Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2024, 21:56
Behavioral task: behavioral1
Sample: 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
Resource: win7-20240903-en
General

Target: 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
Size: 38KB
MD5: 9dd5b2cc5e4e3f6f57fd53c233642cd1
SHA1: a0593f2a8dcaff05e3d5812047e25ab6dd0cfb89
SHA256: 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251
SHA512: f0bd598cab4de8510df05676bccf87bd911eebfe05d926eb658529a0f9def041260a79940d765044969b24e04614b9623b0e0d8e699b5dec90b47bc07966cbfe
SSDEEP: 768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOGuU:NWQa2TLEmITcoQxfllfmS1cOg
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
2016 | smss.exe
Loads dropped DLL (2 IoCs)
pid | Process
2500 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
2500 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\Service.exe | smss.exe
resource | yara_rule
behavioral1/memory/2500-0-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral1/files/0x0008000000016c81-4.dat | upx
behavioral1/memory/2500-16-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral1/memory/2016-18-0x0000000000400000-0x0000000000422000-memory.dmp | upx
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
2116 | sc.exe
2316 | sc.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2500 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
2016 | smss.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2500 wrote to memory of 2116 | 2500 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 30
PID 2500 wrote to memory of 2116 | 2500 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 30
PID 2500 wrote to memory of 2116 | 2500 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 30
PID 2500 wrote to memory of 2116 | 2500 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 30
PID 2500 wrote to memory of 2016 | 2500 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 32
PID 2500 wrote to memory of 2016 | 2500 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 32
PID 2500 wrote to memory of 2016 | 2500 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 32
PID 2500 wrote to memory of 2016 | 2500 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 32
PID 2016 wrote to memory of 2316 | 2016 | smss.exe | 33
PID 2016 wrote to memory of 2316 | 2016 | smss.exe | 33
PID 2016 wrote to memory of 2316 | 2016 | smss.exe | 33
PID 2016 wrote to memory of 2316 | 2016 | smss.exe | 33
Processes

- C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe (PID 2500, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe"
  Signatures: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sc.exe (PID 2116, depth 2)
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\1230\smss.exe (PID 2016, depth 2)
    Command line: C:\Windows\system32\1230\smss.exe -d
    Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2316, depth 3)
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 38KB
MD5: f27c6d2ab9d6c286a5c6631c36ed829a
SHA1: d0f9f77b5599b482f83c71f9a51f9656f4e18425
SHA256: c3325f5f991dceb1864c6cd22cfec2b743408968c27888f866369fb11483f90e
SHA512: ac29e89443680476a5736059cc6fcc786bbf66f658a5faca79abeb38986bd099e2074a308534ee42ac3d9a5c409959599ecfa62998dbf4bbf504465646c2de21