Overview

overview

10

Static

static

8

c46805d51b...0b.exe

windows7-x64

10

c46805d51b...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    183s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/10/2022, 18:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c46805d51bfee760e479a708d5b3a0d1e089396103d01f0693c3fc5edbd9760b.exe

  • Size

    342KB

  • MD5

    0bf09fb0d1755a016eede7ac78b1d94b

  • SHA1

    1fc39f7cf35a1c17f06b1e5709423b51c3520594

  • SHA256

    c46805d51bfee760e479a708d5b3a0d1e089396103d01f0693c3fc5edbd9760b

  • SHA512

    120d11133bea049fb9e9916a199ef6eadfb828f8f420d068c5a8a3ada16c8faa82abbe344fa1f45a38dae9b25d1369e3fc2a53f1323fc5aea283b885d121577b

  • SSDEEP

    6144:ARqmpp+amNOGokzLyM9tsLAitQo6tzOKkzIt8gKyfjxfR9D2j4yOWYbCyQ:UqmpplpGoGL3etQoMiXM8gxf/Sj4y0Q

Score
10/10
aspackv2persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 7 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c46805d51bfee760e479a708d5b3a0d1e089396103d01f0693c3fc5edbd9760b.exe
    "C:\Users\Admin\AppData\Local\Temp\c46805d51bfee760e479a708d5b3a0d1e089396103d01f0693c3fc5edbd9760b.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\SysWOW64\fservice.exe
      C:\Windows\system32\fservice.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\Windows\services.exe
        C:\Windows\services.exe -XP
        3⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Modifies Installed Components in the registry
        • Loads dropped DLL
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\Windows\SysWOW64\NET.exe
          NET STOP srservice
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4356
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 STOP srservice
            5⤵
              PID:4504
          • C:\Windows\SysWOW64\NET.exe
            NET STOP navapsvc
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3776
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 STOP navapsvc
              5⤵
                PID:4040
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\c46805d51bfee760e479a708d5b3a0d1e089396103d01f0693c3fc5edbd9760b.exe.bat
          2⤵
            PID:4328

        Network

        • flag-us
          DNS
          176.122.125.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          176.122.125.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
          Remote address:
          8.8.8.8:53
          Request
          0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
          IN PTR
          Response
        • flag-us
          DNS
          aku.edu.tr
          services.exe
          Remote address:
          8.8.8.8:53
          Request
          aku.edu.tr
          IN A
          Response
          aku.edu.tr
          IN A
          193.255.49.56
        • flag-us
          DNS
          atauni.edu.tr
          services.exe
          Remote address:
          8.8.8.8:53
          Request
          atauni.edu.tr
          IN A
          Response
          atauni.edu.tr
          IN A
          95.0.242.21
        • flag-us
          DNS
          ege.edu.tr
          services.exe
          Remote address:
          8.8.8.8:53
          Request
          ege.edu.tr
          IN A
          Response
          ege.edu.tr
          IN A
          155.223.2.2
        • flag-unknown
          DNS
          hotmail.com
          services.exe
          Remote address:
          235.4.158.100:53
          Request
          hotmail.com
          IN MX
        • 93.184.220.29:80
          322 B
           7
        • 93.184.221.240:80
          322 B
           7
        • 93.184.221.240:80
          322 B
           7
        • 93.184.221.240:80
          322 B
           7
        • 104.80.225.205:443
          322 B
           7
        • 93.184.221.240:80
          322 B
           7
        • 93.184.221.240:80
          260 B
           5
        • 8.8.8.8:53
          services.exe
          260 B
           5
        • 151.164.23.201:53
          services.exe
          260 B
           5
        • 93.184.221.240:80
          260 B
           5
        • 193.255.49.56:53
          aku.edu.tr
          services.exe
          260 B
           5
        • 93.184.221.240:80
          260 B
           5
        • 95.0.242.21:53
          atauni.edu.tr
          services.exe
          260 B
           200 B
           5
          5
        • 155.223.2.2:53
          ege.edu.tr
          services.exe
          190 B
           92 B
           4
          2
        • 20.189.173.2:443
          322 B
           7
        • 93.184.220.29:80
          260 B
           5
        • 8.8.8.8:53
          176.122.125.40.in-addr.arpa
          dns
          73 B
           159 B
           1
          1

          DNS Request

          176.122.125.40.in-addr.arpa

        • 8.8.8.8:53
          0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
          dns
          118 B
           204 B
           1
          1

          DNS Request

          0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

        • 8.8.8.8:53
          aku.edu.tr
          dns
          services.exe
          56 B
           72 B
           1
          1

          DNS Request

          aku.edu.tr

          DNS Response

          193.255.49.56

        • 8.8.8.8:53
          atauni.edu.tr
          dns
          services.exe
          59 B
           75 B
           1
          1

          DNS Request

          atauni.edu.tr

          DNS Response

          95.0.242.21

        • 8.8.8.8:53
          ege.edu.tr
          dns
          services.exe
          56 B
           72 B
           1
          1

          DNS Request

          ege.edu.tr

          DNS Response

          155.223.2.2

        • 235.4.158.100:53
          hotmail.com
          dns
          services.exe
          57 B
           1

          DNS Request

          hotmail.com

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\c46805d51bfee760e479a708d5b3a0d1e089396103d01f0693c3fc5edbd9760b.exe.bat
          Filesize

