2cbd385499fea091f10d18bdf4ad54794fdf000f5142d8cff8e0b2f748642194

Analysis

max time kernel
85s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 18:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9924ac9846d3370f5262b0e7027b82d0.exe
Size

38KB
MD5

9924ac9846d3370f5262b0e7027b82d0
SHA1

17e6a2cc18138e7eb210878ed16204323d5ce6fe
SHA256

2cbd385499fea091f10d18bdf4ad54794fdf000f5142d8cff8e0b2f748642194
SHA512

e42b7f68a0729a74d4d07924af893617d479dff66c0acd6ba031a041777fd00cb96777f5485a7f69521ecb27ac1031f8df3afc9b2c8d975a61ffe3148746e969
SSDEEP

768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cjSG:NWQa2TLEmITcoQxfllfmS1ct

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
2868	smss.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1296-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/files/0x0007000000023229-5.dat	upx
behavioral2/files/0x0007000000023229-6.dat	upx
behavioral2/memory/2868-11-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/1296-10-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	NEAS.9924ac9846d3370f5262b0e7027b82d0.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1856	sc.exe
4856	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1296	NEAS.9924ac9846d3370f5262b0e7027b82d0.exe
2868	smss.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1856	1296	NEAS.9924ac9846d3370f5262b0e7027b82d0.exe	85
PID 1296 wrote to memory of 1856	1296	NEAS.9924ac9846d3370f5262b0e7027b82d0.exe	85
PID 1296 wrote to memory of 1856	1296	NEAS.9924ac9846d3370f5262b0e7027b82d0.exe	85
PID 1296 wrote to memory of 2868	1296	NEAS.9924ac9846d3370f5262b0e7027b82d0.exe	86
PID 1296 wrote to memory of 2868	1296	NEAS.9924ac9846d3370f5262b0e7027b82d0.exe	86
PID 1296 wrote to memory of 2868	1296	NEAS.9924ac9846d3370f5262b0e7027b82d0.exe	86
PID 2868 wrote to memory of 4856	2868	smss.exe	87
PID 2868 wrote to memory of 4856	2868	smss.exe	87
PID 2868 wrote to memory of 4856	2868	smss.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.9924ac9846d3370f5262b0e7027b82d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9924ac9846d3370f5262b0e7027b82d0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  PID:1856
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1230\smss.exe

Filesize
38KB

MD5
1c780019fa78478632553047ce9de1c9

SHA1
cc1c5fcaa7fda8caa7fc5e7926832b8f896a200c

SHA256
ed3e15f31c246a822d4f68da28237c863f8383315b4b92bc3696226f90769d39

SHA512
6c88179c9544e9f9fb38f33da458f23d3489761bf9bd91f0d41314695da1d7eb758aa818ab032f2e192a556b964945cbd90b612e3aeff16327b4cbedb9ddb450

Download Submit
C:\Windows\SysWOW64\1230\smss.exe

Filesize
38KB

MD5
1c780019fa78478632553047ce9de1c9

SHA1
cc1c5fcaa7fda8caa7fc5e7926832b8f896a200c

SHA256
ed3e15f31c246a822d4f68da28237c863f8383315b4b92bc3696226f90769d39

SHA512
6c88179c9544e9f9fb38f33da458f23d3489761bf9bd91f0d41314695da1d7eb758aa818ab032f2e192a556b964945cbd90b612e3aeff16327b4cbedb9ddb450

Download Submit
memory/1296-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1296-10-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2868-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download