31b06358dd0fcb38be8db06d0bb27f763b4cf8ea0043b0428b768baa1a57af54

Analysis

max time kernel
151s
max time network
37s
platform
windows7_x64
resource
win7v20210408
submitted
31-08-2021 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ssms.exe
Size

155KB
MD5

14a09a48ad23fe0ea5a180bee8cb750a
SHA1

ac3cdd673f5126bc49faa72fb52284f513929db4
SHA256

b14ccb3786af7553f7c251623499a7fe67974dde69d3dffd65733871cddf6b6d
SHA512

3f11e6f0fb03f2857f29f4ba296dd4fdbda93938b1516a80c18d656d67175fec910727ca447c7217e8edf9a160d9c7c02ebd9f35081a0071247d572d960e9734

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 20 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

pid	Process
820	ssms.exe
1620	ssms.exe
1696	ssms.exe
296	ssms.exe
1096	ssms.exe
1508	ssms.exe
1624	ssms.exe
1736	ssms.exe
508	ssms.exe
1988	ssms.exe

Loads dropped DLL 20 IoCs

pid	Process
2024	ssms.exe
2024	ssms.exe
820	ssms.exe
820	ssms.exe
1620	ssms.exe
1620	ssms.exe
1696	ssms.exe
1696	ssms.exe
296	ssms.exe
296	ssms.exe
1096	ssms.exe
1096	ssms.exe
1508	ssms.exe
1508	ssms.exe
1624	ssms.exe
1624	ssms.exe
1736	ssms.exe
1736	ssms.exe
508	ssms.exe
508	ssms.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File created	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe
File opened for modification	C:\Windows\SysWOW64\ssms.exe	ssms.exe

Runs .reg file with regedit 10 IoCs

pid	Process
1972	regedit.exe
1000	regedit.exe
572	regedit.exe
1116	regedit.exe
984	regedit.exe
1852	regedit.exe
1636	regedit.exe
1076	regedit.exe
1252	regedit.exe
824	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1456	2024	ssms.exe	25
PID 2024 wrote to memory of 1456	2024	ssms.exe	25
PID 2024 wrote to memory of 1456	2024	ssms.exe	25
PID 2024 wrote to memory of 1456	2024	ssms.exe	25
PID 1456 wrote to memory of 572	1456	cmd.exe	26
PID 1456 wrote to memory of 572	1456	cmd.exe	26
PID 1456 wrote to memory of 572	1456	cmd.exe	26
PID 1456 wrote to memory of 572	1456	cmd.exe	26
PID 2024 wrote to memory of 820	2024	ssms.exe	27
PID 2024 wrote to memory of 820	2024	ssms.exe	27
PID 2024 wrote to memory of 820	2024	ssms.exe	27
PID 2024 wrote to memory of 820	2024	ssms.exe	27
PID 820 wrote to memory of 1620	820	ssms.exe	32
PID 820 wrote to memory of 1620	820	ssms.exe	32
PID 820 wrote to memory of 1620	820	ssms.exe	32
PID 820 wrote to memory of 1620	820	ssms.exe	32
PID 1620 wrote to memory of 940	1620	ssms.exe	33
PID 1620 wrote to memory of 940	1620	ssms.exe	33
PID 1620 wrote to memory of 940	1620	ssms.exe	33
PID 1620 wrote to memory of 940	1620	ssms.exe	33
PID 940 wrote to memory of 1636	940	cmd.exe	34
PID 940 wrote to memory of 1636	940	cmd.exe	34
PID 940 wrote to memory of 1636	940	cmd.exe	34
PID 940 wrote to memory of 1636	940	cmd.exe	34
PID 1620 wrote to memory of 1696	1620	ssms.exe	35
PID 1620 wrote to memory of 1696	1620	ssms.exe	35
PID 1620 wrote to memory of 1696	1620	ssms.exe	35
PID 1620 wrote to memory of 1696	1620	ssms.exe	35
PID 1696 wrote to memory of 1060	1696	ssms.exe	36
PID 1696 wrote to memory of 1060	1696	ssms.exe	36
PID 1696 wrote to memory of 1060	1696	ssms.exe	36
PID 1696 wrote to memory of 1060	1696	ssms.exe	36
PID 1060 wrote to memory of 1076	1060	cmd.exe	37
PID 1060 wrote to memory of 1076	1060	cmd.exe	37
PID 1060 wrote to memory of 1076	1060	cmd.exe	37
PID 1060 wrote to memory of 1076	1060	cmd.exe	37
PID 1696 wrote to memory of 296	1696	ssms.exe	38
PID 1696 wrote to memory of 296	1696	ssms.exe	38
PID 1696 wrote to memory of 296	1696	ssms.exe	38
PID 1696 wrote to memory of 296	1696	ssms.exe	38
PID 296 wrote to memory of 2004	296	ssms.exe	39
PID 296 wrote to memory of 2004	296	ssms.exe	39
PID 296 wrote to memory of 2004	296	ssms.exe	39
PID 296 wrote to memory of 2004	296	ssms.exe	39
PID 2004 wrote to memory of 1116	2004	cmd.exe	40
PID 2004 wrote to memory of 1116	2004	cmd.exe	40
PID 2004 wrote to memory of 1116	2004	cmd.exe	40
PID 2004 wrote to memory of 1116	2004	cmd.exe	40
PID 296 wrote to memory of 1096	296	ssms.exe	41
PID 296 wrote to memory of 1096	296	ssms.exe	41
PID 296 wrote to memory of 1096	296	ssms.exe	41
PID 296 wrote to memory of 1096	296	ssms.exe	41
PID 1096 wrote to memory of 980	1096	ssms.exe	43
PID 1096 wrote to memory of 980	1096	ssms.exe	43
PID 1096 wrote to memory of 980	1096	ssms.exe	43
PID 1096 wrote to memory of 980	1096	ssms.exe	43
PID 980 wrote to memory of 1252	980	cmd.exe	42
PID 980 wrote to memory of 1252	980	cmd.exe	42
PID 980 wrote to memory of 1252	980	cmd.exe	42
PID 980 wrote to memory of 1252	980	cmd.exe	42
PID 1096 wrote to memory of 1508	1096	ssms.exe	44
PID 1096 wrote to memory of 1508	1096	ssms.exe	44
PID 1096 wrote to memory of 1508	1096	ssms.exe	44
PID 1096 wrote to memory of 1508	1096	ssms.exe	44

