81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd

Analysis

max time kernel
131s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
Size

138KB
MD5

58b9169440a6b13ad0883200a49ed35a
SHA1

0df5d7faee37b8cadc09fc1fde95cd9780958709
SHA256

81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd
SHA512

be538d9825779b006a7d45ccd70c55b75ef41a9bcd55086e23550e842cdf6ca1258e3ed97c3c12b38b4f9c18f7b789d5e814033c6a76b78158484543d031f463
SSDEEP

1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPS:r7YubEwYXRWhpAJUHhzm4hUukS6Kmeco

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

2728 smss.exe

pid	process
2728	smss.exe

Drops file in System32 directory 3 IoCs

Processes:

81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exesmss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1988 sc.exe
3616 sc.exe
3972 sc.exe
4408 sc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exesmss.exe

pid process

3524 81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
2728 smss.exe

pid	process
1988	sc.exe
3616	sc.exe
3972	sc.exe
4408	sc.exe

pid	process
3524	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
2728	smss.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exesmss.exe

description	pid	process	target process
PID 3524 wrote to memory of 1988	3524	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 3524 wrote to memory of 1988	3524	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 3524 wrote to memory of 1988	3524	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 3524 wrote to memory of 3616	3524	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 3524 wrote to memory of 3616	3524	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 3524 wrote to memory of 3616	3524	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	sc.exe
PID 3524 wrote to memory of 2728	3524	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	smss.exe
PID 3524 wrote to memory of 2728	3524	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	smss.exe
PID 3524 wrote to memory of 2728	3524	81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe	smss.exe
PID 2728 wrote to memory of 3972	2728	smss.exe	sc.exe
PID 2728 wrote to memory of 3972	2728	smss.exe	sc.exe
PID 2728 wrote to memory of 3972	2728	smss.exe	sc.exe
PID 2728 wrote to memory of 4408	2728	smss.exe	sc.exe
PID 2728 wrote to memory of 4408	2728	smss.exe	sc.exe
PID 2728 wrote to memory of 4408	2728	smss.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe
"C:\Users\Admin\AppData\Local\Temp\81f6d733aceb61d4b0a5232bf0a08dadebddd56e0473caf72f24d623c563c7cd.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
2⤵
- Launches sc.exe
PID:1988

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
2⤵
- Launches sc.exe
PID:3616

C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
3⤵
- Launches sc.exe
PID:3972

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
3⤵
- Launches sc.exe
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1230\smss.exe

Filesize
138KB

MD5
1831da23a502c68dd808bdb08d1b1ddd

SHA1
2c54489580879eb01971d707a9d46a9cb1ebecb1

SHA256
9f043c61e7e18098266430a54ed5336a5827bb2fc13f356a06a0fc8609326b94

SHA512
868d77f24094f328ad1403b7fe0ce00547feacabea7e96abe5452ee13fd19d8ac575c8193dc16726f251ca38190254c97318c73da1054a43041f24909de0dde5

Download Submit