Analysis Overview
SHA256
9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30
Threat Level: Likely malicious
The file 9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N was found to be: Likely malicious.
Malicious Activity Summary
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
UPX packed file
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 06:38
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 06:38
Reported
2024-11-10 06:40
Platform
win7-20240903-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe
"C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
Network
Files
memory/2420-0-0x0000000000400000-0x0000000000422000-memory.dmp
\Windows\SysWOW64\1230\smss.exe
| MD5 | e1602e62a089421184e1ae7fe7e84f63 |
| SHA1 | 6227665726f81c8577d19e15cbc6ebc36cbd2631 |
| SHA256 | ce5296d6821fa133ea3a2cd0a4e3ccc4218c494bde11739d252098fe5e610c32 |
| SHA512 | f6dcfa59fdaf8e8977b2c0b09d767dcb6d40b86c603a7186da3291f78343f09ee315df11ee169918e0be1a994a1766ce5cc0b91653870f3e8855ea4e193fa960 |
memory/3028-13-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2420-12-0x00000000005C0000-0x00000000005E2000-memory.dmp
memory/2420-11-0x00000000005C0000-0x00000000005E2000-memory.dmp
memory/2420-21-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3028-19-0x0000000000400000-0x0000000000422000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 06:38
Reported
2024-11-10 06:40
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe
"C:\Users\Admin\AppData\Local\Temp\9c72ccc729c95f7063844fd4cb70451f48d8ec40e34891017a12bcbf81dafb30N.exe"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3988-0-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Windows\SysWOW64\1230\smss.exe
| MD5 | d9f3a2460c7035d69c1d0f59da5fcfb7 |
| SHA1 | d703ab9d0dd08c4fc732f455c908d0e28c4c8632 |
| SHA256 | 86550bf4d8795871ab7fa596b96f0f50ad0adb07c7468f460ba690b1a35afc2b |
| SHA512 | 1326aa8b556fa6949d68a1632bf5e830b038296264d7589ee9b2edf7da4e7df310a0e31a95451fa94f9943e2ef15cf50189604919be06446aa471ac809671d82 |
memory/3988-11-0x0000000000400000-0x0000000000422000-memory.dmp
memory/548-13-0x0000000000400000-0x0000000000422000-memory.dmp