81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd

General

Target

81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
Size

138KB
MD5

58b9169440a6b13ad0883200a49ed35a
SHA1

0df5d7faee37b8cadc09fc1fde95cd9780958709
SHA256

81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd
SHA512

be538d9825779b006a7d45ccd70c55b75ef41a9bcd55086e23550e842cdf6ca1258e3ed97c3c12b38b4f9c18f7b789d5e814033c6a76b78158484543d031f463
SSDEEP

1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPS:r7YubEwYXRWhpAJUHhzm4hUukS6Kmeco

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

2780 smss.exe

pid	process
2780	smss.exe

Loads dropped DLL 2 IoCs

Processes:

81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe

pid	process
2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe

Drops file in System32 directory 3 IoCs

Processes:

81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exesmss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1284 sc.exe
2968 sc.exe
2844 sc.exe
1668 sc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exesmss.exe

pid process

2100 81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
2780 smss.exe

pid	process
1284	sc.exe
2968	sc.exe
2844	sc.exe
1668	sc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exesmss.exe

description	pid	process	target process
PID 2100 wrote to memory of 1668	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 2100 wrote to memory of 1668	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 2100 wrote to memory of 1668	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 2100 wrote to memory of 1668	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 2100 wrote to memory of 1284	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 2100 wrote to memory of 1284	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 2100 wrote to memory of 1284	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 2100 wrote to memory of 1284	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 2100 wrote to memory of 2780	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	smss.exe
PID 2100 wrote to memory of 2780	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	smss.exe
PID 2100 wrote to memory of 2780	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	smss.exe
PID 2100 wrote to memory of 2780	2100	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	smss.exe
PID 2780 wrote to memory of 2968	2780	smss.exe	sc.exe
PID 2780 wrote to memory of 2968	2780	smss.exe	sc.exe
PID 2780 wrote to memory of 2968	2780	smss.exe	sc.exe
PID 2780 wrote to memory of 2968	2780	smss.exe	sc.exe
PID 2780 wrote to memory of 2844	2780	smss.exe	sc.exe
PID 2780 wrote to memory of 2844	2780	smss.exe	sc.exe
PID 2780 wrote to memory of 2844	2780	smss.exe	sc.exe
PID 2780 wrote to memory of 2844	2780	smss.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
"C:\Users\Admin\AppData\Local\Temp\81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
2⤵
- Launches sc.exe
PID:1668

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
2⤵
- Launches sc.exe
PID:1284

C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
3⤵
- Launches sc.exe
PID:2968

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
3⤵
- Launches sc.exe
PID:2844

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\1230\smss.exe
Filesize
138KB

MD5
2007273c532b64c2a9a817a9fac9c6eb

SHA1
b6572b88cd9946a13e93a0756e3f642ce6b173ba

SHA256
a45746249feff67e38be583d1ad5da88035a7715d8b4044dc859c895f54bc8f8

SHA512
a2fcc59aa29d35c8c81891783f94daeb8299214589deab2e7edeb82c76fad7a388c719f75fb89499a2f6cf66ed7bf187009afbbde8cdbe995a58fba649d66a9c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads