Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 17/11/2024, 08:57
Behavioral task: behavioral1
Sample: c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
Resource: win7-20240903-en
General
Target: c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
Size: 39KB
MD5: 1109272cb76cc0a40a38378d607896e3
SHA1: d91dab4c8fb0df4cd40db7660d4411a5b0cc2eb4
SHA256: c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c
SHA512: 28cb43c498fafd3c53b4ff44c180a1ec97e8be659138d927bc34660d4b5dc2bd2144ca37417b900dc633f54629a5d483a9525754658896e9c0b49b47324ee693
SSDEEP: 768:Nzj1JegVa3Gry+uELEmITCs/NUZ6nZdYbCLECkrQoP9fmF2f1cOGujw:NWQa2TLEmITcoQxfllfmS1cOvw
Malware Config
Signatures
Executes dropped EXE 1 IoCs
  PID   Process
  1944  smss.exe
Drops file in System32 directory 3 IoCs
  Description                   IoC                                 Process
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
  File opened for modification  C:\Windows\SysWOW64\1230\smss.exe   smss.exe
  File opened for modification  C:\Windows\SysWOW64\Service.exe     smss.exe
  Resource                                                                      YARA rule
  behavioral2/memory/1472-0-0x0000000000400000-0x0000000000422000-memory.dmp    upx
  behavioral2/files/0x0008000000023ca7-5.dat                                    upx
  behavioral2/memory/1472-10-0x0000000000400000-0x0000000000422000-memory.dmp   upx
  behavioral2/memory/1944-12-0x0000000000400000-0x0000000000422000-memory.dmp   upx
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
  PID   Process
  3120  sc.exe
  1584  sc.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                               Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      smss.exe
Suspicious use of SetWindowsHookEx 2 IoCs
  PID   Process
  1472  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
  1944  smss.exe
Suspicious use of WriteProcessMemory 9 IoCs
  Description                        PID   Process                                                                 procid_target
  PID 1472 wrote to memory of 1584   1472  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  83
  PID 1472 wrote to memory of 1584   1472  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  83
  PID 1472 wrote to memory of 1584   1472  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  83
  PID 1472 wrote to memory of 1944   1472  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  85
  PID 1472 wrote to memory of 1944   1472  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  85
  PID 1472 wrote to memory of 1944   1472  c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe  85
  PID 1944 wrote to memory of 3120   1944  smss.exe                                                                86
  PID 1944 wrote to memory of 3120   1944  smss.exe                                                                86
  PID 1944 wrote to memory of 3120   1944  smss.exe                                                                86
Processes
C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe"
  PID: 1472
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wscsvc
      PID: 1584
      - Launches sc.exe
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\1230\smss.exe
      Command line: C:\Windows\system32\1230\smss.exe -d
      PID: 1944
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\sc.exe
          Command line: C:\Windows\system32\sc.exe stop wscsvc
          PID: 3120
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 39KB
MD5: b6b650558e239e67bed82f1ca6f1273a
SHA1: 4bfbe1bc06ba13f4c0256264bb84ca56626df4e8
SHA256: 8849c824e3a435f6863af631ed2ba12efa72810878089ef36a7123a27dc0db6f
SHA512: f3a8a6338df8dcdf60a5f6e8397685433b3752cc072d1bec05d666a6afa63d8df02524326ed69d7841318b6985f5b8b5b8b69844141b00bc3a63c416e590be94