Analysis Overview
SHA256
4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251
Threat Level: Likely malicious
The file 4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251 was found to be: Likely malicious.
Malicious Activity Summary
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 21:56
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
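The two static signatures above ("UPX packed file" and "Unsigned PE") come down to a handful of PE header fields: the section names stock UPX leaves behind, and whether the Authenticode security directory is populated. The following is an added example, not code from the sandbox or from the sample's author: a dependency-free parser that pulls those fields from a PE image and also checks them against the memory-dump names the behavioural runs produce (both runs dump the region 0x400000-0x422000, which is exactly ImageBase plus SizeOfImage for a 0x22000-byte image). The `build_sample_pe` helper constructs a header-only PE32 for testing; its section names, image base and size are constructed values chosen to mirror the report, not bytes from the real sample.

```python
"""Static checks behind the 'UPX packed file' and 'Unsigned PE' signatures, plus a
comparison of ImageBase/SizeOfImage against a sandbox memory-dump name."""
import re
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode signature directory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes) -> dict:
    """Extract the fields the checks need from a PE image (no pefile dependency)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:            # 32-bit image: ImageBase is 4 bytes at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:      # 64-bit image: ImageBase is 8 bytes at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    sec_va = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_va, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sec_table = opt + opt_size         # section headers follow the optional header, 40 bytes each
    names = [data[sec_table + 40 * i: sec_table + 40 * i + 8].rstrip(b"\0").decode("latin-1")
             for i in range(n_sections)]
    return {"image_base": image_base, "size_of_image": size_of_image,
            "sections": names, "security_dir": (sec_va, sec_size)}


def looks_upx_packed(pe: dict) -> bool:
    # Stock UPX names its sections UPX0/UPX1 (often UPX2). A build with renamed
    # sections evades this; section entropy or the "UPX!" marker is the next check.
    return any(name.upper().startswith("UPX") for name in pe["sections"])


def has_authenticode_blob(pe: dict) -> bool:
    # Presence only: a non-empty security directory means a signature blob is embedded,
    # not that it verifies. An empty one (the report's 'Unsigned PE') is definitive.
    va, size = pe["security_dir"]
    return va != 0 and size != 0


DUMP_NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")


def dump_matches_image(dump_name: str, pe: dict) -> bool:
    """True when a sandbox dump name covers exactly [ImageBase, ImageBase + SizeOfImage)."""
    m = DUMP_NAME.fullmatch(dump_name)
    if not m:
        raise ValueError(f"unrecognised dump name: {dump_name}")
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return start == pe["image_base"] and end == pe["image_base"] + pe["size_of_image"]


def build_sample_pe(sections=(b"UPX0", b"UPX1", b".rsrc"), image_base=0x400000, size_of_image=0x22000) -> bytes:
    """Constructed header-only PE32 for testing; not the sample from the report."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                              # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes; all directories left zero
    sec_hdrs = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    pe = parse_pe(data)
    print("sections:", pe["sections"])
    print("upx_packed:", looks_upx_packed(pe), "signed_blob_present:", has_authenticode_blob(pe))
    print("dump matches:", dump_matches_image("memory/2500-0-0x0000000000400000-0x0000000000422000-memory.dmp", pe))
```

Run it with a path to a real PE to reproduce the two static signatures; without arguments it parses the constructed header. Note that the security directory's VirtualAddress is a file offset, not an RVA, so the presence check needs no section mapping.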
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 21:56
Reported
2024-11-10 21:59
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
"C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
Network
Files
memory/2500-0-0x0000000000400000-0x0000000000422000-memory.dmp
\Windows\SysWOW64\1230\smss.exe
| MD5 | f27c6d2ab9d6c286a5c6631c36ed829a |
| SHA1 | d0f9f77b5599b482f83c71f9a51f9656f4e18425 |
| SHA256 | c3325f5f991dceb1864c6cd22cfec2b743408968c27888f866369fb11483f90e |
| SHA512 | ac29e89443680476a5736059cc6fcc786bbf66f658a5faca79abeb38986bd099e2074a308534ee42ac3d9a5c409959599ecfa62998dbf4bbf504465646c2de21 |
memory/2500-16-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2016-18-0x0000000000400000-0x0000000000422000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 21:56
Reported
2024-11-10 21:59
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe
"C:\Users\Admin\AppData\Local\Temp\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
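Both behavioural runs show the same tree: the sample stops the Security Center service (wscsvc) through sc.exe, drops a copy named smss.exe under C:\Windows\SysWOW64\1230\ and runs it with -d, and the dropped copy stops wscsvc again. The dropped smss.exe has a different hash in each run (c3325f5f... versus 3cb3bf7a...), so hash-based indicators for it are unreliable; path and command line are the stable signals. The following is an added example, not part of the sandbox report, of detection logic keyed on those two signals, run over constructed process-creation events. The event format (newline-delimited JSON with pid, ppid, image, cmdline) is assumed, the PIDs 2500 and 2016 are taken from the memory-dump names, and the sc.exe PIDs, the parent links and the benign smss.exe record are constructed.

```python
"""Detection logic for the report's process tree: sc.exe stopping a security
service, and smss.exe executing from outside its canonical location."""
import json
import ntpath
import re

# Stopping any of these is a defence-evasion signal; wscsvc (Security Center) is the
# one the sample targets. The rest of the list is an assumption for generality.
DEFENSIVE_SERVICES = {"wscsvc", "windefend", "wdnissvc", "sense", "mpssvc", "securityhealthservice"}

# System binaries with exactly one legitimate on-disk location. Assumption: seeded only
# with smss.exe, the name this sample borrows; extend for csrss.exe, lsass.exe etc.
CANONICAL_PATHS = {"smss.exe": {r"c:\windows\system32\smss.exe"}}

# Matches "sc stop <svc>", "sc.exe stop <svc>", and quoted or full-path forms.
SC_STOP = re.compile(r'(?:^|[\\\s"])sc(?:\.exe)?"?\s+stop\s+([^\s"]+)', re.IGNORECASE)


def check_event(ev: dict) -> list[dict]:
    """Return zero or more alerts for one process-creation event."""
    alerts = []
    image = ev["image"]
    allowed = CANONICAL_PATHS.get(ntpath.basename(image).lower())
    if allowed is not None and image.lower() not in allowed:
        alerts.append({"rule": "system-binary-masquerade", "pid": ev["pid"], "image": image})
    m = SC_STOP.search(ev["cmdline"])
    if m and m.group(1).lower() in DEFENSIVE_SERVICES:
        alerts.append({"rule": "security-service-stop", "pid": ev["pid"],
                       "service": m.group(1).lower(), "cmdline": ev["cmdline"]})
    return alerts


def scan(jsonl: str) -> list[dict]:
    """Run check_event over newline-delimited JSON events and attach the parent image."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        for alert in check_event(ev):
            parent = by_pid.get(ev["ppid"])
            alert["parent_image"] = parent["image"] if parent else None
            alerts.append(alert)
    return alerts


# Constructed events modelled on the behavioral1 process tree. PIDs 2500 and 2016 come
# from the report's memory-dump names; every other PID, the parent links, and the last
# (benign) smss.exe record are assumed for illustration.
SAMPLE_LOG = r'''
{"pid": 2500, "ppid": 1404, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe", "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4126ef4945c09f2089a5eaba00d1373016726d5b8f2a53a56b4aec4a95fb7251.exe\""}
{"pid": 2612, "ppid": 2500, "image": "C:\\Windows\\SysWOW64\\sc.exe", "cmdline": "C:\\Windows\\system32\\sc.exe stop wscsvc"}
{"pid": 2016, "ppid": 2500, "image": "C:\\Windows\\SysWOW64\\1230\\smss.exe", "cmdline": "C:\\Windows\\system32\\1230\\smss.exe -d"}
{"pid": 2744, "ppid": 2016, "image": "C:\\Windows\\SysWOW64\\sc.exe", "cmdline": "C:\\Windows\\system32\\sc.exe stop wscsvc"}
{"pid": 404, "ppid": 4, "image": "C:\\Windows\\System32\\smss.exe", "cmdline": "\\SystemRoot\\System32\\smss.exe"}
'''

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(json.dumps(alert))
```

The masquerade rule compares the full image path, not just the file name, because the sample's copy is a real smss.exe on disk; the command line in the report shows system32 while the image path shows SysWOW64, which is WoW64 file-system redirection for a 32-bit process, so path comparisons should be made on the resolved image path the logging source records rather than on the command line.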
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
memory/1920-0-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Windows\SysWOW64\1230\smss.exe
| MD5 | b3d3815eab1a084ba566c1ccc74a72de |
| SHA1 | 6bc0725cc2353ad97417b026362f3a24e5fb745f |
| SHA256 | 3cb3bf7a6184d3f0038cef5cdedd26c990b06763c49c1196b018b2195fcad84c |
| SHA512 | 71406398db01c01ee276be096c22be38af3ac810d1ea06a9ed099be82cbc537c1f6264a273c583541609d5917b0d72df262bcdac18c7df56e05d249ec1b26b2c |
memory/1920-11-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3104-13-0x0000000000400000-0x0000000000422000-memory.dmp