Analysis

  • max time kernel
    97s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/08/2024, 08:37 UTC

General

  • Target

    6ed170485ca598ccc31781416a315710N.exe

  • Size

    143KB

  • MD5

    6ed170485ca598ccc31781416a315710

  • SHA1

    30a23edde75f13b2ed791631ff52d6e2d2bdcf5a

  • SHA256

    6728579691845cd78ae57de1680e291fc58a46d88cfc40563755b92562b154b3

  • SHA512

    aa06fe153905a90784b1bf07c1eb19bf0f9360bbeaa19309b81a663769dedeff83590a93bd6003520d90d9fe8cb61e07d92712e7a4f37b62a3716e5188ce510c

  • SSDEEP

    3072:3LVoDvPd+A4WhkhXDl+i1lApwH08TdTIIIIIIIIIIIIIIIIIIfIIIIyIIIITIIIe:ZopGGgbiwU8JC

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies system executable filetype association 2 TTPs 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 62 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 44 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ed170485ca598ccc31781416a315710N.exe
    "C:\Users\Admin\AppData\Local\Temp\6ed170485ca598ccc31781416a315710N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SMSScl.exe
      "C:\Windows\SMSScl.exe" -xInstallOurNiceServicesYes
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2852
  • C:\Windows\SMSScl.exe
    C:\Windows\SMSScl.exe -xStartOurNiceServicesYes
    1⤵
    • Modifies WinLogon for persistence
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SMSScl.exe

    Filesize

    143KB

    MD5

    6ed170485ca598ccc31781416a315710

    SHA1

    30a23edde75f13b2ed791631ff52d6e2d2bdcf5a

    SHA256

    6728579691845cd78ae57de1680e291fc58a46d88cfc40563755b92562b154b3

    SHA512

    aa06fe153905a90784b1bf07c1eb19bf0f9360bbeaa19309b81a663769dedeff83590a93bd6003520d90d9fe8cb61e07d92712e7a4f37b62a3716e5188ce510c

  • C:\Windows\Temp\evmYIVPs.FqP\message.htm

    Filesize

    197KB

    MD5

    4ff73f8120f8e5d78cc5a075d6a55ad1

    SHA1

    8f4f173fcad198bba5870c1bb98a0a81e89a8c39

    SHA256

    ee17c1d219fe30aca4d310ef38560210670c3dae4591a9780fb5e5cffc91cbb0

    SHA512

    993b6d75a34c82baba7ee06b6fa97e43f28f2a6d80945dcfd9df5410ef7fa8ca948cf587f15396226e31eb0f74b88cad3a9c19975acd295d03f4988e21215e69

  • C:\Windows\message.dat

    Filesize

    196KB

    MD5

    2d474bca2fc964de26736039d1cca15b

    SHA1

    73f7f9eb1a05e9a3fd01a4cf176eee780ca7b179

    SHA256

    8cea1ec7b5fe2c875b74f7088ae59079db2781cd14e4822842825e16b29547e0

    SHA512

    fe3e0987edd55d68b0203c9f11d7b0a2e5ef3ecd1ddacdc0bce186e287fc21ff75c5404c0a71083b87fe92bf6de97d8c957f4792d35105d8490fcdf6fc3b8ff3
