Analysis
-
max time kernel
45s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
25-12-2023 10:29
Static task
static1
Behavioral task
behavioral1
Sample
1743425a049c54fd167710d3086d2d89.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
1743425a049c54fd167710d3086d2d89.exe
Resource
win10v2004-20231215-en
General
-
Target
1743425a049c54fd167710d3086d2d89.exe
-
Size
27KB
-
MD5
1743425a049c54fd167710d3086d2d89
-
SHA1
6c048666dda20a16e173242ccee872669d063c31
-
SHA256
9d798ac5ca5db0dea0d4dfca69afa019009ad2e54fc2fb9a753074cb4cccb9a3
-
SHA512
451539922aca40e1b0eb8a943ed9ed608a7748fb1a0948ecbb2231952686e352dd6df2d841de181e5e564d689a65f61eb5c675f84a8e9ca927f281ce70d6eabd
-
SSDEEP
384:6bAMu9pFT5SlKyx5R4oEI3bedaBAWoWwyPydhQAi1WUhKZAgDdjY6cOvK6:6bxuRTolKyxrx8a2NpoMFUWUheR3w6
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\winlogon32.exe" (process: 1743425a049c54fd167710d3086d2d89.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\winlogon32.exe" (process: smss32.exe)
Note: the stock Userinit value is C:\Windows\system32\userinit.exe, (trailing comma included); replacing it makes winlogon start the dropped winlogon32.exe at every interactive logon. The write went through the Wow6432Node view and the file was dropped under SysWOW64 (see "Drops file in System32 directory"), so on a 64-bit host verify that the native 64-bit winlogon.exe actually reads this value before treating the persistence as live; on 32-bit Windows the two paths coincide.
-
UAC bypass 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 1743425a049c54fd167710d3086d2d89.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: smss32.exe)
Note: EnableLUA = 0 switches UAC off for the whole machine but only takes effect after a reboot; writing it requires the sample to already be running with administrative rights, which it has here (the analysis runs as the Admin user).
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
- PID 1764 smss32.exe
-
Loads dropped DLL 2 IoCs
- PID 2480 1743425a049c54fd167710d3086d2d89.exe (2 loads)
-
Adds Run key to start application 2 TTPs 4 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\smss32.exe = "C:\\Windows\\system32\\smss32.exe" (process: 1743425a049c54fd167710d3086d2d89.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss32.exe = "C:\\Windows\\system32\\smss32.exe" (process: 1743425a049c54fd167710d3086d2d89.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\smss32.exe = "C:\\Windows\\system32\\smss32.exe" (process: smss32.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss32.exe = "C:\\Windows\\system32\\smss32.exe" (process: smss32.exe)
Note: the same Run entry is written to both the machine hive (32-bit view) and the user hive, and both the dropper and its copy write it, so the autostart survives removal of either process alone.
-
Checks whether UAC is enabled 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 1743425a049c54fd167710d3086d2d89.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: smss32.exe)
-
Drops file in System32 directory 9 IoCs
- File created C:\Windows\SysWOW64\smss32.exe (process: 1743425a049c54fd167710d3086d2d89.exe)
- File opened for modification C:\Windows\SysWOW64\smss32.exe (process: 1743425a049c54fd167710d3086d2d89.exe)
- File created C:\Windows\SysWOW64\smss32.exe (process: smss32.exe)
- File created C:\Windows\SysWOW64\41.exe (process: smss32.exe)
- File created C:\Windows\SysWOW64\winlogon32.exe (process: 1743425a049c54fd167710d3086d2d89.exe)
- File opened for modification C:\Windows\SysWOW64\winlogon32.exe (process: smss32.exe)
- File opened for modification C:\Windows\SysWOW64\warnings.html (process: smss32.exe)
- File created C:\Windows\SysWOW64\helpers32.dll (process: smss32.exe)
- File created C:\Windows\SysWOW64\ES17.exe (process: smss32.exe)
-
Modifies Internet Explorer Phishing Filter 1 TTPs 10 IoCs
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\PhishingFilter (process: 1743425a049c54fd167710d3086d2d89.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\PhishingFilter (process: smss32.exe)
- Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter (process: 1743425a049c54fd167710d3086d2d89.exe)
- Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter (process: smss32.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0" (process: 1743425a049c54fd167710d3086d2d89.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (process: 1743425a049c54fd167710d3086d2d89.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (process: 1743425a049c54fd167710d3086d2d89.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0" (process: smss32.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (process: smss32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (process: smss32.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 1764 smss32.exe (64 events)
-
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 1764 smss32.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
- PID 1764 smss32.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
- PID 2480 (1743425a049c54fd167710d3086d2d89.exe) wrote to memory of PID 1764 (smss32.exe), sandbox target procid 17: 4 events
- PID 1764 (smss32.exe) wrote to memory of PID 2780 (regsvr32.exe), sandbox target procid 16: 7 events
Note: repeated WriteProcessMemory into a freshly created child is the usual precursor to injection or process hollowing, but the report raises no hollowing signature, so confirm from a memory capture rather than from these rows alone.
-
System policy modification 1 TTPs 14 IoCs
Key created (by both 1743425a049c54fd167710d3086d2d89.exe and smss32.exe):
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
Set value (int) (by both processes):
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop = "1"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges = "1"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper = "1"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
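The registry rows in the Signatures section are flattened three-column tables (operation, key path with optional value, writing process). The Python below is an added example, not part of the sandbox report or of any tool behind it: it parses rows of that shape into records, flags the writes this sample makes with an ATT&CK mapping, and resolves the WOW64 file-system redirection that explains why the registry values say system32 while the file-drop IoCs say SysWOW64. The policy table, the stock Userinit value, treating the S-1-5-21... hive as HKCU, and the T1562.001 / T1112 IDs for the phishing-filter and desktop-policy writes (which the report's ATT&CK section does not list) are this example's own assumptions.

```python
"""Added example, not part of the sandbox report: parse flattened registry IoC rows,
flag the writes that matter, and resolve WOW64 path redirection. Policy table,
default Userinit value, the HKCU shorthand for the user SID and the ATT&CK IDs for
the phishing-filter and desktop-policy writes are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: six rows copied from the report's Signatures section, one per line.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\winlogon32.exe" smss32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss32.exe = "C:\\Windows\\system32\\smss32.exe" smss32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\PhishingFilter smss32.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" smss32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper = "1" smss32.exe
'''

# One row: '<op> <\REGISTRY\... path>[ = "<value>"] <process>'. Key paths contain spaces
# ("Windows NT", "Internet Explorer"), so the path is matched lazily and the process
# name is anchored as the final whitespace-free token.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")? '
    r'(?P<proc>\S+)$'
)
MACHINE = '\\REGISTRY\\MACHINE\\'
USER = '\\REGISTRY\\USER\\'
DEFAULT_USERINIT = 'C:\\Windows\\system32\\userinit.exe,'   # stock value; the comma is part of it


@dataclass
class RegEvent:
    op: str             # "Set value" or "Key created"
    hive: str           # HKLM, or HKCU for the logged-on user's SID (assumption)
    key: str            # key path with any Wow6432Node component removed
    name: str           # value name, empty for "Key created"
    value: Optional[str]
    wow64_view: bool    # True if written through the Wow6432Node (32-bit) registry view
    process: str


def parse_row(row: str) -> RegEvent:
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f'unrecognised IoC row: {row!r}')
    path = m.group('path')
    if path.startswith(MACHINE):
        hive, rest = 'HKLM', path[len(MACHINE):]
    elif path.startswith(USER):
        hive, rest = 'HKCU', path[len(USER):].split('\\', 1)[1]   # drop the SID component
    else:
        raise ValueError(f'unexpected hive in {path!r}')
    wow64 = 'Wow6432Node\\' in rest
    rest = rest.replace('Wow6432Node\\', '')
    if m.group('op').startswith('Key'):
        op, key, name = 'Key created', rest, ''
    else:
        op, (key, _, name) = 'Set value', rest.rpartition('\\')
    value = m.group('value')
    if value is not None:
        value = value.replace('\\\\', '\\')   # the report prints string values with doubled backslashes
    return RegEvent(op, hive, key, name, value, wow64, m.group('proc'))


def assess(ev: RegEvent) -> Optional[Tuple[str, str]]:
    """Return (finding, ATT&CK technique) for events worth flagging, else None."""
    k, n, v = ev.key.lower(), ev.name.lower(), ev.value
    if k.endswith('currentversion\\winlogon') and n == 'userinit':
        if v is not None and v.lower() != DEFAULT_USERINIT.lower():
            return (f'Userinit hijacked: {v}', 'T1547.004 Winlogon Helper DLL')
        return None
    if k.endswith('currentversion\\run'):
        return (f'Run key {ev.name} -> {v}', 'T1547.001 Registry Run Keys / Startup Folder')
    if k.endswith('policies\\system') and n == 'enablelua' and v == '0':
        return ('UAC disabled (EnableLUA=0)', 'T1548.002 Bypass User Account Control')
    if k.endswith('policies\\system') and n == 'disabletaskmgr' and v == '1':
        return ('Task Manager disabled', 'T1562.001 Disable or Modify Tools')
    if k.endswith('internet explorer\\phishingfilter') and n in ('enabled', 'enabledv8') and v == '0':
        return ('IE phishing filter disabled', 'T1562.001 Disable or Modify Tools')
    if (k.endswith('policies\\explorer') or k.endswith('policies\\activedesktop')) and v == '1':
        return (f'Desktop lockdown policy {ev.name}=1', 'T1112 Modify Registry')
    return None


def resolve_wow64_path(path: str, process_is_32bit: bool, host_is_64bit: bool = True) -> str:
    """Where a System32 path written by the sample lands on disk: a 32-bit process on
    64-bit Windows has C:\\Windows\\System32 redirected to C:\\Windows\\SysWOW64."""
    prefix = 'c:\\windows\\system32\\'
    if host_is_64bit and process_is_32bit and path.lower().startswith(prefix):
        return 'C:\\Windows\\SysWOW64\\' + path[len(prefix):]
    return path


def analyze(rows: str) -> List[Dict[str, str]]:
    """Parse every row and return the flagged findings in row order."""
    findings = []
    for line in rows.strip().splitlines():
        ev = parse_row(line)
        hit = assess(ev)
        if hit:
            findings.append({'finding': hit[0], 'technique': hit[1], 'process': ev.process,
                             'view': 'Wow6432Node' if ev.wow64_view else 'native'})
    return findings
```

Running `analyze(SAMPLE_ROWS)` yields five findings (the bare "Key created" row is parsed but not flagged), with the Userinit write marked as coming through the Wow6432Node view. `resolve_wow64_path("C:\\Windows\\system32\\winlogon32.exe", process_is_32bit=True)` returns the SysWOW64 path, which is exactly where the file-drop IoCs place winlogon32.exe; the same call with `process_is_32bit=False` returns the path unchanged, which is the view a native 64-bit winlogon.exe would have of it.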
Processes
-
C:\Users\Admin\AppData\Local\Temp\1743425a049c54fd167710d3086d2d89.exe
"C:\Users\Admin\AppData\Local\Temp\1743425a049c54fd167710d3086d2d89.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2480
-
C:\Windows\SysWOW64\smss32.exe
C:\Windows\system32\smss32.exe
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer Phishing Filter
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1764
-
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\system32\helpers32.dll
1⤵
PID:2780
Note: the command lines and registry values name system32 while the image paths resolve to SysWOW64. The sample is 32-bit (the resource tags include arch:x86) running on the windows7-x64 image, so WOW64 redirection applies: its System32 file writes land in SysWOW64 and its HKLM\SOFTWARE writes in Wow6432Node. regsvr32.exe (PID 2780) is shown at depth 1 rather than as a child of smss32.exe, but the WriteProcessMemory rows (1764 wrote to 2780, seven times) tie it to smss32.exe, which also dropped helpers32.dll; the /s switch silently registers that DLL as a COM server.
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1