Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20/02/2024, 14:58
Static task: static1
Behavioral task: behavioral1
  Sample: 6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19.exe
  Resource: win10v2004-20231215-en
General
Target: 6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19.exe
Size: 100KB
MD5: 86134e6029ca8ef5671ddd6611b8c554
SHA1: 045007b8b8c25bf082b1026fca6a95196d4432c9
SHA256: 6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19
SHA512: 29ae3afed735143bd66e87f5cd36b964c38541191e1761feaeff16488225ce2e14b6e307bb1d31563bbdd7fd10b405e4ed22185f19e00dc8dea51f3d0f2d8923
SSDEEP: 768:W7nkhCphZkSwprRN8tdhin4ak/4LojJRisR5bGJEY8ogXKCC6FQxBDGO+T5/Qcw9:+pbQrTCaU4miBEZoa8y4BgucZu
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid  | Process
  2432 | smss.exe
  2576 | smss.exe
- Loads dropped DLL (2 IoCs)
  pid  | Process
  2920 | cmd.exe
  2920 | cmd.exe
- Drops file in Windows directory (2 IoCs)
  description                  | ioc                        | Process
  File opened for modification | C:\Windows\system\smss.exe | 6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19.exe
  File created                 | C:\Windows\system\smss.exe | 6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                     | pid  | Process                                                              | procid_target
  PID 880 wrote to memory of 2920 | 880  | 6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19.exe | 28
  PID 880 wrote to memory of 2920 | 880  | 6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19.exe | 28
  PID 880 wrote to memory of 2920 | 880  | 6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19.exe | 28
  PID 880 wrote to memory of 2920 | 880  | 6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19.exe | 28
  PID 2920 wrote to memory of 2432 | 2920 | cmd.exe                                                             | 30
  PID 2920 wrote to memory of 2432 | 2920 | cmd.exe                                                             | 30
  PID 2920 wrote to memory of 2432 | 2920 | cmd.exe                                                             | 30
  PID 2920 wrote to memory of 2432 | 2920 | cmd.exe                                                             | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19.exe"
  PID: 880
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\system\smss.exe
    PID: 2920
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system\smss.exe
      Command line: C:\Windows\system\smss.exe
      PID: 2432
      - Executes dropped EXE
- C:\Windows\system\smss.exe
  Command line: C:\Windows\system\smss.exe
  PID: 2576
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 100KB
  MD5: 86134e6029ca8ef5671ddd6611b8c554
  SHA1: 045007b8b8c25bf082b1026fca6a95196d4432c9
  SHA256: 6edab3de0a372dc72fdc2c79bc1eefaf0a93968715417b5dab666375852aee19
  SHA512: 29ae3afed735143bd66e87f5cd36b964c38541191e1761feaeff16488225ce2e14b6e307bb1d31563bbdd7fd10b405e4ed22185f19e00dc8dea51f3d0f2d8923