2de55f60d3815a84a49ca77e377539cb2c13d23be6a873b5d3897f60c5e81e5b

Analysis

max time kernel
102s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f61a96c699b217ecd4f8aad6fec54e10N.exe
Size

139KB
MD5

f61a96c699b217ecd4f8aad6fec54e10
SHA1

0978f4becfdc96fa331fbe04ecf851f3bdb5f85a
SHA256

2de55f60d3815a84a49ca77e377539cb2c13d23be6a873b5d3897f60c5e81e5b
SHA512

6de0a1ddac15591dadc2b1c2ea1d7240ea9709244d4951004916697aeb32ca49db9a47b14447c39afa1444c23d0032b5d64efcb90dc819fdb9be60455a0c90f5
SSDEEP

1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPT:r7YubEwYXRWhpAJUHhzm4hUukS6Kmecl

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
4396	smss.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	f61a96c699b217ecd4f8aad6fec54e10N.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4552	sc.exe
5084	sc.exe
4544	sc.exe
2104	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f61a96c699b217ecd4f8aad6fec54e10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2976	f61a96c699b217ecd4f8aad6fec54e10N.exe
4396	smss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 4544	2976	f61a96c699b217ecd4f8aad6fec54e10N.exe	84
PID 2976 wrote to memory of 4544	2976	f61a96c699b217ecd4f8aad6fec54e10N.exe	84
PID 2976 wrote to memory of 4544	2976	f61a96c699b217ecd4f8aad6fec54e10N.exe	84
PID 2976 wrote to memory of 2104	2976	f61a96c699b217ecd4f8aad6fec54e10N.exe	86
PID 2976 wrote to memory of 2104	2976	f61a96c699b217ecd4f8aad6fec54e10N.exe	86
PID 2976 wrote to memory of 2104	2976	f61a96c699b217ecd4f8aad6fec54e10N.exe	86
PID 2976 wrote to memory of 4396	2976	f61a96c699b217ecd4f8aad6fec54e10N.exe	88
PID 2976 wrote to memory of 4396	2976	f61a96c699b217ecd4f8aad6fec54e10N.exe	88
PID 2976 wrote to memory of 4396	2976	f61a96c699b217ecd4f8aad6fec54e10N.exe	88
PID 4396 wrote to memory of 4552	4396	smss.exe	89
PID 4396 wrote to memory of 4552	4396	smss.exe	89
PID 4396 wrote to memory of 4552	4396	smss.exe	89
PID 4396 wrote to memory of 5084	4396	smss.exe	91
PID 4396 wrote to memory of 5084	4396	smss.exe	91
PID 4396 wrote to memory of 5084	4396	smss.exe	91

C:\Users\Admin\AppData\Local\Temp\f61a96c699b217ecd4f8aad6fec54e10N.exe
"C:\Users\Admin\AppData\Local\Temp\f61a96c699b217ecd4f8aad6fec54e10N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop SharedAccess
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4544
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop SharedAccess
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4552
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1230\smss.exe

Filesize
139KB

MD5
7034062911dfa2941a54a937ee783550

SHA1
ab58474a0c4af0e5b33468658d025b075f66be11

SHA256
8e60c619974a3f6e99d63996d7a5cf135e77c959213ebe182fbe943f5053de96

SHA512
4b17c981f6317fdea7abdf1f5a3d0b671c018ab7e421c86454e7a72cc367bc46ea00edf7c0d308b12a63442d838c973516d65cc4abeb5b8694d03cc954982985

Download Submit