Analysis
Max time kernel: 15s
Max time network: 21s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 25/08/2024, 09:35
Static task: static1
Behavioral task: behavioral1
Sample: 295299302ec143fc2fe88953f8d18f50N.exe
Resource: win7-20240704-en
General
Target: 295299302ec143fc2fe88953f8d18f50N.exe
Size: 138KB
MD5: 295299302ec143fc2fe88953f8d18f50
SHA1: a9109560d19576b54f3b91ef3a14dbcf140b9308
SHA256: fa388a99f5a0f3e29032a08e856a64fca0948ee0e9c7af6f99f47cd547aa7a88
SHA512: 8c5d17dda092f6db3e2def15d33ad9be7f138fdbb43f0d53d070f56f67c65722de61669357763620edf6eabc83e9870c19fd03b30d7a19d01979c1871226008a
SSDEEP: 3072:r7YubEwYXRWhpAJUHhzm4hUukS6KmecVW:oubkXRWhpAuhzm4hLkS6KmNW
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2316  smss.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1864  295299302ec143fc2fe88953f8d18f50N.exe
  1864  295299302ec143fc2fe88953f8d18f50N.exe
- Drops file in System32 directory (3 IoCs)
  description                    ioc                                   Process
  File opened for modification   C:\Windows\SysWOW64\1230\smss.exe     295299302ec143fc2fe88953f8d18f50N.exe
  File opened for modification   C:\Windows\SysWOW64\1230\smss.exe     smss.exe
  File opened for modification   C:\Windows\SysWOW64\Service.exe       smss.exe
- Launches sc.exe (4 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid   Process
  3060  sc.exe
  572   sc.exe
  2288  sc.exe
  3028  sc.exe
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                              Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      sc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      295299302ec143fc2fe88953f8d18f50N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      sc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      smss.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      sc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      sc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1864  295299302ec143fc2fe88953f8d18f50N.exe
  2316  smss.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process                                procid_target
  PID 1864 wrote to memory of 572   1864  295299302ec143fc2fe88953f8d18f50N.exe  31
  PID 1864 wrote to memory of 572   1864  295299302ec143fc2fe88953f8d18f50N.exe  31
  PID 1864 wrote to memory of 572   1864  295299302ec143fc2fe88953f8d18f50N.exe  31
  PID 1864 wrote to memory of 572   1864  295299302ec143fc2fe88953f8d18f50N.exe  31
  PID 1864 wrote to memory of 2288  1864  295299302ec143fc2fe88953f8d18f50N.exe  33
  PID 1864 wrote to memory of 2288  1864  295299302ec143fc2fe88953f8d18f50N.exe  33
  PID 1864 wrote to memory of 2288  1864  295299302ec143fc2fe88953f8d18f50N.exe  33
  PID 1864 wrote to memory of 2288  1864  295299302ec143fc2fe88953f8d18f50N.exe  33
  PID 1864 wrote to memory of 2316  1864  295299302ec143fc2fe88953f8d18f50N.exe  35
  PID 1864 wrote to memory of 2316  1864  295299302ec143fc2fe88953f8d18f50N.exe  35
  PID 1864 wrote to memory of 2316  1864  295299302ec143fc2fe88953f8d18f50N.exe  35
  PID 1864 wrote to memory of 2316  1864  295299302ec143fc2fe88953f8d18f50N.exe  35
  PID 2316 wrote to memory of 3028  2316  smss.exe                               36
  PID 2316 wrote to memory of 3028  2316  smss.exe                               36
  PID 2316 wrote to memory of 3028  2316  smss.exe                               36
  PID 2316 wrote to memory of 3028  2316  smss.exe                               36
  PID 2316 wrote to memory of 3060  2316  smss.exe                               38
  PID 2316 wrote to memory of 3060  2316  smss.exe                               38
  PID 2316 wrote to memory of 3060  2316  smss.exe                               38
  PID 2316 wrote to memory of 3060  2316  smss.exe                               38
Processes
- C:\Users\Admin\AppData\Local\Temp\295299302ec143fc2fe88953f8d18f50N.exe (PID: 1864, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\295299302ec143fc2fe88953f8d18f50N.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sc.exe (PID: 572, depth 2)
    Command line: C:\Windows\system32\sc.exe stop SharedAccess
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\sc.exe (PID: 2288, depth 2)
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\1230\smss.exe (PID: 2316, depth 2)
    Command line: C:\Windows\system32\1230\smss.exe -d
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID: 3028, depth 3)
      Command line: C:\Windows\system32\sc.exe stop SharedAccess
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\sc.exe (PID: 3060, depth 3)
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 138KB
  MD5: 886cccf7e9cca0f84e8e81e5f8ced78b
  SHA1: 10a3521729b49b856ca7406e4cd3acb70c8eedc7
  SHA256: 4f79092eeabc02553bec6b1fbc46a0a7202df301b92b715b109c175c78296b95
  SHA512: 5f27a5c7ec7b02da0a9b454a6b1b0345b304623cf0c41ed6acbb85a5b2fce9878c927aebc8b5faf45793eb40299c38a72fabc80cfafcc105f2337dfe0d70d6ee