7e10c70d624716adf62ad8b5ae5ba640b33481871ebbfecf3d29122a1b43ce99

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b742a6f0f65da9a3b554128dc5c5bac0N.exe
Size

139KB
MD5

b742a6f0f65da9a3b554128dc5c5bac0
SHA1

f2d4915dd2fadff3a0a5b08d0e05c8ceb4836ede
SHA256

7e10c70d624716adf62ad8b5ae5ba640b33481871ebbfecf3d29122a1b43ce99
SHA512

b6180d2ff53104a7207e2c91bcbeafd37c3cd0455c96ec956e4c3d7a2eaf3ebb13728e44f759849ff5f61efc675b8c121169236651ebd2292f6c66d13f801a78
SSDEEP

1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xP/:r7YubEwYXRWhpAJUHhzm4hUukS6KmecJ

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
8	smss.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	b742a6f0f65da9a3b554128dc5c5bac0N.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2240	sc.exe
1280	sc.exe
4736	sc.exe
4644	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b742a6f0f65da9a3b554128dc5c5bac0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2452	b742a6f0f65da9a3b554128dc5c5bac0N.exe
8	smss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2240	2452	b742a6f0f65da9a3b554128dc5c5bac0N.exe	83
PID 2452 wrote to memory of 2240	2452	b742a6f0f65da9a3b554128dc5c5bac0N.exe	83
PID 2452 wrote to memory of 2240	2452	b742a6f0f65da9a3b554128dc5c5bac0N.exe	83
PID 2452 wrote to memory of 1280	2452	b742a6f0f65da9a3b554128dc5c5bac0N.exe	85
PID 2452 wrote to memory of 1280	2452	b742a6f0f65da9a3b554128dc5c5bac0N.exe	85
PID 2452 wrote to memory of 1280	2452	b742a6f0f65da9a3b554128dc5c5bac0N.exe	85
PID 2452 wrote to memory of 8	2452	b742a6f0f65da9a3b554128dc5c5bac0N.exe	87
PID 2452 wrote to memory of 8	2452	b742a6f0f65da9a3b554128dc5c5bac0N.exe	87
PID 2452 wrote to memory of 8	2452	b742a6f0f65da9a3b554128dc5c5bac0N.exe	87
PID 8 wrote to memory of 4736	8	smss.exe	88
PID 8 wrote to memory of 4736	8	smss.exe	88
PID 8 wrote to memory of 4736	8	smss.exe	88
PID 8 wrote to memory of 4644	8	smss.exe	90
PID 8 wrote to memory of 4644	8	smss.exe	90
PID 8 wrote to memory of 4644	8	smss.exe	90

C:\Users\Admin\AppData\Local\Temp\b742a6f0f65da9a3b554128dc5c5bac0N.exe
"C:\Users\Admin\AppData\Local\Temp\b742a6f0f65da9a3b554128dc5c5bac0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop SharedAccess
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2240
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1280
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop SharedAccess
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4736
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1230\smss.exe

Filesize
139KB

MD5
2e830b99b40a8429662bd74fa36b61cb

SHA1
50d3cd0fe27995c341752cf93bc57e8d4b48ebc4

SHA256
16d855f0cb7652437fe9280b2d54db243d5af238bc98ad91febf9775382b8817

SHA512
a061f28133500eb0a781f9635039d931e189624bfdf4b22abd33125b5f91b92de5554ab8519209578d2f6d160a64768cc90bba979460cf90914f5792475f4e50

Download Submit