Analysis
max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags
arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
submitted
22-05-2024 23:44
Static task
static1
Behavioral task
behavioral1
Sample
81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
Resource
win7-20240419-en
General
Target
81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
Size
138KB
MD5
58b9169440a6b13ad0883200a49ed35a
SHA1
0df5d7faee37b8cadc09fc1fde95cd9780958709
SHA256
81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd
SHA512
be538d9825779b006a7d45ccd70c55b75ef41a9bcd55086e23550e842cdf6ca1258e3ed97c3c12b38b4f9c18f7b789d5e814033c6a76b78158484543d031f463
SSDEEP
1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPS:r7YubEwYXRWhpAJUHhzm4hUukS6Kmeco
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2780  smss.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2100  81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
  2100  81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
Drops file in System32 directory (3 IoCs)
Processes:
  description                   ioc                                 process
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   smss.exe
  File opened for modification  C:\Windows\SysWOW64\Service.exe     smss.exe
Launches sc.exe (4 IoCs)
sc.exe is the Windows utility for controlling services. Here it is invoked with "stop SharedAccess" (Windows Firewall / Internet Connection Sharing) and "stop wscsvc" (Windows Security Center), first by the sample and then again by the dropped smss.exe, i.e. defence evasion rather than ordinary service administration.
Processes:
  pid   process
  1284  sc.exe
  2968  sc.exe
  2844  sc.exe
  1668  sc.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  2100  81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
  2780  smss.exe
Suspicious use of WriteProcessMemory (20 IoCs; each write was logged 4 times)
Processes:
  description                         pid   process                                                                  target process  count
  PID 2100 wrote to memory of 1668    2100  81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe   sc.exe          4
  PID 2100 wrote to memory of 1284    2100  81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe   sc.exe          4
  PID 2100 wrote to memory of 2780    2100  81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe   smss.exe        4
  PID 2780 wrote to memory of 2968    2780  smss.exe                                                                 sc.exe          4
  PID 2780 wrote to memory of 2844    2780  smss.exe                                                                 sc.exe          4
Processes
(indentation shows parent/child depth; the image path is followed by the command line as launched)

C:\Users\Admin\AppData\Local\Temp\81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
  "C:\Users\Admin\AppData\Local\Temp\81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sc.exe
      C:\Windows\system32\sc.exe stop SharedAccess
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      C:\Windows\system32\sc.exe stop wscsvc
      - Launches sc.exe

    C:\Windows\SysWOW64\1230\smss.exe
      C:\Windows\system32\1230\smss.exe -d
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\sc.exe
          C:\Windows\system32\sc.exe stop SharedAccess
          - Launches sc.exe

        C:\Windows\SysWOW64\sc.exe
          C:\Windows\system32\sc.exe stop wscsvc
          - Launches sc.exe

Two details worth noting when hunting for this behaviour. The command lines say C:\Windows\system32\... while the logged image paths are under C:\Windows\SysWOW64\: the sample is a 32-bit binary (resource tag arch:x86) running on 64-bit Windows, so WOW64 file-system redirection maps its System32 writes and launches onto SysWOW64. The dropped payload is named smss.exe after the Windows Session Manager, but the genuine smss.exe runs only from C:\Windows\System32 and never from a numbered subdirectory such as SysWOW64\1230, so the path alone is a usable indicator.
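The two observations above (security services stopped via sc.exe, and a system-binary name running from the wrong directory) translate directly into detection logic. The following is an added example written for this page, not code from the sandbox vendor or from the sample. It runs over hand-constructed Sysmon-style process-creation records that mirror the process tree; the PIDs and paths come from the report, while the parent PID 1500 of the initial sample and the record layout are assumptions.

```python
"""Detection rules for the behaviour in this report, run over constructed
process-creation records (not sandbox output). Added example."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Services whose stop/delete/config by an arbitrary process is defence evasion.
# SharedAccess = Windows Firewall / ICS and wscsvc = Security Center are the two
# this sample stops; the others are common additional targets.
DEFENSE_SERVICES = {"sharedaccess", "wscsvc", "mpssvc", "windefend", "wuauserv"}

# Directories a genuine copy of each commonly imitated system binary may run
# from. smss.exe is a native 64-bit process with no SysWOW64 copy.
SYSTEM_BINARY_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as logged (after WOW64 redirection)
    cmdline: str    # command line as written by the parent


def sc_action(cmdline: str):
    """Return (verb, service) for an 'sc [server] stop|delete|config <svc>' line, else None."""
    toks = cmdline.replace('"', "").split()
    for i, tok in enumerate(toks):
        if ntpath.basename(tok).lower() in ("sc", "sc.exe"):
            rest = toks[i + 1:]
            if rest and rest[0].startswith("\\\\"):   # optional \\server argument
                rest = rest[1:]
            if len(rest) >= 2 and rest[0].lower() in ("stop", "delete", "config"):
                return rest[0].lower(), rest[1].lower()
            return None
    return None


def is_masquerade(image: str) -> bool:
    """True when a protected system-binary name runs from an unexpected directory."""
    expected = SYSTEM_BINARY_DIRS.get(ntpath.basename(image).lower())
    return expected is not None and ntpath.dirname(image).lower() not in expected


def detect(events):
    """Return (pid, rule, detail) tuples for every record that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else "<unknown>"
        action = sc_action(e.cmdline)
        if action and action[1] in DEFENSE_SERVICES:
            hits.append((e.pid, "defense_service_tamper",
                         f"sc {action[0]} {action[1]} spawned by {parent_image}"))
        if is_masquerade(e.image):
            hits.append((e.pid, "system_binary_masquerade",
                         f"{ntpath.basename(e.image)} running from {ntpath.dirname(e.image)}"))
    return hits


SAMPLE = "81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe"
TEMP_SAMPLE = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)
SC = r"C:\Windows\SysWOW64\sc.exe"

# Constructed records mirroring the report's process tree (ppid 1500 is assumed).
SAMPLE_EVENTS = [
    ProcEvent(2100, 1500, TEMP_SAMPLE, f'"{TEMP_SAMPLE}"'),
    ProcEvent(1668, 2100, SC, r"C:\Windows\system32\sc.exe stop SharedAccess"),
    ProcEvent(1284, 2100, SC, r"C:\Windows\system32\sc.exe stop wscsvc"),
    ProcEvent(2780, 2100, r"C:\Windows\SysWOW64\1230\smss.exe",
              r"C:\Windows\system32\1230\smss.exe -d"),
    ProcEvent(2968, 2780, SC, r"C:\Windows\system32\sc.exe stop SharedAccess"),
    ProcEvent(2844, 2780, SC, r"C:\Windows\system32\sc.exe stop wscsvc"),
]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<24} {detail}")
```

Run against the constructed records, the rules fire five times: four `defense_service_tamper` hits (one per sc.exe launch, each attributed to its parent image) and one `system_binary_masquerade` hit for smss.exe under SysWOW64\1230. Matching on the command line rather than the image path is deliberate: the parent wrote `system32` while the process actually ran from `SysWOW64`, and a rule keyed to one literal path would miss the other.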
Network
Downloads
\Windows\SysWOW64\1230\smss.exe
Filesize
138KB
MD5
2007273c532b64c2a9a817a9fac9c6eb
SHA1
b6572b88cd9946a13e93a0756e3f642ce6b173ba
SHA256
a45746249feff67e38be583d1ad5da88035a7715d8b4044dc859c895f54bc8f8
SHA512
a2fcc59aa29d35c8c81891783f94daeb8299214589deab2e7edeb82c76fad7a388c719f75fb89499a2f6cf66ed7bf187009afbbde8cdbe995a58fba649d66a9c

The dropped smss.exe has the same size as the submitted sample (138KB) but different hashes, so a hash-based indicator for one will not match the other; both sets of hashes should be included when building IoCs from this report.