Analysis
max time kernel: 248s
max time network: 234s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 15:33

Behavioral task: behavioral1
Sample: server.exe
Resource: win10v2004-20220812-en

General
Target: server.exe
Size: 342KB
MD5: dd7a7bdffc40007a2e9a77de930b2ab2
SHA1: 6088343b8765d896bb8ec465e25b1cecca5f8c67
SHA256: f1d4cf0fec6a19910599f985043e6699ec763c58330d66e86bdce4b12fc82407
SHA512: f130953f19e91c8871ce93fb85a0bd062e7fbbdc3742dc5f9be9e373dd66c54ace542189f21ba9b3c93a55a77e83e328b7d95279457fbf95ebd8dfe9993fbcae
SSDEEP: 6144:4Rqmpp+amNOGokzLyM9tsLAitQo6tzOKkzIt8gKyfjxfR9D2j4yYWYbCyx:8qmpplpGoGL3etQoMiXM8gxf/Sj4yix
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: server.exe, services.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | services.exe
YARA rule match
resource | yara_rule
C:\Windows\SysWOW64\winkey.dll | aspack_v212_v242
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: server.exe, services.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | services.exe
Executes dropped EXE (2 IoCs)
Processes: fservice.exe, services.exe
pid | process
2652 | fservice.exe
3692 | services.exe
Modifies Installed Components in the registry (2 TTPs, 5 IoCs)
Processes: server.exe, services.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | services.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | server.exe
YARA rule match
resource | yara_rule
behavioral1/memory/5000-132-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
C:\Windows\SysWOW64\fservice.exe | upx
C:\Windows\SysWOW64\fservice.exe | upx
C:\Windows\system\sservice.exe | upx
C:\Windows\services.exe | upx
C:\Windows\services.exe | upx
behavioral1/memory/2652-146-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
behavioral1/memory/3692-147-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
behavioral1/memory/5000-150-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
behavioral1/memory/3692-158-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
Loads dropped DLL (5 IoCs)
Processes: services.exe, fservice.exe, server.exe
pid | process
3692 | services.exe
3692 | services.exe
3692 | services.exe
2652 | fservice.exe
5000 | server.exe
Unexpected DNS network traffic destination (4 IoCs)
Network traffic on the DNS port to servers other than the configured DNS servers was detected.
description | ioc
Destination IP | 95.0.242.21
Destination IP | 155.223.2.2
Destination IP | 151.164.23.201
Destination IP | 193.255.49.56
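The signature above only lists destination addresses; it does not say which process sent the traffic. The following PowerShell function is an added example (not part of the Triage report and not the sample's code) that reproduces the check over flow records: anything to port 53 whose destination is not one of the host's configured resolvers is reported, grouped by destination. The flow objects, the resolver address 10.0.0.53 and the field names DstIp/DstPort/Proto are constructed for this example; only the four destination IPs come from the report. Attributing the flows to a process needs Sysmon Event ID 3 or a pcap, which is outside what this page shows.

```powershell
# Added example: flag port-53 traffic to non-configured resolvers.
# Input objects need DstIp, DstPort and Proto fields (assumed names); build them
# from Sysmon Event ID 3, a flow export or a pcap summary.
function Find-UnexpectedDnsDestination {
    param(
        [Parameter(Mandatory)] [object[]] $Flows,
        # Defaults to the IPv4 resolvers configured on the host running the script.
        [string[]] $Resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                                 ForEach-Object -MemberName ServerAddresses |
                                 Sort-Object -Unique)
    )
    $Flows |
        Where-Object { [int]$_.DstPort -eq 53 -and $_.DstIp -notin $Resolvers } |
        Group-Object -Property DstIp |
        ForEach-Object {
            [pscustomobject]@{
                DstIp     = $_.Name
                Packets   = $_.Count
                Protocols = ($_.Group.Proto | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample input (not from the report's capture): one flow to an
# assumed legitimate resolver, 10.0.0.53, the four destinations the report
# lists, and one non-DNS flow that must not be reported.
$SampleFlows = @(
    [pscustomobject]@{ DstIp = '10.0.0.53';      DstPort = 53;  Proto = 'udp' }
    [pscustomobject]@{ DstIp = '95.0.242.21';    DstPort = 53;  Proto = 'udp' }
    [pscustomobject]@{ DstIp = '95.0.242.21';    DstPort = 53;  Proto = 'tcp' }
    [pscustomobject]@{ DstIp = '155.223.2.2';    DstPort = 53;  Proto = 'udp' }
    [pscustomobject]@{ DstIp = '151.164.23.201'; DstPort = 53;  Proto = 'udp' }
    [pscustomobject]@{ DstIp = '193.255.49.56';  DstPort = 53;  Proto = 'udp' }
    [pscustomobject]@{ DstIp = '95.0.242.21';    DstPort = 443; Proto = 'tcp' }
)

# Pass -Resolvers explicitly when the flows were captured on a different host;
# otherwise the function uses this machine's resolver list, which is wrong for
# traffic recorded elsewhere.
Find-UnexpectedDnsDestination -Flows $SampleFlows -Resolvers @('10.0.0.53') |
    Format-Table -AutoSize
```

With the constructed input the function returns four rows, one per listed destination, and 95.0.242.21 shows both udp and tcp; the 443 flow and the resolver flow are dropped. Port-53 traffic to a public resolver is common on its own, so treat the result as a lead to pivot on (which process, what query names, how much volume) rather than as a verdict.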
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: server.exe, services.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | services.exe
Drops file in System32 directory (7 IoCs)
Processes: fservice.exe, services.exe, server.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\fservice.exe | fservice.exe
File created | C:\Windows\SysWOW64\winkey.dll | services.exe
File created | C:\Windows\SysWOW64\reginv.dll | services.exe
File created | C:\Windows\SysWOW64\fservice.exe | services.exe
File created | C:\Windows\SysWOW64\fservice.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\fservice.exe | server.exe
File created | C:\Windows\SysWOW64\fservice.exe | fservice.exe
Drops file in Windows directory (7 IoCs)
Processes: server.exe, fservice.exe, services.exe
description | ioc | process
File opened for modification | C:\Windows\system\sservice.exe | server.exe
File created | C:\Windows\services.exe | fservice.exe
File opened for modification | C:\Windows\services.exe | fservice.exe
File created | C:\Windows\system\sservice.exe | fservice.exe
File opened for modification | C:\Windows\system\sservice.exe | fservice.exe
File created | C:\Windows\system\sservice.exe | services.exe
File created | C:\Windows\system\sservice.exe | server.exe
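The persistence and file-drop signatures above describe three autostart locations (Winlogon\Shell, Policies\Explorer\Run, Active Setup StubPath) and five dropped files. The hunting script below is an added example, not part of the Triage report and not the sample's code; it checks a live Windows host for exactly those artifacts. Assumptions: it runs from an elevated 64-bit PowerShell 5.1 or later session, the registry paths, value names and SHA256 values are copied from this report, $env:SystemRoot stands in for C:\Windows, and the helper Add-Finding and the GUID pattern are the script's own. One detail worth noting: the sample is 32-bit (fservice.exe runs from SysWOW64 although its command line says system32), so its Winlogon and Active Setup writes landed under WOW6432Node, which is why the script reads both the native and the WOW6432Node views.

```powershell
# Added hunting script (not from the report): look for the persistence keys and
# dropped files listed in the signatures above. Run elevated on a 64-bit host.

# SHA256 values from the report. All executable copies the sample drops are
# byte-identical to the original, so one hash covers four file names.
$Sha256Iocs = @{
    'f1d4cf0fec6a19910599f985043e6699ec763c58330d66e86bdce4b12fc82407' = 'server.exe (dropped as fservice.exe, services.exe, sservice.exe)'
    'c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6' = 'reginv.dll'
    '45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f' = 'winkey.dll'
}
$DroppedPaths = @(
    "$env:SystemRoot\SysWOW64\fservice.exe"
    "$env:SystemRoot\SysWOW64\reginv.dll"
    "$env:SystemRoot\SysWOW64\winkey.dll"
    "$env:SystemRoot\services.exe"
    "$env:SystemRoot\system\sservice.exe"
)
# Native and WOW6432Node views: the 32-bit sample's Winlogon and Active Setup
# writes were redirected to WOW6432Node, so both must be checked.
$Views         = @('SOFTWARE', 'SOFTWARE\WOW6432Node')
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$Findings      = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# 1. Winlogon\Shell is exactly "explorer.exe" on a clean host. The sample
#    appends its own binary so Explorer and the implant both start at logon.
foreach ($view in $Views) {
    $key   = "HKLM:\$view\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ine 'explorer.exe') {
        Add-Finding 'Winlogon Shell' "$key\Shell" $shell
    }
}

# 2. Policies\Explorer\Run does not exist on a default install, so every value
#    found here is reported. The sample's value name is "DirectX For Microsoft® Windows".
foreach ($view in $Views) {
    $key = "HKLM:\$view\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    if (Test-Path -Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin $ProviderProps } |
            ForEach-Object { Add-Finding 'Policies Explorer Run' "$key\$($_.Name)" "$($_.Value)" }
    }
}

# 3. Active Setup StubPath runs once per user at logon. Report entries whose
#    StubPath points at the dropped binaries and entries whose component name
#    is not a well-formed GUID: the sample's {5Y99AE78-58TT-11dW-BE53-Y67078979Y}
#    contains non-hex characters. Some legitimate entries prefix the GUID with '>'.
$GuidPattern = '^>?\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
foreach ($view in $Views) {
    $base = "HKLM:\$view\Microsoft\Active Setup\Installed Components"
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $stub    = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
        $badName = $_.PSChildName -notmatch $GuidPattern
        if ($stub -and ($badName -or $stub -imatch '\\(s|f)service\.exe')) {
            Add-Finding 'Active Setup StubPath' $_.PSPath $stub
        }
    }
}

# 4. Hash whatever sits at the dropped-file paths and compare with the report.
foreach ($path in $DroppedPaths) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
        if ($Sha256Iocs.ContainsKey($hash)) {
            Add-Finding 'Dropped file (IoC hash match)' $path $Sha256Iocs[$hash]
        } else {
            Add-Finding 'Dropped file (unknown hash)' $path $hash
        }
    }
}

if ($Findings.Count -eq 0) { 'None of the persistence artifacts from this report were found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

An empty result means these specific artifacts are absent, not that the host is clean: a rebuilt or repacked copy of the sample would miss the hash check while still using the same registry locations, so the Winlogon Shell, Policies Run and Active Setup checks, which key on the values rather than on file content, are the durable part of this script.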
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: POWERPNT.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: POWERPNT.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: POWERPNT.EXE
pid | process
1092 | POWERPNT.EXE
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: services.exe, POWERPNT.EXE
pid | process
3692 | services.exe
3692 | services.exe
1092 | POWERPNT.EXE
1092 | POWERPNT.EXE
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: server.exe, fservice.exe
description | pid | process | target process
PID 5000 wrote to memory of 2652 | 5000 | server.exe | fservice.exe
PID 5000 wrote to memory of 2652 | 5000 | server.exe | fservice.exe
PID 5000 wrote to memory of 2652 | 5000 | server.exe | fservice.exe
PID 2652 wrote to memory of 3692 | 2652 | fservice.exe | services.exe
PID 2652 wrote to memory of 3692 | 2652 | fservice.exe | services.exe
PID 2652 wrote to memory of 3692 | 2652 | fservice.exe | services.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\server.exe (PID 5000)
   command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
   - Modifies WinLogon for persistence
   - Adds policy Run key to start application
   - Modifies Installed Components in the registry
   - Loads dropped DLL
   - Modifies WinLogon
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\fservice.exe (PID 2652, child of 5000)
      command line: C:\Windows\system32\fservice.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\services.exe (PID 3692, child of 2652)
         command line: C:\Windows\services.exe -XP
         - Modifies WinLogon for persistence
         - Adds policy Run key to start application
         - Executes dropped EXE
         - Modifies Installed Components in the registry
         - Loads dropped DLL
         - Modifies WinLogon
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx

1. C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE (PID 1092)
   command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\ExitOptimize.ppsx" /ou ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Windows\SysWOW64\fservice.exe (two identical copies recorded)
  Filesize: 342KB
  MD5: dd7a7bdffc40007a2e9a77de930b2ab2
  SHA1: 6088343b8765d896bb8ec465e25b1cecca5f8c67
  SHA256: f1d4cf0fec6a19910599f985043e6699ec763c58330d66e86bdce4b12fc82407
  SHA512: f130953f19e91c8871ce93fb85a0bd062e7fbbdc3742dc5f9be9e373dd66c54ace542189f21ba9b3c93a55a77e83e328b7d95279457fbf95ebd8dfe9993fbcae
- C:\Windows\SysWOW64\reginv.dll (five identical copies recorded)
  Filesize: 36KB
  MD5: 562e0d01d6571fa2251a1e9f54c6cc69
  SHA1: 83677ad3bc630aa6327253c7b3deffbd4a8ce905
  SHA256: c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
  SHA512: 166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea
- C:\Windows\SysWOW64\winkey.dll
  Filesize: 13KB
  MD5: b4c72da9fd1a0dcb0698b7da97daa0cd
  SHA1: b25a79e8ea4c723c58caab83aed6ea48de7ed759
  SHA256: 45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f
  SHA512: f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066
- C:\Windows\services.exe (two identical copies recorded)
  Filesize: 342KB
  MD5: dd7a7bdffc40007a2e9a77de930b2ab2
  SHA1: 6088343b8765d896bb8ec465e25b1cecca5f8c67
  SHA256: f1d4cf0fec6a19910599f985043e6699ec763c58330d66e86bdce4b12fc82407
  SHA512: f130953f19e91c8871ce93fb85a0bd062e7fbbdc3742dc5f9be9e373dd66c54ace542189f21ba9b3c93a55a77e83e328b7d95279457fbf95ebd8dfe9993fbcae
- C:\Windows\system\sservice.exe
  Filesize: 342KB
  MD5: dd7a7bdffc40007a2e9a77de930b2ab2
  SHA1: 6088343b8765d896bb8ec465e25b1cecca5f8c67
  SHA256: f1d4cf0fec6a19910599f985043e6699ec763c58330d66e86bdce4b12fc82407
  SHA512: f130953f19e91c8871ce93fb85a0bd062e7fbbdc3742dc5f9be9e373dd66c54ace542189f21ba9b3c93a55a77e83e328b7d95279457fbf95ebd8dfe9993fbcae
Memory dumps
- memory/1092-152-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmp: 64KB
- memory/1092-156-0x00007FF8CF0D0000-0x00007FF8CF0E0000-memory.dmp: 64KB
- memory/1092-163-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmp: 64KB
- memory/1092-162-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmp: 64KB
- memory/1092-161-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmp: 64KB
- memory/1092-160-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmp: 64KB
- memory/1092-157-0x00007FF8CF0D0000-0x00007FF8CF0E0000-memory.dmp: 64KB
- memory/1092-155-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmp: 64KB
- memory/1092-151-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmp: 64KB
- memory/1092-153-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmp: 64KB
- memory/1092-154-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmp: 64KB
- memory/2652-133-0x0000000000000000-mapping.dmp
- memory/2652-146-0x0000000000400000-0x00000000005FC000-memory.dmp: 2.0MB
- memory/3692-143-0x0000000003921000-0x0000000003925000-memory.dmp: 16KB
- memory/3692-158-0x0000000000400000-0x00000000005FC000-memory.dmp: 2.0MB
- memory/3692-147-0x0000000000400000-0x00000000005FC000-memory.dmp: 2.0MB
- memory/3692-148-0x0000000010000000-0x000000001000B000-memory.dmp: 44KB
- memory/3692-137-0x0000000000000000-mapping.dmp
- memory/5000-132-0x0000000000400000-0x00000000005FC000-memory.dmp: 2.0MB
- memory/5000-150-0x0000000000400000-0x00000000005FC000-memory.dmp: 2.0MB