Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 22:59
Static task: static1
Behavioral task: behavioral1
Sample: ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
Resource: win7-20240903-en
General
Target: ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
Size: 139KB
MD5: dbe0ffcbe606ee49243b0092d57bf320
SHA1: e349c4e5e2c5f8ad5bea4ac1d1a1e288ec3dee5a
SHA256: ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99b
SHA512: a3908ac45e86f9764e42807d13f972d0ff9d177831f5fd34e534bf82aa2d4fbce72ac8517ad126d0be7e2e7f1d605f15a12593a582ae16d698e3f36458eb7ffd
SSDEEP: 1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPk:r7YubEwYXRWhpAJUHhzm4hUukS6Kmecy
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid   Process
3964  smss.exe
Drops file in System32 directory (3 IoCs)
description                   ioc                                 Process
File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   smss.exe
File opened for modification  C:\Windows\SysWOW64\Service.exe     smss.exe
Launches sc.exe (4 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid   Process
1624  sc.exe
4648  sc.exe
3112  sc.exe
2972  sc.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   smss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sc.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2004  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
3964  smss.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description                       pid   Process                                                                  procid_target
PID 2004 wrote to memory of 1624  2004  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  83
PID 2004 wrote to memory of 1624  2004  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  83
PID 2004 wrote to memory of 1624  2004  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  83
PID 2004 wrote to memory of 4648  2004  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  86
PID 2004 wrote to memory of 4648  2004  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  86
PID 2004 wrote to memory of 4648  2004  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  86
PID 2004 wrote to memory of 3964  2004  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  88
PID 2004 wrote to memory of 3964  2004  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  88
PID 2004 wrote to memory of 3964  2004  ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe  88
PID 3964 wrote to memory of 3112  3964  smss.exe                                                                 89
PID 3964 wrote to memory of 3112  3964  smss.exe                                                                 89
PID 3964 wrote to memory of 3112  3964  smss.exe                                                                 89
PID 3964 wrote to memory of 2972  3964  smss.exe                                                                 91
PID 3964 wrote to memory of 2972  3964  smss.exe                                                                 91
PID 3964 wrote to memory of 2972  3964  smss.exe                                                                 91
Processes
C:\Users\Admin\AppData\Local\Temp\ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ccb6dd3ab068fec6f8716c0cb62d9fed347538995486497c5c2ef088efb0a99bN.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2004

    C:\Windows\SysWOW64\sc.exe
      command line: C:\Windows\system32\sc.exe stop SharedAccess
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID:1624

    C:\Windows\SysWOW64\sc.exe
      command line: C:\Windows\system32\sc.exe stop wscsvc
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID:4648

    C:\Windows\SysWOW64\1230\smss.exe
      command line: C:\Windows\system32\1230\smss.exe -d
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:3964

        C:\Windows\SysWOW64\sc.exe
          command line: C:\Windows\system32\sc.exe stop SharedAccess
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
          PID:3112

        C:\Windows\SysWOW64\sc.exe
          command line: C:\Windows\system32\sc.exe stop wscsvc
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
          PID:2972
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 139KB
MD5: fb5db98f18a508f68a640174ac549319
SHA1: 2209a54c21af3150f468e51a4f7c93b8ba8ee167
SHA256: 097b33faba2c4d87f346a99d21e0232fd737dedebfe5691500b620962dfa8d63
SHA512: caf5814caa9c92b116bf0c5da7409375e69e2ccd3ff09029cae98cb3a50760167fbd1d9c35c222b9b4b733c2da9acfb92713ee41f508189dc3bddd4b02646df6