Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 22:59

Static task: static1
Behavioral task: behavioral1
Sample: ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
Resource: win7-20240903-en

General

Target: ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
Size: 139KB
MD5: dbe0ffcbe606ee49243b0092d57bf320
SHA1: e349c4e5e2c5f8ad5bea4ac1d1a1e288ec3dee5a
SHA256: ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99b
SHA512: a3908ac45e86f9764e42807d13f972d0ff9d177831f5fd34e534bf82aa2d4fbce72ac8517ad126d0be7e2e7f1d605f15a12593a582ae16d698e3f36458eb7ffd
SSDEEP: 1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPk:r7YubEwYXRWhpAJUHhzm4hUukS6Kmecy
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID   Process
  2220  smss.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
  2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe

Drops file in System32 directory (3 IoCs)
  Description                   IoC                                 Process
  File opened for modification  C:\Windows\SysWOW64\Service.exe     smss.exe
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   smss.exe

Launches sc.exe (4 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PID   Process
  2360  sc.exe
  2512  sc.exe
  2900  sc.exe
  2696  sc.exe

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  smss.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
  2220  smss.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  Description                        PID   Process                                                                  Target procid
  PID 2168 wrote to memory of 2360   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  30
  PID 2168 wrote to memory of 2360   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  30
  PID 2168 wrote to memory of 2360   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  30
  PID 2168 wrote to memory of 2360   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  30
  PID 2168 wrote to memory of 2512   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  31
  PID 2168 wrote to memory of 2512   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  31
  PID 2168 wrote to memory of 2512   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  31
  PID 2168 wrote to memory of 2512   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  31
  PID 2168 wrote to memory of 2220   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  34
  PID 2168 wrote to memory of 2220   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  34
  PID 2168 wrote to memory of 2220   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  34
  PID 2168 wrote to memory of 2220   2168  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  34
  PID 2220 wrote to memory of 2900   2220  smss.exe                                                                 35
  PID 2220 wrote to memory of 2900   2220  smss.exe                                                                 35
  PID 2220 wrote to memory of 2900   2220  smss.exe                                                                 35
  PID 2220 wrote to memory of 2900   2220  smss.exe                                                                 35
  PID 2220 wrote to memory of 2696   2220  smss.exe                                                                 37
  PID 2220 wrote to memory of 2696   2220  smss.exe                                                                 37
  PID 2220 wrote to memory of 2696   2220  smss.exe                                                                 37
  PID 2220 wrote to memory of 2696   2220  smss.exe                                                                 37
Processes

Process tree (indentation shows parent/child). The sample is 32-bit (resource tag arch:x86), so its references to C:\Windows\system32\ are redirected by WoW64 file system redirection to C:\Windows\SysWOW64\, which is why the image paths below differ from the command lines.

C:\Users\Admin\AppData\Local\Temp\ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe"
  PID: 2168
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sc.exe
    Command line: C:\Windows\system32\sc.exe stop SharedAccess
    PID: 2360
    - Launches sc.exe
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    PID: 2512
    - Launches sc.exe
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\1230\smss.exe
    Command line: C:\Windows\system32\1230\smss.exe -d
    PID: 2220
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop SharedAccess
      PID: 2900
      - Launches sc.exe
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      PID: 2696
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
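The two behaviours worth alerting on in this report are the sc.exe calls that stop SharedAccess (the service hosting the Windows Firewall / Internet Connection Sharing on Windows 7) and wscsvc (Security Center), and the dropped smss.exe executing from C:\Windows\SysWOW64\1230\ rather than the canonical C:\Windows\System32\smss.exe. The following is an added example of detection logic for both, written for this page and not part of the sandbox report or any product. It runs over constructed process-creation events that mirror the process tree above; the pipe-delimited log format, the parent PID 1000 for the sample, and the two benign control rows are assumptions made for the example.

```python
"""Detection logic for the behaviour in this sandbox report: sc.exe stopping
security services and a dropped smss.exe running from a non-canonical path.

Added example, not part of the sandbox report. Event lines are constructed
to mirror the report's process tree; the pid|ppid|image|cmdline format is
made up for this example and is not a Sysmon or EDR schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_NAME = "ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME

# Constructed process-creation events: pid|ppid|image|command line.
# Parent PID 1000 for the sample is an assumption (the report does not show it).
SAMPLE_LOG = "\n".join([
    f'2168|1000|{SAMPLE_PATH}|"{SAMPLE_PATH}"',
    r"2360|2168|C:\Windows\SysWOW64\sc.exe|C:\Windows\system32\sc.exe stop SharedAccess",
    r"2512|2168|C:\Windows\SysWOW64\sc.exe|C:\Windows\system32\sc.exe stop wscsvc",
    r"2220|2168|C:\Windows\SysWOW64\1230\smss.exe|C:\Windows\system32\1230\smss.exe -d",
    r"2900|2220|C:\Windows\SysWOW64\sc.exe|C:\Windows\system32\sc.exe stop SharedAccess",
    r"2696|2220|C:\Windows\SysWOW64\sc.exe|C:\Windows\system32\sc.exe stop wscsvc",
    # Benign control rows (constructed): the real Session Manager started by
    # the kernel (PID 4) and an unrelated sc.exe query that must not alert.
    r"300|4|C:\Windows\System32\smss.exe|\SystemRoot\System32\smss.exe",
    r"4100|3900|C:\Windows\System32\sc.exe|sc.exe query wuauserv",
])


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_events(text: str) -> List[ProcEvent]:
    """Parse the constructed pid|ppid|image|cmdline lines into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# The two services the report shows being stopped. Extend with other
# security services (Defender, EDR agents) in a real deployment.
SECURITY_SERVICES = {"sharedaccess", "wscsvc"}

# 'stop' is what the report shows; 'delete' is included as the obvious
# sibling an attacker uses for the same effect.
_SC_VERB = re.compile(r"\b(?:stop|delete)\s+(\S+)", re.IGNORECASE)


def find_service_stops(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, service) for every sc.exe that stops/deletes a watched service."""
    hits = []
    for ev in events:
        if basename(ev.image) != "sc.exe":
            continue
        m = _SC_VERB.search(ev.cmdline)
        if m and m.group(1).lower() in SECURITY_SERVICES:
            hits.append((ev.pid, m.group(1)))
    return hits


CANONICAL_SMSS = r"c:\windows\system32\smss.exe"


def find_masquerading_smss(events: List[ProcEvent]) -> List[int]:
    """PIDs of any smss.exe not running from its canonical System32 path."""
    return [ev.pid for ev in events
            if basename(ev.image) == "smss.exe" and ev.image.lower() != CANONICAL_SMSS]


def parent_chain(events: List[ProcEvent], pid: int) -> List[int]:
    """Walk pid -> ppid while the parent is present in the event set."""
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def triage(text: str) -> Dict[str, object]:
    """Combine both detections and attribute every hit to its root process."""
    events = parse_events(text)
    stops = find_service_stops(events)
    fake_smss = find_masquerading_smss(events)
    roots = sorted({parent_chain(events, pid)[-1] for pid, _ in stops}
                   | {parent_chain(events, pid)[-1] for pid in fake_smss})
    return {"service_stops": stops, "masquerading_smss": fake_smss, "root_pids": roots}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Walking the parent chain matters here because the service stops are issued twice, once by the sample and once by the dropped smss.exe; attributing all four sc.exe hits and the masquerading smss.exe back to a single root PID (2168) is what turns five alerts into one incident.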
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 139KB
MD5: e27ad002701b1e6283b6bb434940f7b2
SHA1: 5a18385185b89838c041a6df8a7264bfaed0f292
SHA256: 2e6ea3ea6538a5a19b70f8a19962f316a77952336989287ab826b462a6062681
SHA512: a7c50e4488e59b1f4c3edbc73114ce557d21bccfdd1762914cbe855d7714e906ede2f7854dd90a6b55f298b4ba02bba5d67ae1c7f0ba29aa915f77ac705486e4