Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 21:56
Behavioral task: behavioral1
Sample: 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
Resource: win7-20240903-en
General
Target: 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
Size: 38KB
MD5: 9dd5b2cc5e4e3f6f57fd53c233642cd1
SHA1: a0593f2a8dcaff05e3d5812047e25ab6dd0cfb89
SHA256: 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251
SHA512: f0bd598cab4de8510df05676bccf87bd911eebfe05d926eb658529a0f9def041260a79940d765044969b24e04614b9623b0e0d8e699b5dec90b47bc07966cbfe
SSDEEP: 768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOGuU:NWQa2TLEmITcoQxfllfmS1cOg
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid  | Process
3104 | smss.exe

Drops file in System32 directory (3 IoCs)
description                  | ioc                                | Process
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe  | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
File opened for modification | C:\Windows\SysWOW64\1230\smss.exe  | smss.exe
File opened for modification | C:\Windows\SysWOW64\Service.exe    | smss.exe

YARA rule matches (UPX)
resource                                                                  | yara_rule
behavioral2/memory/1920-0-0x0000000000400000-0x0000000000422000-memory.dmp  | upx
behavioral2/files/0x000b000000023b76-5.dat                                | upx
behavioral2/memory/1920-11-0x0000000000400000-0x0000000000422000-memory.dmp | upx
behavioral2/memory/3104-13-0x0000000000400000-0x0000000000422000-memory.dmp | upx
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid  | Process
2236 | sc.exe
4588 | sc.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                         | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid  | Process
1920 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
3104 | smss.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                      | pid  | Process                                                               | procid_target
PID 1920 wrote to memory of 2236 | 1920 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 83
PID 1920 wrote to memory of 2236 | 1920 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 83
PID 1920 wrote to memory of 2236 | 1920 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 83
PID 1920 wrote to memory of 3104 | 1920 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 85
PID 1920 wrote to memory of 3104 | 1920 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 85
PID 1920 wrote to memory of 3104 | 1920 | 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | 85
PID 3104 wrote to memory of 4588 | 3104 | smss.exe                                                              | 86
PID 3104 wrote to memory of 4588 | 3104 | smss.exe                                                              | 86
PID 3104 wrote to memory of 4588 | 3104 | smss.exe                                                              | 86
Processes (process tree; nesting shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe"
  PID: 1920
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    PID: 2236
    - Launches sc.exe
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\1230\smss.exe
    Command line: C:\Windows\system32\1230\smss.exe -d
    PID: 3104
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      PID: 4588
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 38KB
MD5: b3d3815eab1a084ba566c1ccc74a72de
SHA1: 6bc0725cc2353ad97417b026362f3a24e5fb745f
SHA256: 3cb3bf7a6184d3f0038cef5cdedd26c990b06763c49c1196b018b2195fcad84c
SHA512: 71406398db01c01ee276be096c22be38af3ac810d1ea06a9ed099be82cbc537c1f6264a273c583541609d5917b0d72df262bcdac18c7df56e05d249ec1b26b2c