Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 04:45
Static task: static1
Behavioral task: behavioral1
Sample: eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe
Resource: win7-20240508-en
General
Target: eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe
Size: 119KB
MD5: 9afefa16d57d12b2e0ce91648d51f27e
SHA1: 44058a8d8d28963afb96106fbce5d319dd12dadb
SHA256: eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1
SHA512: 5d7f372ef0857bd9d1d43e2cf3a3cd02a1fd44d5ec312e93196fd5a2a533875f1a8e2e360bf58698ce1546c1d388c2bc38c664ae0f6804fa2db83d65f9f573ce
SSDEEP: 3072:OE9j8b3ZXgKC1hX//iASOXRJzDOD26j/3Dc69h:OEebiKuX//iZOXRJ3OD26jx3
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
2820 | smss.exe

Loads dropped DLL (2 IoCs)
pid | Process
2416 | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe
2416 | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\Service.exe | smss.exe
Launches sc.exe (2 IoCs)
sc.exe is a Windows utility to control services on the system.
pid | Process
1276 | sc.exe
1388 | sc.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2416 | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe
2820 | smss.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2416 wrote to memory of 1276 | 2416 | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe | 28
PID 2416 wrote to memory of 1276 | 2416 | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe | 28
PID 2416 wrote to memory of 1276 | 2416 | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe | 28
PID 2416 wrote to memory of 1276 | 2416 | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe | 28
PID 2416 wrote to memory of 2820 | 2416 | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe | 30
PID 2416 wrote to memory of 2820 | 2416 | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe | 30
PID 2416 wrote to memory of 2820 | 2416 | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe | 30
PID 2416 wrote to memory of 2820 | 2416 | eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe | 30
PID 2820 wrote to memory of 1388 | 2820 | smss.exe | 31
PID 2820 wrote to memory of 1388 | 2820 | smss.exe | 31
PID 2820 wrote to memory of 1388 | 2820 | smss.exe | 31
PID 2820 wrote to memory of 1388 | 2820 | smss.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2416
   2. C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      - Launches sc.exe
      PID: 1276
   2. C:\Windows\SysWOW64\1230\smss.exe
      Command line: C:\Windows\system32\1230\smss.exe -d
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2820
      3. C:\Windows\SysWOW64\sc.exe
         Command line: C:\Windows\system32\sc.exe stop wscsvc
         - Launches sc.exe
         PID: 1388
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 119KB
MD5: 519473f6f9aebee2622ae35b08df091f
SHA1: c483270ce5f629065024e4192aef554c2b0dab26
SHA256: 4d1a1bb20dad7a2bba7269886ab504976e628a885de2714d27810e05e3ab1790
SHA512: 4fae93174974f0b3eaf9c3b3525eea81589a215b7ba827687be3fd6a4dfbfcb82c7fa955798b1c730a9f3820677b42bb760bfa1cda66c26b2c8f52118df93c95