066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea

Analysis

max time kernel
171s
max time network
113s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 23:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
Size

339KB
MD5

84823a1619590f32b62f93ee900d1f8d
SHA1

4e03c86f6485bfc6e0db5a9fac75ea8d60cee9b5
SHA256

066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea
SHA512

8b99b025fd410b47341b8fb29326ec5f8bd29d6faecdb5c1730f8be8b0878036e887f4f31957313a6f432a53e6f4bd454381556c45007b5ade6df29fe8350567
SSDEEP

6144:qF8jQMQtt0JiWBFSbEbu+jaTvacPbkgo54UCodblRGxc1xDtFWA9rmNlGjnI/:qF8jAtYB22azaLgzaLUcDDWCrmEng

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Executes dropped EXE 2 IoCs

pid	Process
1336	fservice.exe
1052	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/files/0x000c0000000054a8-58.dat	upx
behavioral1/memory/1900-60-0x0000000000400000-0x00000000005FE000-memory.dmp	upx
behavioral1/files/0x000a0000000139f2-62.dat	upx
behavioral1/files/0x000c0000000054a8-61.dat	upx
behavioral1/memory/1336-65-0x0000000000400000-0x00000000005FE000-memory.dmp	upx
behavioral1/files/0x000700000001411f-66.dat	upx
behavioral1/memory/1052-69-0x0000000000400000-0x00000000005FE000-memory.dmp	upx
behavioral1/memory/1052-70-0x0000000000400000-0x00000000005FE000-memory.dmp	upx
behavioral1/files/0x000700000001411f-73.dat	upx
behavioral1/memory/1336-76-0x0000000000400000-0x00000000005FE000-memory.dmp	upx
behavioral1/memory/1900-79-0x0000000000400000-0x00000000005FE000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
980	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
1900	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
1900	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
1052	services.exe
1052	services.exe
1336	fservice.exe
1900	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fservice.exe	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File opened for modification	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
File opened for modification	C:\Windows\system\sservice.exe	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe
1052	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1052	services.exe
1052	services.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1336	1900	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe	27
PID 1900 wrote to memory of 1336	1900	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe	27
PID 1900 wrote to memory of 1336	1900	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe	27
PID 1900 wrote to memory of 1336	1900	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe	27
PID 1336 wrote to memory of 1052	1336	fservice.exe	28
PID 1336 wrote to memory of 1052	1336	fservice.exe	28
PID 1336 wrote to memory of 1052	1336	fservice.exe	28
PID 1336 wrote to memory of 1052	1336	fservice.exe	28
PID 1052 wrote to memory of 1728	1052	services.exe	29
PID 1052 wrote to memory of 1728	1052	services.exe	29
PID 1052 wrote to memory of 1728	1052	services.exe	29
PID 1052 wrote to memory of 1728	1052	services.exe	29
PID 1900 wrote to memory of 980	1900	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe	31
PID 1900 wrote to memory of 980	1900	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe	31
PID 1900 wrote to memory of 980	1900	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe	31
PID 1900 wrote to memory of 980	1900	066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe	31
PID 1728 wrote to memory of 1960	1728	NET.exe	33
PID 1728 wrote to memory of 1960	1728	NET.exe	33
PID 1728 wrote to memory of 1960	1728	NET.exe	33
PID 1728 wrote to memory of 1960	1728	NET.exe	33

C:\Users\Admin\AppData\Local\Temp\066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe
"C:\Users\Admin\AppData\Local\Temp\066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        
        PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe.bat
  2⤵
  - Deletes itself
  PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea.exe.bat

Filesize
133B

MD5
c1977104c0739f5a16712df01583d97d

SHA1
08f955a2821f321e1926537857324def33a285e2

SHA256
76bdeca9661ee78f661cff4d4c5817405c3baf0b048724f4f4cce4d981b1d87b

SHA512
6edfc5794d5691ff3fc6715453f1fd858f3b0e63d809beeb97087ce9ca28a2e8517b1ed8bc6496c746ead9ecb2bded2b25696f41ea06902502705ae99a99a454

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
339KB

MD5
84823a1619590f32b62f93ee900d1f8d

SHA1
4e03c86f6485bfc6e0db5a9fac75ea8d60cee9b5

SHA256
066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea

SHA512
8b99b025fd410b47341b8fb29326ec5f8bd29d6faecdb5c1730f8be8b0878036e887f4f31957313a6f432a53e6f4bd454381556c45007b5ade6df29fe8350567

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
339KB

MD5
84823a1619590f32b62f93ee900d1f8d

SHA1
4e03c86f6485bfc6e0db5a9fac75ea8d60cee9b5

SHA256
066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea

SHA512
8b99b025fd410b47341b8fb29326ec5f8bd29d6faecdb5c1730f8be8b0878036e887f4f31957313a6f432a53e6f4bd454381556c45007b5ade6df29fe8350567

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
C:\Windows\services.exe

Filesize
339KB

MD5
84823a1619590f32b62f93ee900d1f8d

SHA1
4e03c86f6485bfc6e0db5a9fac75ea8d60cee9b5

SHA256
066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea

SHA512
8b99b025fd410b47341b8fb29326ec5f8bd29d6faecdb5c1730f8be8b0878036e887f4f31957313a6f432a53e6f4bd454381556c45007b5ade6df29fe8350567

Download Submit
C:\Windows\services.exe

Filesize
339KB

MD5
84823a1619590f32b62f93ee900d1f8d

SHA1
4e03c86f6485bfc6e0db5a9fac75ea8d60cee9b5

SHA256
066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea

SHA512
8b99b025fd410b47341b8fb29326ec5f8bd29d6faecdb5c1730f8be8b0878036e887f4f31957313a6f432a53e6f4bd454381556c45007b5ade6df29fe8350567

Download Submit
C:\Windows\system\sservice.exe

Filesize
339KB

MD5
84823a1619590f32b62f93ee900d1f8d

SHA1
4e03c86f6485bfc6e0db5a9fac75ea8d60cee9b5

SHA256
066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea

SHA512
8b99b025fd410b47341b8fb29326ec5f8bd29d6faecdb5c1730f8be8b0878036e887f4f31957313a6f432a53e6f4bd454381556c45007b5ade6df29fe8350567

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
339KB

MD5
84823a1619590f32b62f93ee900d1f8d

SHA1
4e03c86f6485bfc6e0db5a9fac75ea8d60cee9b5

SHA256
066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea

SHA512
8b99b025fd410b47341b8fb29326ec5f8bd29d6faecdb5c1730f8be8b0878036e887f4f31957313a6f432a53e6f4bd454381556c45007b5ade6df29fe8350567

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
339KB

MD5
84823a1619590f32b62f93ee900d1f8d

SHA1
4e03c86f6485bfc6e0db5a9fac75ea8d60cee9b5

SHA256
066d9a2346667a1624e55a93d74c0ce95fc6246ee3ed1a81c68e8ea1ee0a75ea

SHA512
8b99b025fd410b47341b8fb29326ec5f8bd29d6faecdb5c1730f8be8b0878036e887f4f31957313a6f432a53e6f4bd454381556c45007b5ade6df29fe8350567

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
43e7d9b875c921ba6be38d45540fb9dd

SHA1
f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

SHA256
f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

SHA512
2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

Download Submit
memory/1052-69-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/1052-70-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/1336-76-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/1336-65-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/1900-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1900-60-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/1900-63-0x0000000003000000-0x00000000031FE000-memory.dmp

Filesize
2.0MB

Download
memory/1900-79-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download