Analysis Overview
SHA256
3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dc
Threat Level: Likely malicious
The file 3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN was found to be: Likely malicious.
Malicious Activity Summary
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
UPX packed file
Launches sc.exe
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 06:34
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 06:34
Reported
2024-11-10 06:36
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe
"C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/3612-0-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Windows\SysWOW64\1230\smss.exe
| MD5 | 96b4ab1ecc0ef0514ffd3bb18e60de84 |
| SHA1 | 6a72a892d4c2a31d8c45ece0d4cc88add9c3bd90 |
| SHA256 | 6a4ffb52c0b9457734db7b430ca7f7e004e6053edf472b56b404341c123b3c5b |
| SHA512 | 1ad0b5f276c042de0c6855090bd9340c7f9b2880416192f013fb492d1d07519276b7c477f7f54f4015bbb457763295ee9b659c74e340960d35623eb2fedfcd4e |
memory/4000-11-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3612-13-0x0000000000400000-0x0000000000422000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 06:34
Reported
2024-11-10 06:36
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe
"C:\Users\Admin\AppData\Local\Temp\3d84f35e5e3292790bb447f796196cd62d3ecf8a00f27d0c293835672c2b94dcN.exe"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
Network
Files
memory/3008-0-0x0000000000400000-0x0000000000422000-memory.dmp
\Windows\SysWOW64\1230\smss.exe
| MD5 | f31b1d0d2dabfbf38ed4d2365ff40ed4 |
| SHA1 | 21a49e9cd9367f5d7254d71c125ad54b11630e1b |
| SHA256 | 60e466ba14b73585ed9ed950c389b2b2a03d155235ec9cd1313b9edba763b654 |
| SHA512 | e127516d09bfa9ee868f1a6086fc5735a3ad7dd1b90c3ec609fd26a428c2ec9fbaaf4aed9dc86ff8502b849e4319c978fdc1b434cdc9a4ea97617a622aa6cead |
memory/3008-11-0x00000000003D0000-0x00000000003F2000-memory.dmp
memory/3008-10-0x00000000003D0000-0x00000000003F2000-memory.dmp
memory/596-19-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3008-20-0x0000000000400000-0x0000000000422000-memory.dmp