Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:33
Behavioral task
- behavioral1
- Sample: ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
- Resource: win7-20241010-en
General
- Target: ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
- Size: 38KB
- MD5: 4f8028dc129f973f48ee4ba325e3a9b1
- SHA1: e65538fe7d987e275e3ef10bbe0b882fa48dc7a0
- SHA256: ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43
- SHA512: 7013f6f563ed7d8291a35293905fb64237d36828212b5c62a425fbc38d8a17471c98ed83c27ec7cbfa18925f5f289a6932765d6871cc0da94dc45ac9214ac1b5
- SSDEEP: 768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOGue:NWQa2TLEmITcoQxfllfmS1cOC
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: smss.exe
    pid  | process
    1072 | smss.exe
- Drops file in System32 directory (3 IoCs)
  Processes: ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe, smss.exe
    description                  | ioc                               | process
    File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
    File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | smss.exe
    File opened for modification | C:\Windows\SysWOW64\Service.exe   | smss.exe
- YARA rule matches
    resource                                                                    | yara_rule
    behavioral2/memory/4156-0-0x0000000000400000-0x0000000000422000-memory.dmp  | upx
    C:\Windows\SysWOW64\1230\smss.exe                                           | upx
    behavioral2/memory/1072-11-0x0000000000400000-0x0000000000422000-memory.dmp | upx
    behavioral2/memory/4156-13-0x0000000000400000-0x0000000000422000-memory.dmp | upx
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe
    pid  | process
    2724 | sc.exe
    2820 | sc.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe, sc.exe, smss.exe, sc.exe
    description | ioc                                                          | process
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe, smss.exe
    pid  | process
    4156 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe
    1072 | smss.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe, smss.exe
    description                        | pid  | process                                                              | target process
    PID 4156 wrote to memory of 2724   | 4156 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | sc.exe
    PID 4156 wrote to memory of 2724   | 4156 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | sc.exe
    PID 4156 wrote to memory of 2724   | 4156 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | sc.exe
    PID 4156 wrote to memory of 1072   | 4156 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | smss.exe
    PID 4156 wrote to memory of 1072   | 4156 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | smss.exe
    PID 4156 wrote to memory of 1072   | 4156 | ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe | smss.exe
    PID 1072 wrote to memory of 2820   | 1072 | smss.exe                                                             | sc.exe
    PID 1072 wrote to memory of 2820   | 1072 | smss.exe                                                             | sc.exe
    PID 1072 wrote to memory of 2820   | 1072 | smss.exe                                                             | sc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe (PID 4156, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab182aba91222ca2cb5ffe22d83450cfaa9fe0847e068d0bf9f514ff5b641e43.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sc.exe (PID 2724, depth 2)
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\1230\smss.exe (PID 1072, depth 2)
    Command line: C:\Windows\system32\1230\smss.exe -d
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2820, depth 3)
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 38KB
  MD5: f55ddeb5332b0f2fc69f9a92dfb09791
  SHA1: 01838a8d253067d5143fd756c8839f17340a46c0
  SHA256: a08af6e3404d464e93e93204531cd8cb7d3a2ff4d6b6c4e9cbe39a760081ae1c
  SHA512: 07c78514127339da46ba0bea4486d2a0026cbf375968f5b56ae32eda7e2ae4b8e278b2d97d5bd9aa5aaa366ab636079ed3b0d9c7537ec5a7ef90009969b5df81