e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe
Size

139KB
MD5

3d17f5f0c6abf27c8971494095eaee2e
SHA1

2df8a34bc47db0de76a58f0bd9c06d384b12381e
SHA256

e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621
SHA512

74479e2a7f06e6e07b116db37de4bee8fce6d75114a15e37002a908ff38371411371be8c103257621e619d1c20da5d9ce3938c8038b60ba0bd198f091e623030
SSDEEP

1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPl:r7YubEwYXRWhpAJUHhzm4hUukS6Kmecf

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

2264 smss.exe
Loads dropped DLL 2 IoCs

Processes:

e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe

pid process

2140 e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe
2140 e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe

pid	process
2264	smss.exe

pid	process
2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe
2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe

Drops file in System32 directory 3 IoCs

Processes:

e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exesmss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2296 sc.exe
760 sc.exe
2448 sc.exe
1584 sc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exesmss.exe

pid process

2140 e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe
2264 smss.exe

pid	process
2296	sc.exe
760	sc.exe
2448	sc.exe
1584	sc.exe

pid	process
2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe
2264	smss.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exesmss.exe

description	pid	process	target process
PID 2140 wrote to memory of 2296	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 2140 wrote to memory of 2296	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 2140 wrote to memory of 2296	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 2140 wrote to memory of 2296	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 2140 wrote to memory of 760	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 2140 wrote to memory of 760	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 2140 wrote to memory of 760	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 2140 wrote to memory of 760	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 2140 wrote to memory of 2264	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	smss.exe
PID 2140 wrote to memory of 2264	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	smss.exe
PID 2140 wrote to memory of 2264	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	smss.exe
PID 2140 wrote to memory of 2264	2140	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	smss.exe
PID 2264 wrote to memory of 2448	2264	smss.exe	sc.exe
PID 2264 wrote to memory of 2448	2264	smss.exe	sc.exe
PID 2264 wrote to memory of 2448	2264	smss.exe	sc.exe
PID 2264 wrote to memory of 2448	2264	smss.exe	sc.exe
PID 2264 wrote to memory of 1584	2264	smss.exe	sc.exe
PID 2264 wrote to memory of 1584	2264	smss.exe	sc.exe
PID 2264 wrote to memory of 1584	2264	smss.exe	sc.exe
PID 2264 wrote to memory of 1584	2264	smss.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe
"C:\Users\Admin\AppData\Local\Temp\e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
2⤵
- Launches sc.exe
PID:2296

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
2⤵
- Launches sc.exe
PID:760

C:\Windows\SysWOW64\1230\smss.exe
C:\Windows\system32\1230\smss.exe -d
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
3⤵
- Launches sc.exe
PID:2448

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
3⤵
- Launches sc.exe
PID:1584

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1230\smss.exe
Filesize
139KB

MD5
1eaa58c1ea172b3353b9f8617d8af78c

SHA1
cbaab0bac19a545a071959aeb909a2d4f31a0c8f

SHA256
1b6852d9f856eccba950be843618dc1736d8d343216252f076c86338548fed15

SHA512
54d226a37d20fd4028b4f31691ad2cf55c993436a6701210113a04af48ce497fd78589893ac8e411bd5faff6a8a298a3dbb29f5041c84e182d6ffaff96088e1e

Download Submit