C:\Users\Admin\AppData\Local\Temp\ssms.exe
"C:\Users\Admin\AppData\Local\Temp\ssms.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - Runs .reg file with regedit
    PID:572
- C:\Windows\SysWOW64\ssms.exe
  C:\Windows\system32\ssms.exe 472 "C:\Users\Admin\AppData\Local\Temp\ssms.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\ssms.exe
    C:\Windows\system32\ssms.exe 544 "C:\Windows\SysWOW64\ssms.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\a.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1636
  - - C:\Windows\SysWOW64\ssms.exe
      C:\Windows\system32\ssms.exe 552 "C:\Windows\SysWOW64\ssms.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1076
    - - C:\Windows\SysWOW64\ssms.exe
        
        C:\Windows\system32\ssms.exe 548 "C:\Windows\SysWOW64\ssms.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:296
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1116
      - C:\Windows\SysWOW64\ssms.exe
        
        C:\Windows\system32\ssms.exe 556 "C:\Windows\SysWOW64\ssms.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\ssms.exe
        
        C:\Windows\system32\ssms.exe 560 "C:\Windows\SysWOW64\ssms.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        8⤵
        
        PID:516
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:984
        
        C:\Windows\SysWOW64\ssms.exe
        
        C:\Windows\system32\ssms.exe 568 "C:\Windows\SysWOW64\ssms.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        9⤵
        
        PID:696
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1852
        
        C:\Windows\SysWOW64\ssms.exe
        
        C:\Windows\system32\ssms.exe 564 "C:\Windows\SysWOW64\ssms.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        10⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:824
        
        C:\Windows\SysWOW64\ssms.exe
        
        C:\Windows\system32\ssms.exe 576 "C:\Windows\SysWOW64\ssms.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        11⤵
        
        PID:428
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1972
        
        C:\Windows\SysWOW64\ssms.exe
        
        C:\Windows\system32\ssms.exe 572 "C:\Windows\SysWOW64\ssms.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        12⤵
        
        PID:936
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1000

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
1⤵
- Modifies security service
- Runs .reg file with regedit
PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-61-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download