e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:54

Target

e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe
Size

139KB
MD5

3d17f5f0c6abf27c8971494095eaee2e
SHA1

2df8a34bc47db0de76a58f0bd9c06d384b12381e
SHA256

e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621
SHA512

74479e2a7f06e6e07b116db37de4bee8fce6d75114a15e37002a908ff38371411371be8c103257621e619d1c20da5d9ce3938c8038b60ba0bd198f091e623030
SSDEEP

1536:rC2/fYuPfbESFYXRWhpKRycRd57JkIqFHhzm4hWru/BzihhMN45MF5FvHP132xPl:r7YubEwYXRWhpAJUHhzm4hUukS6Kmecf

Score

8^/10

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

2996 smss.exe

pid	process
2996	smss.exe

Drops file in System32 directory 3 IoCs

Processes:

e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exesmss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe
File opened for modification	C:\Windows\SysWOW64\1230\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Service.exe	smss.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

184 sc.exe
4220 sc.exe
1264 sc.exe
3012 sc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exesmss.exe

pid process

3172 e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe
2996 smss.exe

pid	process
3172	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe
2996	smss.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exesmss.exe

description	pid	process	target process
PID 3172 wrote to memory of 1264	3172	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 3172 wrote to memory of 1264	3172	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 3172 wrote to memory of 1264	3172	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 3172 wrote to memory of 4220	3172	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 3172 wrote to memory of 4220	3172	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 3172 wrote to memory of 4220	3172	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	sc.exe
PID 3172 wrote to memory of 2996	3172	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	smss.exe
PID 3172 wrote to memory of 2996	3172	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	smss.exe
PID 3172 wrote to memory of 2996	3172	e52de97c17a2c76adab50cc3d3c2ee8a8f84a97fbeee14471684a9d12559d621.exe	smss.exe
PID 2996 wrote to memory of 3012	2996	smss.exe	sc.exe
PID 2996 wrote to memory of 3012	2996	smss.exe	sc.exe
PID 2996 wrote to memory of 3012	2996	smss.exe	sc.exe
PID 2996 wrote to memory of 184	2996	smss.exe	sc.exe
PID 2996 wrote to memory of 184	2996	smss.exe	sc.exe
PID 2996 wrote to memory of 184	2996	smss.exe	sc.exe

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
2⤵
- Launches sc.exe
PID:1264

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
2⤵
- Launches sc.exe
PID:4220

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop SharedAccess
3⤵
- Launches sc.exe
PID:3012

C:\Windows\SysWOW64\sc.exe
C:\Windows\system32\sc.exe stop wscsvc
3⤵
- Launches sc.exe
PID:184

C:\Windows\SysWOW64\1230\smss.exe
Filesize
139KB

MD5
ec32f5f58f74b7dc734374787276b51f

SHA1
1f659957d5456338330cd708ee1da1192a24f187

SHA256
932085397b0f1b6b831420f09786c98a7576fcaa5d4c6836a123a2c9925a719d

SHA512
a99ea7ebd070b691c52c1a08e30d02090193032840f0cefc07727ca376da4d8668a90d96a6c185d1659d6cb498fdc347cd5db822225e31d453b0f295afc93b22

Download Submit