826b3c31fa4fbabff4b855581f10967609d14f2884c9bb01e5f3e9109f508202

General

Target

b74d45be6e6989c94a1a1c88c9a02810N.exe
Size

38KB
MD5

b74d45be6e6989c94a1a1c88c9a02810
SHA1

9330c6720b0baa107e11fc9d8905c8ea23fc794d
SHA256

826b3c31fa4fbabff4b855581f10967609d14f2884c9bb01e5f3e9109f508202
SHA512

0b306961bd485c41eb1003028198ed901df3375126b5cb5ede66dad78dbd5db6eb2a42fb24a5d19f812d174e8184ad4704cf09876a983761c7a2bbbb856abd78
SSDEEP

768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOGa:NWQa2TLEmITcoQxfllfmS1cOv

Score

8^/10

discovery evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
1788	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2408	b74d45be6e6989c94a1a1c88c9a02810N.exe
2408	b74d45be6e6989c94a1a1c88c9a02810N.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-1-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x0008000000016c03-4.dat	upx
behavioral1/memory/2408-18-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1788-20-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2408-11-0x0000000000280000-0x00000000002A2000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	b74d45be6e6989c94a1a1c88c9a02810N.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2276	sc.exe
876	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b74d45be6e6989c94a1a1c88c9a02810N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2408	b74d45be6e6989c94a1a1c88c9a02810N.exe
1788	smss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 876	2408	b74d45be6e6989c94a1a1c88c9a02810N.exe	28
PID 2408 wrote to memory of 876	2408	b74d45be6e6989c94a1a1c88c9a02810N.exe	28
PID 2408 wrote to memory of 876	2408	b74d45be6e6989c94a1a1c88c9a02810N.exe	28
PID 2408 wrote to memory of 876	2408	b74d45be6e6989c94a1a1c88c9a02810N.exe	28
PID 2408 wrote to memory of 1788	2408	b74d45be6e6989c94a1a1c88c9a02810N.exe	30
PID 2408 wrote to memory of 1788	2408	b74d45be6e6989c94a1a1c88c9a02810N.exe	30
PID 2408 wrote to memory of 1788	2408	b74d45be6e6989c94a1a1c88c9a02810N.exe	30
PID 2408 wrote to memory of 1788	2408	b74d45be6e6989c94a1a1c88c9a02810N.exe	30
PID 1788 wrote to memory of 2276	1788	smss.exe	31
PID 1788 wrote to memory of 2276	1788	smss.exe	31
PID 1788 wrote to memory of 2276	1788	smss.exe	31
PID 1788 wrote to memory of 2276	1788	smss.exe	31

C:\Users\Admin\AppData\Local\Temp\b74d45be6e6989c94a1a1c88c9a02810N.exe
"C:\Users\Admin\AppData\Local\Temp\b74d45be6e6989c94a1a1c88c9a02810N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:876
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\1230\smss.exe

Filesize
38KB

MD5
c5716b3b55cb090db6b04dd78179f650

SHA1
f7318086c66cc0ac10599b2511cbecfb5f8b0ddb

SHA256
448fa22bff912ef378eabeca00f0e490793dd8b39dc6f4284faa0e799ecef536

SHA512
7563c1a4deeabb33c3705acfaa41ae770a93cfcd10b60c20439396851ddebc3aa62c4bcc7d74e70ff9052e180ea3b9ef670613b31e16f7092606b23cb4659ad9

Download Submit
memory/1788-20-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2408-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2408-12-0x0000000000280000-0x00000000002A2000-memory.dmp

Filesize
136KB

Download
memory/2408-18-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2408-11-0x0000000000280000-0x00000000002A2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing