Malware Analysis Report

2025-01-06 08:59

Sample ID: 240601-fm311saf9t
Target: f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17
SHA256: f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17
Tags: evasion, execution
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17

Threat Level: Likely malicious

The file f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17 was found to be: Likely malicious.

Malicious Activity Summary

Tags: evasion, execution

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:00

Reported

2024-06-01 05:02

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe"

Signatures

Stops running service(s)

Tags: evasion, execution

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1760 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | C:\Windows\SysWOW64\sc.exe
PID 1760 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | C:\Windows\SysWOW64\sc.exe
PID 1760 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | C:\Windows\SysWOW64\sc.exe
PID 1760 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | C:\Windows\SysWOW64\sc.exe
PID 1760 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 1760 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 1760 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 1760 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | C:\Windows\SysWOW64\1230\smss.exe
PID 3008 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe
PID 3008 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe
PID 3008 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe
PID 3008 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe

"C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe"

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

C:\Windows\SysWOW64\1230\smss.exe

C:\Windows\system32\1230\smss.exe -d

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

Network

N/A

Files

memory/1760-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\SysWOW64\1230\smss.exe

MD5 853d51e4e433780aac0d0298b6d64198
SHA1 74825c337eb65d690c05c99a92ac22e89425d5c9
SHA256 6e32ed8ab45c599bd4d21e10d889180a1910673db1454ba75faf083c7e79ea13
SHA512 16b3bde9a98b485f05caac4f2b953d737d433cb15a1225830c5ada41321284a77cca06699887b8cb11aba462374f5a672e5b5f6d31995b27de9af11d5c2c1e21

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:00

Reported

2024-06-01 05:02

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe"

Signatures

Stops running service(s)

Tags: evasion, execution

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | N/A
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe

"C:\Users\Admin\AppData\Local\Temp\f04e3e42779b84ca8a2b95945e299f5c80f1c890b2db4ee7703c67c4d93e4f17.exe"

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

C:\Windows\SysWOW64\1230\smss.exe

C:\Windows\system32\1230\smss.exe -d

C:\Windows\SysWOW64\sc.exe

C:\Windows\system32\sc.exe stop wscsvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
GB | 96.16.110.114:80 | | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
GB | 142.250.187.202:443 | | tcp
US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp

Files

memory/2112-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\SysWOW64\1230\smss.exe

MD5 133d7cb464d0cb9a96267b799cd0a4cc
SHA1 40947e2b0c1e18b9fad623cbdb931b72ed7a96dc
SHA256 f8c42c6d02bf0f7ae7e8bbbf5db6f1e45d54a3b250dd5b0484d5ec73032a2c95
SHA512 4c8d232fea3058802cf8911947dbdadf328b0ca54c80c3be7e6274cd02b850c0f7665cf251de761fe54f37a94b02902feeab82345612f075a131f5ff4014a57a