Analysis Overview
SHA256
c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c
Threat Level: Likely malicious
The file c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c was found to be: Likely malicious.
Malicious Activity Summary
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 08:57
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 08:57
Reported
2024-11-17 09:00
Platform
win7-20240903-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
"C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
Network
Files
memory/2364-0-0x0000000000400000-0x0000000000422000-memory.dmp
\Windows\SysWOW64\1230\smss.exe
| MD5 | c902ce5af13b5a0882daa5081fd01b33 |
| SHA1 | 4aad53421aa023a560f953e61f4581a9e69bb2ca |
| SHA256 | dd99010dbbd86d8a443f85c9aa5a6a980500c26c2b1b0ea451c244a9d3cb2988 |
| SHA512 | 66cec42c9ab64342237fbd1830f74e47e4f8b3e6822f7438feaa16c832038b9eb09a5a72620a673d60b9ac5e02ebeca74133334c316f3c6cd983e62da0f91593 |
memory/2328-11-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2328-19-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2364-17-0x0000000000400000-0x0000000000422000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 08:57
Reported
2024-11-17 09:00
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\1230\smss.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Service.exe | C:\Windows\SysWOW64\1230\smss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\1230\smss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe
"C:\Users\Admin\AppData\Local\Temp\c14851d4a265b540e06fe62512b23177397c7163c953383c3ac4ee42258e2d8c.exe"
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1472-0-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Windows\SysWOW64\1230\smss.exe
| MD5 | b6b650558e239e67bed82f1ca6f1273a |
| SHA1 | 4bfbe1bc06ba13f4c0256264bb84ca56626df4e8 |
| SHA256 | 8849c824e3a435f6863af631ed2ba12efa72810878089ef36a7123a27dc0db6f |
| SHA512 | f3a8a6338df8dcdf60a5f6e8397685433b3752cc072d1bec05d666a6afa63d8df02524326ed69d7841318b6985f5b8b5b8b69844141b00bc3a63c416e590be94 |
memory/1472-10-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1944-12-0x0000000000400000-0x0000000000422000-memory.dmp