9a468c067d267c82c34fcf04696b1d9958cbd995f5977a64489f712d348e9fa2

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6868977740f7ca1fa867b9a57a6d4690.exe
Size

133KB
MD5

6868977740f7ca1fa867b9a57a6d4690
SHA1

c65dd2b0d329ab6acf6fd074168ad066b9c40a9e
SHA256

9a468c067d267c82c34fcf04696b1d9958cbd995f5977a64489f712d348e9fa2
SHA512

b5432d49093b608cef1b86b35923b96181f4006a9219d2deee9a50d5b1f2d4f0e5e7c1e4277c09cd651b4dec2f53edd6d81643352f4c57f19e6a71360d76b3c3
SSDEEP

3072:DNE9j8b3ZXgKC1hX//iASOXRJzDOD26jKNmmuc0:hEebiKuX//iZOXRJ3OD26jR

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
3576	smss.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4068-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x0007000000022d53-5.dat	upx
behavioral2/files/0x0007000000022d53-6.dat	upx
behavioral2/memory/3576-10-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4068-11-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	NEAS.6868977740f7ca1fa867b9a57a6d4690.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3376	sc.exe
4456	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4068	NEAS.6868977740f7ca1fa867b9a57a6d4690.exe
3576	smss.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 3376	4068	NEAS.6868977740f7ca1fa867b9a57a6d4690.exe	84
PID 4068 wrote to memory of 3376	4068	NEAS.6868977740f7ca1fa867b9a57a6d4690.exe	84
PID 4068 wrote to memory of 3376	4068	NEAS.6868977740f7ca1fa867b9a57a6d4690.exe	84
PID 4068 wrote to memory of 3576	4068	NEAS.6868977740f7ca1fa867b9a57a6d4690.exe	86
PID 4068 wrote to memory of 3576	4068	NEAS.6868977740f7ca1fa867b9a57a6d4690.exe	86
PID 4068 wrote to memory of 3576	4068	NEAS.6868977740f7ca1fa867b9a57a6d4690.exe	86
PID 3576 wrote to memory of 4456	3576	smss.exe	87
PID 3576 wrote to memory of 4456	3576	smss.exe	87
PID 3576 wrote to memory of 4456	3576	smss.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.6868977740f7ca1fa867b9a57a6d4690.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6868977740f7ca1fa867b9a57a6d4690.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  PID:3376
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1230\smss.exe

Filesize
133KB

MD5
e01afab66f39b4804c04a47fb59d93ab

SHA1
d069e4fcd99fdb09a2765e48581a4eb497158845

SHA256
75b5ce18c6b81e71be7632edd92cbb1063d21b328ebd91f751326c34c6aa5f38

SHA512
ccd3a93fb060632225c1362a9b508bda2d37bfe23cec0ede60fdaa98a01059140fc3ce1716909d2624360b82c0ba846ac06426aa26c23139b2a2aea0c1db2524

Download Submit
C:\Windows\SysWOW64\1230\smss.exe

Filesize
133KB

MD5
e01afab66f39b4804c04a47fb59d93ab

SHA1
d069e4fcd99fdb09a2765e48581a4eb497158845

SHA256
75b5ce18c6b81e71be7632edd92cbb1063d21b328ebd91f751326c34c6aa5f38

SHA512
ccd3a93fb060632225c1362a9b508bda2d37bfe23cec0ede60fdaa98a01059140fc3ce1716909d2624360b82c0ba846ac06426aa26c23139b2a2aea0c1db2524

Download Submit
memory/3576-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4068-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4068-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download