          133B

          MD5

          050f243b8ea1f3bbcdd73d4743acc398

          SHA1

          b6c0d2b3e04f5acfde0a8501c7dfb566ba38de8c

          SHA256

          c9bfcbd8923a793f943efecdd20ac8648ec13ea1026420fdc8ba3a14535f584e

          SHA512

          2d9a0107d9b1446f099e56027541973cc8f3255d7aa16ff14d94791b5577a12c281934d7696b1e975de9394b6821cd7a434d7d9c9cbd72825ef3208c98bad41d

          Download Submit

        • C:\Windows\SysWOW64\fservice.exe
          Filesize

          342KB

          MD5

          0bf09fb0d1755a016eede7ac78b1d94b

          SHA1

          1fc39f7cf35a1c17f06b1e5709423b51c3520594

          SHA256

          c46805d51bfee760e479a708d5b3a0d1e089396103d01f0693c3fc5edbd9760b

          SHA512

          120d11133bea049fb9e9916a199ef6eadfb828f8f420d068c5a8a3ada16c8faa82abbe344fa1f45a38dae9b25d1369e3fc2a53f1323fc5aea283b885d121577b

          Download Submit

        • C:\Windows\SysWOW64\fservice.exe
          Filesize

          342KB

          MD5

          0bf09fb0d1755a016eede7ac78b1d94b

          SHA1

          1fc39f7cf35a1c17f06b1e5709423b51c3520594

          SHA256

          c46805d51bfee760e479a708d5b3a0d1e089396103d01f0693c3fc5edbd9760b

          SHA512

          120d11133bea049fb9e9916a199ef6eadfb828f8f420d068c5a8a3ada16c8faa82abbe344fa1f45a38dae9b25d1369e3fc2a53f1323fc5aea283b885d121577b

          Download Submit

        • C:\Windows\SysWOW64\reginv.dll
          Filesize

          36KB

          MD5

          562e0d01d6571fa2251a1e9f54c6cc69

          SHA1

          83677ad3bc630aa6327253c7b3deffbd4a8ce905

          SHA256

          c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

          SHA512

          166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

          Download Submit

        • C:\Windows\SysWOW64\reginv.dll
          Filesize

          36KB

          MD5

          562e0d01d6571fa2251a1e9f54c6cc69

          SHA1

          83677ad3bc630aa6327253c7b3deffbd4a8ce905

          SHA256

          c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

          SHA512

          166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

          Download Submit

        • C:\Windows\SysWOW64\reginv.dll
          Filesize

          36KB

          MD5

          562e0d01d6571fa2251a1e9f54c6cc69

          SHA1

          83677ad3bc630aa6327253c7b3deffbd4a8ce905

          SHA256

          c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

          SHA512

          166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

          Download Submit

        • C:\Windows\SysWOW64\reginv.dll
          Filesize

          36KB

          MD5

          562e0d01d6571fa2251a1e9f54c6cc69

          SHA1

          83677ad3bc630aa6327253c7b3deffbd4a8ce905

          SHA256

          c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

          SHA512

          166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

          Download Submit

        • C:\Windows\SysWOW64\reginv.dll
          Filesize

          36KB

          MD5

          562e0d01d6571fa2251a1e9f54c6cc69

          SHA1

          83677ad3bc630aa6327253c7b3deffbd4a8ce905

          SHA256

          c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

          SHA512

          166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

          Download Submit

        • C:\Windows\SysWOW64\winkey.dll
          Filesize

          13KB

          MD5

          b4c72da9fd1a0dcb0698b7da97daa0cd

          SHA1

          b25a79e8ea4c723c58caab83aed6ea48de7ed759

          SHA256

          45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

          SHA512

          f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

          Download Submit

        • C:\Windows\services.exe
          Filesize

          342KB

          MD5

          0bf09fb0d1755a016eede7ac78b1d94b

          SHA1

          1fc39f7cf35a1c17f06b1e5709423b51c3520594

          SHA256

          c46805d51bfee760e479a708d5b3a0d1e089396103d01f0693c3fc5edbd9760b

          SHA512

          120d11133bea049fb9e9916a199ef6eadfb828f8f420d068c5a8a3ada16c8faa82abbe344fa1f45a38dae9b25d1369e3fc2a53f1323fc5aea283b885d121577b

          Download Submit

        • C:\Windows\services.exe
          Filesize

          342KB

          MD5

          0bf09fb0d1755a016eede7ac78b1d94b

          SHA1

          1fc39f7cf35a1c17f06b1e5709423b51c3520594

          SHA256

          c46805d51bfee760e479a708d5b3a0d1e089396103d01f0693c3fc5edbd9760b

          SHA512

          120d11133bea049fb9e9916a199ef6eadfb828f8f420d068c5a8a3ada16c8faa82abbe344fa1f45a38dae9b25d1369e3fc2a53f1323fc5aea283b885d121577b

          Download Submit

        • C:\Windows\system\sservice.exe
          Filesize

          342KB

          MD5

          0bf09fb0d1755a016eede7ac78b1d94b

          SHA1

          1fc39f7cf35a1c17f06b1e5709423b51c3520594

          SHA256

          c46805d51bfee760e479a708d5b3a0d1e089396103d01f0693c3fc5edbd9760b

          SHA512

          120d11133bea049fb9e9916a199ef6eadfb828f8f420d068c5a8a3ada16c8faa82abbe344fa1f45a38dae9b25d1369e3fc2a53f1323fc5aea283b885d121577b

          Download Submit

        • memory/2800-132-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2800-157-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2800-133-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3376-142-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3376-155-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3620-144-0x0000000010000000-0x000000001000B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/3620-159-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3620-143-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3620-149-0x0000000002D81000-0x0000000002D85000-memory.dmp

          Filesize

          16KB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.