	5008	3c446290d6fc0a1e0bb0abe68033e070N.exe	83

C:\Users\Admin\AppData\Local\Temp\3c446290d6fc0a1e0bb0abe68033e070N.exe
"C:\Users\Admin\AppData\Local\Temp\3c446290d6fc0a1e0bb0abe68033e070N.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SMSSwj.exe
  C:\Windows\SMSSwj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SMSSwj.exe

Filesize
74KB

MD5
3c446290d6fc0a1e0bb0abe68033e070

SHA1
a13dc12dcbddb7081cb5a55cbbddaf77f89f4dd2

SHA256
1228fba822a3d86c342197d110d46c6c8a3104d69f577799141255016689cdc8

SHA512
1000da0f248a5a8501101658b0814c410446890c9f72609729ac82d8962ecdafe0caef651c59deae11775e1dfd23a66749b85277fcc43864f2a12fd49b938f13

Download Submit
C:\Windows\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}\BearShare Pro v4.0.1 Crack.exe

Filesize
74KB

MD5
eaf5c6704d475d5b998e9e51467a2a5d

SHA1
a04b1ed93d7002b4cd94c07a3b6a7af3568e71d9

SHA256
035af224dfd2feea81c3f9cf020a8140f2b96d7231402bececcaf71ef6e28810

SHA512
07958bc8d870320833cf2e80f7bf6c2869142a51c900b4fcda137b0d200a166dc67feefd0ca2aea3d75ad72369860060963544091f17a8624ef551b0f89b5d05

Download Submit
memory/436-41-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/436-43-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/436-45-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/436-46-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/436-60-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5008-4-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads