9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec

General

Target

9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe
Size

38KB
MD5

b6d7801c402a0b30436c83d80e078950
SHA1

f8fc2caf49fa0cda9c208d2998ab2bb929955600
SHA256

9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec
SHA512

2a9834245e79912ed886844f4422d90293b1b468e41c452f0303617a6dd16790389c4b8eb229d1ee22e0c2908ef08a9d5b35fd507882163d67d2d3066b89938a
SSDEEP

768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOV:NWQa2TLEmITcoQxfllfmS1cOV

Score

8^/10

discovery evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

2468 smss.exe

pid	process
2468	smss.exe

Loads dropped DLL 2 IoCs

Processes:

9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe

pid	process
560	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe
560	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/560-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
C:\Windows\SysWOW64\1230\smss.exe	upx
behavioral1/memory/2468-15-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/560-19-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2468-21-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exesmss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

3020 sc.exe
2824 sc.exe

pid	process
3020	sc.exe
2824	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exesmss.exesc.exesc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exesmss.exe

pid process

560 9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe
2468 smss.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exesmss.exe

description	pid	process	target process
PID 560 wrote to memory of 3020	560	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe	sc.exe
PID 560 wrote to memory of 3020	560	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe	sc.exe
PID 560 wrote to memory of 3020	560	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe	sc.exe
PID 560 wrote to memory of 3020	560	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe	sc.exe
PID 560 wrote to memory of 2468	560	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe	smss.exe
PID 560 wrote to memory of 2468	560	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe	smss.exe
PID 560 wrote to memory of 2468	560	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe	smss.exe
PID 560 wrote to memory of 2468	560	9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe	smss.exe
PID 2468 wrote to memory of 2824	2468	smss.exe	sc.exe
PID 2468 wrote to memory of 2824	2468	smss.exe	sc.exe
PID 2468 wrote to memory of 2824	2468	smss.exe	sc.exe
PID 2468 wrote to memory of 2824	2468	smss.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe
"C:\Users\Admin\AppData\Local\Temp\9ff43958d0c9e1db3be8d08e3932e09bf528cc481fa9bdb5989d8d064a8ad9ec.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3020

C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2824

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1230\smss.exe
Filesize
38KB

MD5
3239f5e764c1e67e74707f5941e8cc08

SHA1
f70d25256ee24044bb93b7898f81ca2f094da053

SHA256
ce3ac0bc94d4cdb1ba4b04e33de9c906d740192ce0cc2dc3f51032b20aac2ed6

SHA512
d005b71c06857547383af0be269730aee4aeee998654292648f1bdd6bb129460bcc500ae11cb85563002baea67668a17b39c6b7fb0556a221befd2af52e95778

Download Submit
memory/560-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/560-14-0x00000000004B0000-0x00000000004D2000-memory.dmp

Filesize
136KB

Download
memory/560-13-0x00000000004B0000-0x00000000004D2000-memory.dmp

Filesize
136KB

Download
memory/560-19-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2468-15-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2468-21-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads