4df1202ec465fcaed47609c3b8de8bf123f04782829b08d06ccc2007be73bd3f

General

Target

f787ee064ef7bde38f4a64b4f61a0240N.exe
Size

38KB
MD5

f787ee064ef7bde38f4a64b4f61a0240
SHA1

9cfdd7b8ac467b687ca8b28a5125b41dd46a3f7f
SHA256

4df1202ec465fcaed47609c3b8de8bf123f04782829b08d06ccc2007be73bd3f
SHA512

9c1751f760b6ff1932080cc423029db1ce70302e86ba133e13c99ba70aff3d5fb3a8e84c66afa2f665e0eba5aca9faa309958ed4be2b2efb911224693ccbe567
SSDEEP

768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cONg:NWQa2TLEmITcoQxfllfmS1cOm

Score

8^/10

discovery evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
1880	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
904	f787ee064ef7bde38f4a64b4f61a0240N.exe
904	f787ee064ef7bde38f4a64b4f61a0240N.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/904-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x00060000000194d4-4.dat	upx
behavioral1/memory/1880-19-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/904-21-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1880-13-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	f787ee064ef7bde38f4a64b4f61a0240N.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3056	sc.exe
2704	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f787ee064ef7bde38f4a64b4f61a0240N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
904	f787ee064ef7bde38f4a64b4f61a0240N.exe
1880	smss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 3056	904	f787ee064ef7bde38f4a64b4f61a0240N.exe	30
PID 904 wrote to memory of 3056	904	f787ee064ef7bde38f4a64b4f61a0240N.exe	30
PID 904 wrote to memory of 3056	904	f787ee064ef7bde38f4a64b4f61a0240N.exe	30
PID 904 wrote to memory of 3056	904	f787ee064ef7bde38f4a64b4f61a0240N.exe	30
PID 904 wrote to memory of 1880	904	f787ee064ef7bde38f4a64b4f61a0240N.exe	32
PID 904 wrote to memory of 1880	904	f787ee064ef7bde38f4a64b4f61a0240N.exe	32
PID 904 wrote to memory of 1880	904	f787ee064ef7bde38f4a64b4f61a0240N.exe	32
PID 904 wrote to memory of 1880	904	f787ee064ef7bde38f4a64b4f61a0240N.exe	32
PID 1880 wrote to memory of 2704	1880	smss.exe	33
PID 1880 wrote to memory of 2704	1880	smss.exe	33
PID 1880 wrote to memory of 2704	1880	smss.exe	33
PID 1880 wrote to memory of 2704	1880	smss.exe	33

C:\Users\Admin\AppData\Local\Temp\f787ee064ef7bde38f4a64b4f61a0240N.exe
"C:\Users\Admin\AppData\Local\Temp\f787ee064ef7bde38f4a64b4f61a0240N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\1230\smss.exe

Filesize
38KB

MD5
64843e8b2c8a8a71c4d13778e061d4fa

SHA1
cb5c75418f71b321547ab60ccaaca214c0256cbf

SHA256
ea991a08f551c1110ccdc7ba0b1f023d67a1b3f6163b3f22da6d7ded617c6b5f

SHA512
2e953285192917488f66a4eb45ecf31eb5c0bae7dce0fc8ba1f48b7ed5a6e19975792dc061ea76ab423a54cd6927b143781faebc84982f2d366da1d5ece85983

Download Submit
memory/904-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/904-21-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/904-12-0x00000000002F0000-0x0000000000312000-memory.dmp

Filesize
136KB

Download
memory/904-11-0x00000000002F0000-0x0000000000312000-memory.dmp

Filesize
136KB

Download
memory/1880-19-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1880-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing