Analysis
max time kernel: 93s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 13:35
Behavioral task: behavioral1
Sample: 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
Resource: win7-20241010-en
General
Target: 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
Size: 39KB
MD5: 6087125b05689d9e72cedd8cf69c1590
SHA1: 6a33b75e55eb9c96cc79a62507b7fc1be695c13d
SHA256: 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369
SHA512: 8312e8147f50a329c44d9d9e2629238ec7414efddf95218b25ac4dbdacd21a72581dd795a9789fcd927f2e6db790524d70a66c237040d2fc4c1d823732f1badd
SSDEEP: 768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOGuF:NWQa2TLEmITcoQxfllfmS1cOp
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid  | Process
5004 | smss.exe
Drops file in System32 directory (3 IoCs)
description                  | ioc                               | Process
File opened for modification | C:\Windows\SysWOW64\Service.exe   | smss.exe
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | smss.exe
resource                                                                    | yara_rule
behavioral2/memory/2612-0-0x0000000000400000-0x0000000000422000-memory.dmp  | upx
behavioral2/files/0x000a000000023b9a-5.dat                                  | upx
behavioral2/memory/5004-7-0x0000000000400000-0x0000000000422000-memory.dmp  | upx
behavioral2/memory/5004-14-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral2/memory/2612-13-0x0000000000400000-0x0000000000422000-memory.dmp | upx
Launches sc.exe (2 IoCs)
sc.exe is the built-in Windows utility for controlling services on the system. Both invocations here run `sc.exe stop wscsvc`, i.e. they stop the Windows Security Center service (wscsvc), a common defence-evasion step.
pid  | Process
4804 | sc.exe
2860 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc                                                        | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid  | Process
2612 | 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
5004 | smss.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description                      | pid  | Process                                                                | procid_target
PID 2612 wrote to memory of 4804 | 2612 | 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | 83
PID 2612 wrote to memory of 4804 | 2612 | 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | 83
PID 2612 wrote to memory of 4804 | 2612 | 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | 83
PID 2612 wrote to memory of 5004 | 2612 | 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | 85
PID 2612 wrote to memory of 5004 | 2612 | 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | 85
PID 2612 wrote to memory of 5004 | 2612 | 0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe | 85
PID 5004 wrote to memory of 2860 | 5004 | smss.exe                                                               | 86
PID 5004 wrote to memory of 2860 | 5004 | smss.exe                                                               | 86
PID 5004 wrote to memory of 2860 | 5004 | smss.exe                                                               | 86
Processes
Image: C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2612
    Image: C:\Windows\SysWOW64\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID: 4804
    Image: C:\Windows\SysWOW64\1230\smss.exe
    Command line: C:\Windows\system32\1230\smss.exe -d
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 5004
        Image: C:\Windows\SysWOW64\sc.exe
        Command line: C:\Windows\system32\sc.exe stop wscsvc
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
        PID: 2860
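The process tree above shows two behaviours worth turning into detections: sc.exe stopping the Security Center service (wscsvc) from a user-land parent, and a dropped binary masquerading as smss.exe under C:\Windows\SysWOW64\1230\. Note that the command lines say system32 while the resolved image paths say SysWOW64: the sample is 32-bit, so the WOW64 file system redirector maps System32 to SysWOW64 for it, and any path rule must look at the resolved image path rather than the command line. The following is an added example, not part of the sandbox report: two rules in Python applied to constructed Sysmon Event ID 1 style process-creation records. The records are built from this report's tree, plus an assumed explorer.exe parent (PID 3100, which the report does not show) and two constructed benign decoys; the list of protected services beyond wscsvc and the list of core system binaries are my assumptions.

```python
"""
Added example, not part of the sandbox report: detection rules for the two
behaviours in the report's process tree, run over constructed Sysmon
Event ID 1 style records (Image, CommandLine, ProcessId, ParentProcessId,
ParentImage). Records are constructed from the report plus benign decoys.
"""
import re
import shlex
from typing import Callable, Dict, List, Optional

# Services whose stop/disable from user-land is a defence-evasion signal.
# wscsvc (Windows Security Center) is the one the sample stops; the others
# are assumptions added so the rule covers the usual targets.
PROTECTED_SERVICES = {"wscsvc", "windefend", "mpssvc", "wuauserv", "sense"}

# Core system processes that only legitimately run from C:\Windows\System32
# (assumed list).
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe"}

SC_VERBS = {"stop", "delete"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_sc_stops_security_service(ev: dict) -> Optional[str]:
    """sc.exe (either bitness) told to stop, delete or disable a protected service."""
    if _basename(ev["Image"]) != "sc.exe":
        return None
    argv = [a.lower() for a in shlex.split(ev["CommandLine"], posix=False)]
    # Shape seen in the report: sc.exe stop <service>
    for verb, svc in zip(argv, argv[1:]):
        if verb in SC_VERBS and svc in PROTECTED_SERVICES:
            return f"sc.exe {verb} {svc} (parent: {_basename(ev['ParentImage'])})"
    # Variant not in the report: sc.exe config <service> start= disabled
    if "config" in argv and "disabled" in argv:
        for svc in argv:
            if svc in PROTECTED_SERVICES:
                return f"sc.exe config {svc} disabled (parent: {_basename(ev['ParentImage'])})"
    return None


def rule_core_binary_outside_system32(ev: dict) -> Optional[str]:
    """A process named like a core system binary whose resolved image path is
    not C:\\Windows\\System32\\<name>. The image path is used, not the command
    line, because WOW64 redirection rewrites system32 to SysWOW64 for 32-bit
    processes (as in this report)."""
    name = _basename(ev["Image"])
    if name not in CORE_SYSTEM_BINARIES:
        return None
    if re.fullmatch(rf"[a-z]:\\windows\\system32\\{re.escape(name)}", ev["Image"].lower()):
        return None
    return f"{name} running from {ev['Image']}"


RULES: List[Callable[[dict], Optional[str]]] = [
    rule_sc_stops_security_service,
    rule_core_binary_outside_system32,
]


def scan(events: List[dict]) -> Dict[int, List[str]]:
    """Return {pid: [findings]} for every record that trips at least one rule."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = [h for h in (rule(ev) for rule in RULES) if h]
        if hits:
            findings[ev["ProcessId"]] = hits
    return findings


def attribute_to_root(events: List[dict], findings: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Follow ParentProcessId links and pin every finding on the top-most
    ancestor present in the records, so the dropper (PID 2612 here) is
    credited with what its children and grandchildren do."""
    parent = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events}

    def root(pid: int) -> int:
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    by_root: Dict[int, List[str]] = {}
    for pid, hits in findings.items():
        by_root.setdefault(root(pid), []).extend(hits)
    return by_root


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0b93e2ecbc6852ff97390a605f7f96c28d1295effb47db5374d9ee2bbcd00369N.exe"
DROPPED = r"C:\Windows\SysWOW64\1230\smss.exe"

# Constructed from the report's process tree; the explorer.exe parent (PID 3100) is assumed.
SAMPLE_EVENTS = [
    {"ProcessId": 2612, "ParentProcessId": 3100, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4804, "ParentProcessId": 2612, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop wscsvc", "ParentImage": SAMPLE},
    {"ProcessId": 5004, "ParentProcessId": 2612, "Image": DROPPED,
     "CommandLine": r"C:\Windows\system32\1230\smss.exe -d", "ParentImage": SAMPLE},
    {"ProcessId": 2860, "ParentProcessId": 5004, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "CommandLine": r"C:\Windows\system32\sc.exe stop wscsvc", "ParentImage": DROPPED},
    # Constructed benign decoys: the real smss.exe, and an sc.exe query.
    {"ProcessId": 700, "ParentProcessId": 4, "Image": r"C:\Windows\System32\smss.exe",
     "CommandLine": r"\SystemRoot\System32\smss.exe", "ParentImage": "System"},
    {"ProcessId": 6100, "ParentProcessId": 5800, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe query wscsvc", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for pid, msgs in attribute_to_root(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)).items():
        print(f"root PID {pid}:")
        for m in msgs:
            print("  -", m)
```

Run stand-alone, the script attributes all three findings (two `sc.exe stop wscsvc` launches and the smss.exe masquerade) to PID 2612, and neither decoy fires. The root attribution matters in practice: the second sc.exe launch comes from the dropped smss.exe, not from the original sample, so a per-process alert would otherwise surface as two unrelated events.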
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 39KB
MD5: cb6f96e866ca64abdd6bde7f7f03c5a4
SHA1: a333effdd2e3394d7955795999e6ba45d979438e
SHA256: 78ce1cdd5517b603473ed997d85e1e47cdd71d7cb0df2f12f4466972777357f9
SHA512: 8f82b9bf0472506335ba07881a64275a1fc2ec275a5e7f2544044301660e9dff2ab17709f7f39d5ebf4293bd9fa738dbf32810fcb48f63de073d8f2db5f4b05a