Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 04:45
- Static task: static1
- Behavioral task: behavioral1
  Sample: eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe
  Resource: win7-20240508-en
General
- Target: eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe
- Size: 119KB
- MD5: 9afefa16d57d12b2e0ce91648d51f27e
- SHA1: 44058a8d8d28963afb96106fbce5d319dd12dadb
- SHA256: eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1
- SHA512: 5d7f372ef0857bd9d1d43e2cf3a3cd02a1fd44d5ec312e93196fd5a2a533875f1a8e2e360bf58698ce1546c1d388c2bc38c664ae0f6804fa2db83d65f9f573ce
- SSDEEP: 3072:OE9j8b3ZXgKC1hX//iASOXRJzDOD26j/3Dc69h:OEebiKuX//iZOXRJ3OD26jx3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  4484  smss.exe

- Drops file in System32 directory (3 IoCs)
  description                   ioc                                Process
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe  eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe  smss.exe
  File opened for modification  C:\Windows\SysWOW64\Service.exe    smss.exe

- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid   Process
  3712  sc.exe
  212   sc.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  3192  eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe
  4484  smss.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid   Process                                                               procid_target
  PID 3192 wrote to memory of 3712    3192  eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe  82
  PID 3192 wrote to memory of 3712    3192  eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe  82
  PID 3192 wrote to memory of 3712    3192  eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe  82
  PID 3192 wrote to memory of 4484    3192  eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe  84
  PID 3192 wrote to memory of 4484    3192  eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe  84
  PID 3192 wrote to memory of 4484    3192  eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe  84
  PID 4484 wrote to memory of 212     4484  smss.exe                                                              85
  PID 4484 wrote to memory of 212     4484  smss.exe                                                              85
  PID 4484 wrote to memory of 212     4484  smss.exe                                                              85
Processes
- C:\Users\Admin\AppData\Local\Temp\eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb4ff92dabaa1f1c5e4075950976fe2ebbe576d1b670084e31607cfd9f8bfec1.exe"
  PID: 3192
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    PID: 3712
    - Launches sc.exe

  - C:\Windows\SysWOW64\1230\smss.exe
    Command line: C:\Windows\system32\1230\smss.exe -d
    PID: 4484
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      PID: 212
      - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 119KB
- MD5: 147e14462e61b9bede12daf39f70b17b
- SHA1: e7cece780acdcc501475bfd6b0f1a8caa28bead8
- SHA256: b45e02f20e9e87f5e50fd9be7dd998845e92dc9b90ea71e30ba8784b667ed7ba
- SHA512: 9819f38b44abe3638941a3141d4fb8a086c6b9246a333a147cb99a51406560e1d2418049ed34764bae9f559d46e45a7c503b40eb1132b5bb1eed4ad75ee7cebc