79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf

General

Target

79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf.exe
Size

136KB
MD5

d2d25fa0c2462543bb7dd86ee89231ad
SHA1

0c4a54ea532f63323b043eef518632a04dc38945
SHA256

79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf
SHA512

f2780d8c7ecf8a60dae388f3867d8ec649143c878af824e232235ac059311809adb178c5d99e547098aad89434e5dd6c92ccbc9774cc569c552d1297a59930f1
SSDEEP

3072:yMjI0bOcUUqmrwvkRJJcbQMbjDhhTbz6rHdCl18QbIdMyU939BCDSANzj/W:yMMMBtbJcbQMbxh/zWAmEIZMtBCDSAN

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1048	smss.exe
1292	winsccoo.exe
1572	smss.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/276-54-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/276-58-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/files/0x000a00000001231e-59.dat	upx
behavioral1/memory/1292-60-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1292-65-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/276-66-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	smss.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\smss.exe	79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf.exe
File created	C:\Windows\winsccoo.exe	79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf.exe
File created	C:\Windows\smss.exe	winsccoo.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	smss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}\WpadDecisionTime = 0078413191ccd801	smss.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}\6e-89-29-0b-ef-3b	smss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-89-29-0b-ef-3b\WpadDecisionTime = 0078413191ccd801	smss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-89-29-0b-ef-3b\WpadDecision = "0"	smss.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	smss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	smss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}\WpadDecisionReason = "1"	smss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}\WpadDecision = "0"	smss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	smss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	smss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	smss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	smss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	smss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	smss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	smss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	smss.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}	smss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A6E584D-80D2-4A61-9921-68D8E30B4145}\WpadNetworkName = "Network 3"	smss.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-89-29-0b-ef-3b	smss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-89-29-0b-ef-3b\WpadDecisionReason = "1"	smss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	smss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	smss.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	smss.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
276	79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 276 wrote to memory of 1048	276	79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf.exe	28
PID 276 wrote to memory of 1048	276	79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf.exe	28
PID 276 wrote to memory of 1048	276	79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf.exe	28
PID 276 wrote to memory of 1048	276	79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf.exe	28
PID 1292 wrote to memory of 1572	1292	winsccoo.exe	32
PID 1292 wrote to memory of 1572	1292	winsccoo.exe	32
PID 1292 wrote to memory of 1572	1292	winsccoo.exe	32
PID 1292 wrote to memory of 1572	1292	winsccoo.exe	32

C:\Users\Admin\AppData\Local\Temp\79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf.exe
"C:\Users\Admin\AppData\Local\Temp\79ebe775dadcbcc4a97d6ffe843af6ebff9249d4e5964e5c58dd691e63d1e8cf.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:276
- C:\Windows\smss.exe
  C:\Windows\smss.exe
  2⤵
  - Executes dropped EXE
  PID:1048

C:\Windows\winsccoo.exe
C:\Windows\winsccoo.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\smss.exe
  C:\Windows\smss.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\smss.exe

Filesize
264KB

MD5
bcf6b5e42641eed002efefb594d3fb3a

SHA1
a0055c296d440ee3ae1cb206c0f526a7817894be

SHA256
ab0d568bc568a705793eca394eaf77625f26a123cc122d59f488ad923c05bbeb

SHA512
3117a82df819c2ee29e3deda388f4d411a24bc2dd4932c8c2967e293d5e5818defaf33c740c6409735386170458354b0bdad3e4bc4b08df438c66b8dd1a41dd4

Download Submit
C:\Windows\smss.exe

Filesize
264KB

MD5
bcf6b5e42641eed002efefb594d3fb3a

SHA1
a0055c296d440ee3ae1cb206c0f526a7817894be

SHA256
ab0d568bc568a705793eca394eaf77625f26a123cc122d59f488ad923c05bbeb

SHA512
3117a82df819c2ee29e3deda388f4d411a24bc2dd4932c8c2967e293d5e5818defaf33c740c6409735386170458354b0bdad3e4bc4b08df438c66b8dd1a41dd4

Download Submit
C:\Windows\smss.exe

Filesize
264KB

MD5
bcf6b5e42641eed002efefb594d3fb3a

SHA1
a0055c296d440ee3ae1cb206c0f526a7817894be

SHA256
ab0d568bc568a705793eca394eaf77625f26a123cc122d59f488ad923c05bbeb

SHA512
3117a82df819c2ee29e3deda388f4d411a24bc2dd4932c8c2967e293d5e5818defaf33c740c6409735386170458354b0bdad3e4bc4b08df438c66b8dd1a41dd4

Download Submit
C:\Windows\winsccoo.exe

Filesize
136KB

MD5
7646aad058875973ec125bc8cbcaa27e

SHA1
90bd8dc0adf8f9e42c7d5e1f05061efaba4ce79e

SHA256
e733739814239cc1b29b7607bb03100bc53e925a14d1e90b4fc9e356c0348ed6

SHA512
0c380337d47de3b3293caa7687b8ddec06c18ee162632355440a605d229ab9ed5fec755bdc2f7609109cfefd0f548bdcb8cb3eb8ed69c95febe649ba092ed949

Download Submit
memory/276-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/276-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/276-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1048-55-0x0000000000000000-mapping.dmp

Download
memory/1048-57-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1292-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1292-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1572-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing