f99c428437782768906e67eb3f85817513c83fc504d6145fac32326a022cf4ec

General

Target

NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe
Size

117KB
MD5

63b30c9b43dbf2d523421350bfec0cd0
SHA1

a1d508b33f18675a36f8d3a93991b5e4a8a988b9
SHA256

f99c428437782768906e67eb3f85817513c83fc504d6145fac32326a022cf4ec
SHA512

6bd7cebb489294e66a34cfb07982b34e36b0dcb20fc9dfc5c31f1ce2cc8c8c15c61171ae7c94aaec504c6e9a0e213fc4d47e18c42afc6e080967393ea95a4f8a
SSDEEP

3072:OE9j8b3ZXgKC1hX//iASOXRJzDOD26j/3Dc3p:OEebiKuX//iZOXRJ3OD26j8p

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
2752	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe
1732	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1944	sc.exe
2708	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1732	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe
2752	smss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1944	1732	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe	28
PID 1732 wrote to memory of 1944	1732	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe	28
PID 1732 wrote to memory of 1944	1732	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe	28
PID 1732 wrote to memory of 1944	1732	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe	28
PID 1732 wrote to memory of 2752	1732	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe	30
PID 1732 wrote to memory of 2752	1732	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe	30
PID 1732 wrote to memory of 2752	1732	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe	30
PID 1732 wrote to memory of 2752	1732	NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe	30
PID 2752 wrote to memory of 2708	2752	smss.exe	31
PID 2752 wrote to memory of 2708	2752	smss.exe	31
PID 2752 wrote to memory of 2708	2752	smss.exe	31
PID 2752 wrote to memory of 2708	2752	smss.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.63b30c9b43dbf2d523421350bfec0cd0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  PID:1944
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1230\smss.exe

Filesize
117KB

MD5
7499ea138cfdcc3e5f519b0422b4e060

SHA1
c3421f52f01da98d2425aaeb94c6c5836de3501e

SHA256
4f17fcbde2e379afb5cac0a2306af73aca7354f0fa27c01f1479f0eaa7ed20b6

SHA512
3a88ebd2db7a6d85fa437a886dd2abf5bd004d23b6e514a8313ef4564e015c720494e4028d632c89b6bac51ac4c12d88a6abeb901fbb6be2a65d444dcc1cf8e6

Download Submit
C:\Windows\SysWOW64\1230\smss.exe

Filesize
117KB

MD5
7499ea138cfdcc3e5f519b0422b4e060

SHA1
c3421f52f01da98d2425aaeb94c6c5836de3501e

SHA256
4f17fcbde2e379afb5cac0a2306af73aca7354f0fa27c01f1479f0eaa7ed20b6

SHA512
3a88ebd2db7a6d85fa437a886dd2abf5bd004d23b6e514a8313ef4564e015c720494e4028d632c89b6bac51ac4c12d88a6abeb901fbb6be2a65d444dcc1cf8e6

Download Submit
C:\Windows\SysWOW64\1230\smss.exe

Filesize
117KB

MD5
7499ea138cfdcc3e5f519b0422b4e060

SHA1
c3421f52f01da98d2425aaeb94c6c5836de3501e

SHA256
4f17fcbde2e379afb5cac0a2306af73aca7354f0fa27c01f1479f0eaa7ed20b6

SHA512
3a88ebd2db7a6d85fa437a886dd2abf5bd004d23b6e514a8313ef4564e015c720494e4028d632c89b6bac51ac4c12d88a6abeb901fbb6be2a65d444dcc1cf8e6

Download Submit
\Windows\SysWOW64\1230\smss.exe

Filesize
117KB

MD5
7499ea138cfdcc3e5f519b0422b4e060

SHA1
c3421f52f01da98d2425aaeb94c6c5836de3501e

SHA256
4f17fcbde2e379afb5cac0a2306af73aca7354f0fa27c01f1479f0eaa7ed20b6

SHA512
3a88ebd2db7a6d85fa437a886dd2abf5bd004d23b6e514a8313ef4564e015c720494e4028d632c89b6bac51ac4c12d88a6abeb901fbb6be2a65d444dcc1cf8e6

Download Submit
\Windows\SysWOW64\1230\smss.exe

Filesize
117KB

MD5
7499ea138cfdcc3e5f519b0422b4e060

SHA1
c3421f52f01da98d2425aaeb94c6c5836de3501e

SHA256
4f17fcbde2e379afb5cac0a2306af73aca7354f0fa27c01f1479f0eaa7ed20b6

SHA512
3a88ebd2db7a6d85fa437a886dd2abf5bd004d23b6e514a8313ef4564e015c720494e4028d632c89b6bac51ac4c12d88a6abeb901fbb6be2a65d444dcc1cf8e6

Download Submit
memory/1732-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing