Windows
Analysis Report
SmartDeploy.exe
Overview
General Information
Detection
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a new user with administrator rights
Creates an undocumented autostart registry key
Disables UAC (registry)
Modifies the windows firewall
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to create new users
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Add User to Local Administrators Group
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: New User Created Via Net.EXE
Too many similar processes found
Uses 32bit PE files
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses reg.exe to modify the Windows registry
Classification
- System is w10x64
- SmartDeploy.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\SmartDeploy.exe" MD5: 6EC7109891D3E7807651FFAEFC36EB7A)
  - conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 7100 cmdline: C:\Windows\system32\cmd.exe /c net user /add Comprise S@mtwo345 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cmd.exe (PID: 6188 cmdline: C:\Windows\system32\cmd.exe /c net localgroup users Comprise /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cmd.exe (PID: 648 cmdline: C:\Windows\system32\cmd.exe /c net localgroup administrators Comprise /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cmd.exe (PID: 1216 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\PrintUI.exe /dl /n "Send To OneNote 2013" /q MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - printui.exe (PID: 5788 cmdline: C:\Windows\system32\PrintUI.exe /dl /n "Send To OneNote 2013" /q MD5: D39EFE3FAAF079EAD278F86FB1FCA8C0)
  - cmd.exe (PID: 3236 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\PrintUI.exe /dl /n "Fax" /q MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - printui.exe (PID: 4228 cmdline: C:\Windows\system32\PrintUI.exe /dl /n "Fax" /q MD5: D39EFE3FAAF079EAD278F86FB1FCA8C0)
  - cmd.exe (PID: 6048 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\net.exe Stop SPOOLER MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cmd.exe (PID: 7088 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\net.exe START SPOOLER MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cmd.exe (PID: 5788 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\netsh advfirewall firewall add rule name="SAM Rule In" dir=in action=allow protocol=TCP localport=2002 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - netsh.exe (PID: 1216 cmdline: C:\Windows\system32\netsh advfirewall firewall add rule name="SAM Rule In" dir=in action=allow protocol=TCP localport=2002 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
  - cmd.exe (PID: 3720 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\netsh advfirewall firewall add rule name="SAM Rule Out" dir=out action=allow protocol=TCP localport=2002 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - netsh.exe (PID: 4508 cmdline: C:\Windows\system32\netsh advfirewall firewall add rule name="SAM Rule Out" dir=out action=allow protocol=TCP localport=2002 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
  - cmd.exe (PID: 2204 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\reg ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0x0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - reg.exe (PID: 7080 cmdline: C:\Windows\system32\reg ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0x0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  - cmd.exe (PID: 6332 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - reg.exe (PID: 4136 cmdline: C:\Windows\system32\reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  - cmd.exe (PID: 6268 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Program Files (x86)\SAM 11" /t /e /g Users:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 1620 cmdline: C:\Windows\system32\cacls "C:\Program Files (x86)\SAM 11" /t /e /g Users:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 1216 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Program Files (x86)\SAM 11\Configuration" /t /e /g Users:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 3236 cmdline: C:\Windows\system32\cacls "C:\Program Files (x86)\SAM 11\Configuration" /t /e /g Users:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 2740 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Program Files (x86)\SAM 11\images" /t /e /g Users:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 5432 cmdline: C:\Windows\system32\cacls "C:\Program Files (x86)\SAM 11\images" /t /e /g Users:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 1800 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Program Files (x86)\SAM 11\Jobs" /t /e /g Everyone:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 1368 cmdline: C:\Windows\system32\cacls "C:\Program Files (x86)\SAM 11\Jobs" /t /e /g Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 4904 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Program Files (x86)\SAM 11\Languages" /t /e /g Users:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 2740 cmdline: C:\Windows\system32\cacls "C:\Program Files (x86)\SAM 11\Languages" /t /e /g Users:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 2256 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Program Files (x86)\SAM 11\logs" /t /e /g Everyone:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 1216 cmdline: C:\Windows\system32\cacls "C:\Program Files (x86)\SAM 11\logs" /t /e /g Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 6268 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Program Files (x86)\SAM 11\Themes" /t /e /g Everyone:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 1620 cmdline: C:\Windows\system32\cacls "C:\Program Files (x86)\SAM 11\Themes" /t /e /g Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 3872 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Program Files (x86)\SAM 11\tmpDownload" /t /e /g Everyone:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 1368 cmdline: C:\Windows\system32\cacls "C:\Program Files (x86)\SAM 11\tmpDownload" /t /e /g Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 3052 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Program Files (x86)\SAM 11\Update" /t /e /g Everyone:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 3068 cmdline: C:\Windows\system32\cacls "C:\Program Files (x86)\SAM 11\Update" /t /e /g Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 7100 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Program Files (x86)\SAM 11\Computers" /t /e /g Everyone:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 1368 cmdline: C:\Windows\system32\cacls "C:\Program Files (x86)\SAM 11\Computers" /t /e /g Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 1216 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Program Files (x86)\SAM 11\Users" /t /e /g Everyone:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 6268 cmdline: C:\Windows\system32\cacls "C:\Program Files (x86)\SAM 11\Users" /t /e /g Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 3260 cmdline: C:\Windows\system32\cmd.exe /c %SystemRoot%\system32\cacls "C:\Windows\System32\spool\PRINTERS" /t /e /g Everyone:f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - cacls.exe (PID: 1368 cmdline: C:\Windows\system32\cacls "C:\Windows\System32\spool\PRINTERS" /t /e /g Everyone:f MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  - cmd.exe (PID: 1620 cmdline: C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\SAM 11\SetEdgePolicies.reg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- spoolsv.exe (PID: 7116 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
- svchost.exe (PID: 5848 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
No configs have been found
No yara matches
System Summary
Source: | Author: Perez Diego (@darkquassar), oscd.community: |
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community): |
Source: | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): |
Source: | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: |
Source: | Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: vburov: |
No Suricata rule has matched
AV Detection
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_00405630 |
Source: | String found in binary or memory: |
Source: | Process created: |
Source: | Code function: | 0_2_00404900 |
Source: | File created: |
Source: | Code function: | 0_2_00415C60 | |
Source: | Code function: | 0_2_00414E40 |
Source: | Static PE information: |
Source: | Process created: |
Source: | Classification label: |
Source: | Code function: | 0_2_00404F10 |
Source: | Code function: | 0_2_00402E50 |
Source: | Code function: | 0_2_00404F10 |
Source: | File created: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | File read: |
Source: | Key opened: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | String found in binary or memory: |