Analysis
max time kernel
78s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
09/11/2024, 13:35
Behavioral task
behavioral1
Sample
0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
Resource
win7-20241010-en
General
Target
0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
Size
39KB
MD5
6087125b05689d9e72cedd8cf69c1590
SHA1
6a33b75e55eb9c96cc79a62507b7fc1be695c13d
SHA256
0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369
SHA512
8312e8147f50a329c44d9d9e2629238ec7414efddf95218b25ac4dbdacd21a72581dd795a9789fcd927f2e6db790524d70a66c237040d2fc4c1d823732f1badd
SSDEEP
768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOGuF:NWQa2TLEmITcoQxfllfmS1cOp
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid   Process
2744  smss.exe
Loads dropped DLL 2 IoCs
pid   Process
2872  0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
2872  0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
Drops file in System32 directory 3 IoCs
description                   ioc                                Process
File opened for modification  C:\Windows\SysWOW64\1230\smss.exe  0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
File opened for modification  C:\Windows\SysWOW64\1230\smss.exe  smss.exe
File opened for modification  C:\Windows\SysWOW64\Service.exe    smss.exe
YARA rule upx 5 IoCs
resource                                                                    yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x0000000000422000-memory.dmp  upx
behavioral1/files/0x0008000000016d70-4.dat                                  upx
behavioral1/memory/2744-13-0x0000000000400000-0x0000000000422000-memory.dmp upx
behavioral1/memory/2872-19-0x0000000000400000-0x0000000000422000-memory.dmp upx
behavioral1/memory/2744-21-0x0000000000400000-0x0000000000422000-memory.dmp upx
Launches sc.exe 2 IoCs
sc.exe is a Windows utility to control services on the system. Both invocations here are "sc.exe stop wscsvc", i.e. they stop the Windows Security Center service (wscsvc), once from the original sample and once from the dropped smss.exe.
pid   Process
2896  sc.exe
2752  sc.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  smss.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2872  0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
2744  smss.exe
Suspicious use of WriteProcessMemory 12 IoCs
(each row below was reported four times by the sandbox, giving the 12 entries)
description                       pid   Process                                                                 procid_target  times
PID 2872 wrote to memory of 2896  2872  0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe  30             4
PID 2872 wrote to memory of 2744  2872  0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe  32             4
PID 2744 wrote to memory of 2752  2744  smss.exe                                                                33             4
Processes
C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe"
  PID: 2872
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    PID: 2896
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\1230\smss.exe
    Command line: C:\Windows\system32\1230\smss.exe -d
    PID: 2744
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      PID: 2752
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
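The two behaviours the process tree shows, turned into detection logic over constructed process-creation records (Sysmon Event ID 1 style: pid, image path, command line). This is an added example, not code from the sandbox report or from the sample. Assumptions not stated by the report: the list of security services beyond wscsvc, the table of "expected directory" for core binaries, and the record layout; the pids and paths are the ones the tree prints, the two benign rows are constructed controls.

```python
r"""Detection logic for the process tree above (added example, not the
sandbox's or the sample's code).

Rule 1: sc.exe stop/config/delete against a security service (wscsvc, the
        Windows Security Center service, is what the sample stops).
Rule 2: a core Windows binary name (smss.exe) executing from a directory
        other than C:\Windows\System32, as the dropped SysWOW64\1230\smss.exe does.
"""
import ntpath
import shlex
from dataclasses import dataclass
from typing import Optional

# Assumption: services whose stop/config/delete usually means defence evasion.
# wscsvc is the one observed in this report; the others are common additions.
SECURITY_SERVICES = {"wscsvc", "windefend", "mpssvc", "wdnissvc", "sense"}
TAMPER_VERBS = {"stop", "delete", "config"}

# Assumption: core binaries and the only directory each legitimately runs from.
# sc.exe is deliberately absent: a 32-bit parent asking for system32\sc.exe is
# redirected by WOW64 to SysWOW64\sc.exe, exactly as the tree above shows.
EXPECTED_DIR = {"smss.exe": r"c:\windows\system32"}


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def parse_sc(cmdline: str) -> Optional[tuple]:
    r"""Return (verb, service) for a direct sc.exe invocation, otherwise None.

    Skips the optional leading \\server argument that sc accepts.
    """
    tokens = tokenize(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("sc", "sc.exe"):
        return None
    args = tokens[1:]
    if args and args[0].startswith("\\\\"):
        args = args[1:]
    if len(args) < 2:
        return None
    return args[0].lower(), args[1].lower()


def sc_tamper(event: dict) -> Optional[Finding]:
    """Rule 1: sc.exe stop/config/delete against a watched security service."""
    parsed = parse_sc(event["cmdline"])
    if parsed is None:
        return None
    verb, service = parsed
    if verb in TAMPER_VERBS and service in SECURITY_SERVICES:
        return Finding(event["pid"], "sc_security_service_tamper", f"sc {verb} {service}")
    return None


def masquerade(event: dict) -> Optional[Finding]:
    """Rule 2: a core binary name executing outside its expected directory."""
    image = event["image"]
    name = ntpath.basename(image).lower()
    expected = EXPECTED_DIR.get(name)
    if expected is None:
        return None
    actual = ntpath.normpath(ntpath.dirname(image)).lower()
    if actual != expected:
        return Finding(event["pid"], "system_binary_masquerade", f"{name} ran from {actual}")
    return None


def detect(events) -> list:
    """Run every rule over every event, in order, and collect the findings."""
    findings = []
    for event in events:
        for rule in (sc_tamper, masquerade):
            hit = rule(event)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed records copied from the process tree; the last two rows are
# benign controls (the real smss.exe, and a harmless sc query) added for contrast.
SAMPLE = "0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)
SAMPLE_EVENTS = [
    {"pid": 2872, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 2896, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r"C:\Windows\system32\sc.exe stop wscsvc"},
    {"pid": 2744, "image": r"C:\Windows\SysWOW64\1230\smss.exe",
     "cmdline": r"C:\Windows\system32\1230\smss.exe -d"},
    {"pid": 2752, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r"C:\Windows\system32\sc.exe stop wscsvc"},
    {"pid": 400, "image": r"C:\Windows\System32\smss.exe",
     "cmdline": r"\SystemRoot\System32\smss.exe"},
    {"pid": 5000, "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query wscsvc"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

Running it yields three findings: pids 2896 and 2752 for "sc stop wscsvc" and pid 2744 for smss.exe running from c:\windows\syswow64\1230; the real smss.exe and the "sc query" control stay quiet. Two caveats worth keeping in mind: the rule only matches sc.exe when it is the image on the command line, so "cmd.exe /c sc stop wscsvc" needs the parent/child relation rather than this string check, and the path check is restricted to binaries that have one legitimate home, because WOW64 redirection makes SysWOW64 copies of sc.exe and friends perfectly normal.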
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
39KB
MD5
a6c080a7ee452327034346750b5f4cea
SHA1
7a081ee5307d671efefcd6ed16877c134ed8e403
SHA256
988bce3b4913512a60280efdccbc14e85d9df87f1b1ce9809ffe788582c23253
SHA512
229595b4c2cc1b805e91e963778c46922f8538a57b8b7790ca612d36e46ff04b417d80f644e145546fa93b6dc690921c8b1e4dbd2734298eb35dddc31c89cac2