Analysis
-
max time kernel
248s -
max time network
234s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-11-2022 15:33
General
-
Target
server.exe
-
Size
342KB
-
MD5
dd7a7bdffc40007a2e9a77de930b2ab2
-
SHA1
6088343b8765d896bb8ec465e25b1cecca5f8c67
-
SHA256
f1d4cf0fec6a19910599f985043e6699ec763c58330d66e86bdce4b12fc82407
-
SHA512
f130953f19e91c8871ce93fb85a0bd062e7fbbdc3742dc5f9be9e373dd66c54ace542189f21ba9b3c93a55a77e83e328b7d95279457fbf95ebd8dfe9993fbcae
-
SSDEEP
6144:4Rqmpp+amNOGokzLyM9tsLAitQo6tzOKkzIt8gKyfjxfR9D2j4yYWYbCyx:8qmpplpGoGL3etQoMiXM8gxf/Sj4yix
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Executes dropped EXE 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 5 IoCs
-
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Drops file in System32 directory 7 IoCs
-
Drops file in Windows directory 7 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fservice.exeC:\Windows\system32\fservice.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\services.exeC:\Windows\services.exe -XP3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\ExitOptimize.ppsx" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\fservice.exeFilesize
342KB
MD5dd7a7bdffc40007a2e9a77de930b2ab2
SHA16088343b8765d896bb8ec465e25b1cecca5f8c67
SHA256f1d4cf0fec6a19910599f985043e6699ec763c58330d66e86bdce4b12fc82407
SHA512f130953f19e91c8871ce93fb85a0bd062e7fbbdc3742dc5f9be9e373dd66c54ace542189f21ba9b3c93a55a77e83e328b7d95279457fbf95ebd8dfe9993fbcae
-
C:\Windows\SysWOW64\fservice.exeFilesize
342KB
MD5dd7a7bdffc40007a2e9a77de930b2ab2
SHA16088343b8765d896bb8ec465e25b1cecca5f8c67
SHA256f1d4cf0fec6a19910599f985043e6699ec763c58330d66e86bdce4b12fc82407
SHA512f130953f19e91c8871ce93fb85a0bd062e7fbbdc3742dc5f9be9e373dd66c54ace542189f21ba9b3c93a55a77e83e328b7d95279457fbf95ebd8dfe9993fbcae
-
C:\Windows\SysWOW64\reginv.dllFilesize
36KB
MD5562e0d01d6571fa2251a1e9f54c6cc69
SHA183677ad3bc630aa6327253c7b3deffbd4a8ce905
SHA256c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
SHA512166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea
-
C:\Windows\SysWOW64\reginv.dllFilesize
36KB
MD5562e0d01d6571fa2251a1e9f54c6cc69
SHA183677ad3bc630aa6327253c7b3deffbd4a8ce905
SHA256c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
SHA512166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea
-
C:\Windows\SysWOW64\reginv.dllFilesize
36KB
MD5562e0d01d6571fa2251a1e9f54c6cc69
SHA183677ad3bc630aa6327253c7b3deffbd4a8ce905
SHA256c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
SHA512166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea
-
C:\Windows\SysWOW64\reginv.dllFilesize
36KB
MD5562e0d01d6571fa2251a1e9f54c6cc69
SHA183677ad3bc630aa6327253c7b3deffbd4a8ce905
SHA256c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
SHA512166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea
-
C:\Windows\SysWOW64\reginv.dllFilesize
36KB
MD5562e0d01d6571fa2251a1e9f54c6cc69
SHA183677ad3bc630aa6327253c7b3deffbd4a8ce905
SHA256c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
SHA512166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea
-
C:\Windows\SysWOW64\winkey.dllFilesize
13KB
MD5b4c72da9fd1a0dcb0698b7da97daa0cd
SHA1b25a79e8ea4c723c58caab83aed6ea48de7ed759
SHA25645d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f
SHA512f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066
-
C:\Windows\services.exeFilesize
342KB
MD5dd7a7bdffc40007a2e9a77de930b2ab2
SHA16088343b8765d896bb8ec465e25b1cecca5f8c67
SHA256f1d4cf0fec6a19910599f985043e6699ec763c58330d66e86bdce4b12fc82407
SHA512f130953f19e91c8871ce93fb85a0bd062e7fbbdc3742dc5f9be9e373dd66c54ace542189f21ba9b3c93a55a77e83e328b7d95279457fbf95ebd8dfe9993fbcae
-
C:\Windows\services.exeFilesize
342KB
MD5dd7a7bdffc40007a2e9a77de930b2ab2
SHA16088343b8765d896bb8ec465e25b1cecca5f8c67
SHA256f1d4cf0fec6a19910599f985043e6699ec763c58330d66e86bdce4b12fc82407
SHA512f130953f19e91c8871ce93fb85a0bd062e7fbbdc3742dc5f9be9e373dd66c54ace542189f21ba9b3c93a55a77e83e328b7d95279457fbf95ebd8dfe9993fbcae
-
C:\Windows\system\sservice.exeFilesize
342KB
MD5dd7a7bdffc40007a2e9a77de930b2ab2
SHA16088343b8765d896bb8ec465e25b1cecca5f8c67
SHA256f1d4cf0fec6a19910599f985043e6699ec763c58330d66e86bdce4b12fc82407
SHA512f130953f19e91c8871ce93fb85a0bd062e7fbbdc3742dc5f9be9e373dd66c54ace542189f21ba9b3c93a55a77e83e328b7d95279457fbf95ebd8dfe9993fbcae
-
memory/1092-152-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmpFilesize
64KB
-
memory/1092-156-0x00007FF8CF0D0000-0x00007FF8CF0E0000-memory.dmpFilesize
64KB
-
memory/1092-163-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmpFilesize
64KB
-
memory/1092-162-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmpFilesize
64KB
-
memory/1092-161-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmpFilesize
64KB
-
memory/1092-160-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmpFilesize
64KB
-
memory/1092-157-0x00007FF8CF0D0000-0x00007FF8CF0E0000-memory.dmpFilesize
64KB
-
memory/1092-155-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmpFilesize
64KB
-
memory/1092-151-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmpFilesize
64KB
-
memory/1092-153-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmpFilesize
64KB
-
memory/1092-154-0x00007FF8D11D0000-0x00007FF8D11E0000-memory.dmpFilesize
64KB
-
memory/2652-133-0x0000000000000000-mapping.dmp
-
memory/2652-146-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB
-
memory/3692-143-0x0000000003921000-0x0000000003925000-memory.dmpFilesize
16KB
-
memory/3692-158-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB
-
memory/3692-147-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB
-
memory/3692-148-0x0000000010000000-0x000000001000B000-memory.dmpFilesize
44KB
-
memory/3692-137-0x0000000000000000-mapping.dmp
-
memory/5000-132-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB
-
memory/5000-150-0x0000000000400000-0x00000000005FC000-memory.dmpFilesize
2.0MB