7abb0766d6e3f8f2b986759ecef264945cf2f16dc07597ab52974876917ea959

General

Target

3bd7c50c46d41b763a3dfe154866b4b0N.exe
Size

38KB
MD5

3bd7c50c46d41b763a3dfe154866b4b0
SHA1

6034dee7c16925e86738e1323fcadc6ca083b9d2
SHA256

7abb0766d6e3f8f2b986759ecef264945cf2f16dc07597ab52974876917ea959
SHA512

242f38c9213c5bd94ce82cfc542ef5500c7aadfe1cd5e58b2e37aa0a979b91cce36c61fb0a7005b1e656a22bf44d1fbb3e6b02af0524757a6c0b13ff49a1463d
SSDEEP

768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cONhn:NWQa2TLEmITcoQxfllfmS1cODn

Score

8^/10

discovery evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
1628	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2476	3bd7c50c46d41b763a3dfe154866b4b0N.exe
2476	3bd7c50c46d41b763a3dfe154866b4b0N.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x00050000000186b7-4.dat	upx
behavioral1/memory/1628-12-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1628-20-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2476-18-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	3bd7c50c46d41b763a3dfe154866b4b0N.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1932	sc.exe
2092	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bd7c50c46d41b763a3dfe154866b4b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2476	3bd7c50c46d41b763a3dfe154866b4b0N.exe
1628	smss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1932	2476	3bd7c50c46d41b763a3dfe154866b4b0N.exe	31
PID 2476 wrote to memory of 1932	2476	3bd7c50c46d41b763a3dfe154866b4b0N.exe	31
PID 2476 wrote to memory of 1932	2476	3bd7c50c46d41b763a3dfe154866b4b0N.exe	31
PID 2476 wrote to memory of 1932	2476	3bd7c50c46d41b763a3dfe154866b4b0N.exe	31
PID 2476 wrote to memory of 1628	2476	3bd7c50c46d41b763a3dfe154866b4b0N.exe	33
PID 2476 wrote to memory of 1628	2476	3bd7c50c46d41b763a3dfe154866b4b0N.exe	33
PID 2476 wrote to memory of 1628	2476	3bd7c50c46d41b763a3dfe154866b4b0N.exe	33
PID 2476 wrote to memory of 1628	2476	3bd7c50c46d41b763a3dfe154866b4b0N.exe	33
PID 1628 wrote to memory of 2092	1628	smss.exe	34
PID 1628 wrote to memory of 2092	1628	smss.exe	34
PID 1628 wrote to memory of 2092	1628	smss.exe	34
PID 1628 wrote to memory of 2092	1628	smss.exe	34

C:\Users\Admin\AppData\Local\Temp\3bd7c50c46d41b763a3dfe154866b4b0N.exe
"C:\Users\Admin\AppData\Local\Temp\3bd7c50c46d41b763a3dfe154866b4b0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\1230\smss.exe

Filesize
38KB

MD5
85abd6173a415802f22d7a2c2a4c32d5

SHA1
ad9cc0832987d083f59be28b7da044a425dec722

SHA256
7875085c8dc70711d3afe2e823492b65d82cefa1ff5abef5868c2352c1e557f0

SHA512
bb30f4d71cfdae1a125296d3f57be6f0d534a73e428d52dbc0805a5e787c66c9aabdc04c0f4eca4a751f153f1372ec67308d88ab2f02f5704a6452b6888f9953

Download Submit
memory/1628-12-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1628-20-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2476-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2476-10-0x00000000004C0000-0x00000000004E2000-memory.dmp

Filesize
136KB

Download
memory/2476-18-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing