Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 10-11-2024 01:33
Behavioral task: behavioral1
- Sample: ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
- Resource: win7-20241010-en
General
- Target: ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
- Size: 38KB
- MD5: 4f8028dc129f973f48ee4ba325e3a9b1
- SHA1: e65538fe7d987e275e3ef10bbe0b882fa48dc7a0
- SHA256: ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43
- SHA512: 7013f6f563ed7d8291a35293905fb64237d36828212b5c62a425fbc38d8a17471c98ed83c27ec7cbfa18925f5f289a6932765d6871cc0da94dc45ac9214ac1b5
- SSDEEP: 768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOGue:NWQa2TLEmITcoQxfllfmS1cOC
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1668 | smss.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  3032 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
  3032 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
- Drops file in System32 directory (3 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
  File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | smss.exe
  File opened for modification | C:\Windows\SysWOW64\Service.exe | smss.exe
- Processes (resource | yara_rule):
  behavioral1/memory/1668-20-0x0000000000400000-0x0000000000422000-memory.dmp | upx
  behavioral1/memory/3032-18-0x0000000000400000-0x0000000000422000-memory.dmp | upx
  C:\Windows\SysWOW64\1230\smss.exe | upx
  behavioral1/memory/1668-12-0x0000000000400000-0x0000000000422000-memory.dmp | upx
  behavioral1/memory/3032-10-0x0000000000340000-0x0000000000362000-memory.dmp | upx
  behavioral1/memory/3032-0-0x0000000000400000-0x0000000000422000-memory.dmp | upx
- Launches sc.exe (2 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
  1976 | sc.exe
  3028 | sc.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
  3032 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
  1668 | smss.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 3032 wrote to memory of 3028 | 3032 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | sc.exe
  PID 3032 wrote to memory of 3028 | 3032 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | sc.exe
  PID 3032 wrote to memory of 3028 | 3032 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | sc.exe
  PID 3032 wrote to memory of 3028 | 3032 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | sc.exe
  PID 3032 wrote to memory of 1668 | 3032 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | smss.exe
  PID 3032 wrote to memory of 1668 | 3032 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | smss.exe
  PID 3032 wrote to memory of 1668 | 3032 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | smss.exe
  PID 3032 wrote to memory of 1668 | 3032 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | smss.exe
  PID 1668 wrote to memory of 1976 | 1668 | smss.exe | sc.exe
  PID 1668 wrote to memory of 1976 | 1668 | smss.exe | sc.exe
  PID 1668 wrote to memory of 1976 | 1668 | smss.exe | sc.exe
  PID 1668 wrote to memory of 1976 | 1668 | smss.exe | sc.exe
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe"
  PID: 3032 (depth 1)
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    PID: 3028 (depth 2)
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  - Image: C:\Windows\SysWOW64\1230\smss.exe
    Command line: C:\Windows\system32\1230\smss.exe -d
    PID: 1668 (depth 2)
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      PID: 1976 (depth 3)
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 38KB
- MD5: 82afab0b8a96e1153304e6ad01b3b47d
- SHA1: 18967fccd12572d86f568ee4330c9a05083dd26f
- SHA256: fca2e73f1f46ac944fa1535182e68e08025a7996b8fce5539a30a7b634959664
- SHA512: c1ce15ef70439023b2b64e52276c700340bd193687c4e842470791ea2eee32f705e347e4492135fdd41706895d5fb7051d4688b53fe30aa7c5761492528421fa