32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6d

General

Target

32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
Size

38KB
MD5

f149768634bc97725c0bcef7b4976f40
SHA1

ad9193c31cbe5114429130b20e2c016ebd93a852
SHA256

32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6d
SHA512

5bead3cbdde9179107e8bc0a58f1ac40bca508d9f13ab0eb58d84729d262324cbe8ef37dc501bb3be7f12193328e6133391f712d7a98a27a3b44a83f33eafab9
SSDEEP

768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cE4:NWQa2TLEmITcoQxfllfmS1c1

Score

8^/10

discovery evasion execution upx

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
2236	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
1864	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
1864	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1864-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x00070000000173c8-4.dat	upx
behavioral1/memory/2236-13-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1864-19-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2236-21-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2136	sc.exe
840	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1864	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
2236	smss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2136	1864	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe	30
PID 1864 wrote to memory of 2136	1864	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe	30
PID 1864 wrote to memory of 2136	1864	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe	30
PID 1864 wrote to memory of 2136	1864	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe	30
PID 1864 wrote to memory of 2236	1864	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe	32
PID 1864 wrote to memory of 2236	1864	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe	32
PID 1864 wrote to memory of 2236	1864	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe	32
PID 1864 wrote to memory of 2236	1864	32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe	32
PID 2236 wrote to memory of 840	2236	smss.exe	33
PID 2236 wrote to memory of 840	2236	smss.exe	33
PID 2236 wrote to memory of 840	2236	smss.exe	33
PID 2236 wrote to memory of 840	2236	smss.exe	33

C:\Users\Admin\AppData\Local\Temp\32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe
"C:\Users\Admin\AppData\Local\Temp\32a08b587f9ca8638ab8e2ccf72c0763bd45a73c9b32d07066cf62a2e94f1b6dN.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\sc.exe
  C:\Windows\system32\sc.exe stop wscsvc
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2136
- C:\Windows\SysWOW64\1230\smss.exe
  C:\Windows\system32\1230\smss.exe -d
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe stop wscsvc
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\1230\smss.exe

Filesize
38KB

MD5
51438c92fa6c3cc78e8965b01a6ffa36

SHA1
b0b25d71cbc23894560266da5b0a1031ca307125

SHA256
00fe186f37ca6cb660a77f26204123a3072a3d4ce69cf519d81600ccb4b273e3

SHA512
d3babac8a69fc35ca7cd8c2f7a76ca586b5996bd8fafe0debc7abdaf19ec512c8faf183a3c3b0d730288fea5097c0c8ac7980392267a30c9fcf81be1bb44a916

Download Submit
memory/1864-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1864-12-0x00000000002B0000-0x00000000002D2000-memory.dmp

Filesize
136KB

Download
memory/1864-11-0x00000000002B0000-0x00000000002D2000-memory.dmp

Filesize
136KB

Download
memory/1864-19-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2236-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2236-21-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing