Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17/11/2024, 08:57
Behavioral task: behavioral1
Sample: c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
Resource: win7-20240903-en
General
Target: c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
Size: 39KB
MD5: 1109272cb76cc0a40a38378d607896e3
SHA1: d91dab4c8fb0df4cd40db7660d4411a5b0cc2eb4
SHA256: c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c
SHA512: 28cb43c498fafd3c53b4ff44c180a1ec97e8be659138d927bc34660d4b5dc2bd2144ca37417b900dc633f54629a5d483a9525754658896e9c0b49b47324ee693
SSDEEP: 768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOGujw:NWQa2TLEmITcoQxfllfmS1cOvw
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid   Process
2328  smss.exe
Loads dropped DLL (2 IoCs)
pid   Process
2364  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
2364  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
Drops file in System32 directory (3 IoCs)
description                   ioc                                  Process
File opened for modification  C:\Windows\SysWOW64\1230\smss.exe    c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
File opened for modification  C:\Windows\SysWOW64\1230\smss.exe    smss.exe
File opened for modification  C:\Windows\SysWOW64\Service.exe      smss.exe
UPX packed file (YARA)
resource                                                                  yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x0000000000422000-memory.dmp   upx
behavioral1/files/0x0008000000019030-4.dat                                   upx
behavioral1/memory/2328-11-0x0000000000400000-0x0000000000422000-memory.dmp  upx
behavioral1/memory/2328-19-0x0000000000400000-0x0000000000422000-memory.dmp  upx
behavioral1/memory/2364-17-0x0000000000400000-0x0000000000422000-memory.dmp  upx
Launches sc.exe (2 IoCs)
sc.exe is a Windows utility to control services on the system.
pid   Process
2056  sc.exe
3008  sc.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  smss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2364  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
2328  smss.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                  pid   Process                                                                 procid_target
PID 2364 wrote to memory of  2056  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  30
PID 2364 wrote to memory of  2056  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  30
PID 2364 wrote to memory of  2056  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  30
PID 2364 wrote to memory of  2056  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  30
PID 2364 wrote to memory of  2328  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  32
PID 2364 wrote to memory of  2328  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  32
PID 2364 wrote to memory of  2328  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  32
PID 2364 wrote to memory of  2328  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  32
PID 2328 wrote to memory of  3008  smss.exe                                                                33
PID 2328 wrote to memory of  3008  smss.exe                                                                33
PID 2328 wrote to memory of  3008  smss.exe                                                                33
PID 2328 wrote to memory of  3008  smss.exe                                                                33
Processes
C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2364
  C:\Windows\SysWOW64\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wscsvc
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID: 2056
  C:\Windows\SysWOW64\1230\smss.exe
    Command line: C:\Windows\system32\1230\smss.exe -d
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2328
    C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
      PID: 3008
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 39KB
MD5: c902ce5af13b5a0882daa5081fd01b33
SHA1: 4aad53421aa023a560f953e61f4581a9e69bb2ca
SHA256: dd99010dbbd86d8a443f85c9aa5a6a980500c26c2b1b0ea451c244a9d3cb2988
SHA512: 66cec42c9ab64342237fbd1830f74e47e4f8b3e6822f7438feaa16c832038b9eb09a5a72620a673d60b9ac5e02ebeca74133334c316f3c6cd983e62da0f91593