e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143

Analysis

max time kernel
185s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe
Size

341KB
MD5

09dfb451463f58ca7de4535a5156c470
SHA1

d899b724a6e0813c52a4b52c78016152e828e245
SHA256

e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143
SHA512

59cb4e34ba039980d925438aaac0d8ec06db26c4a8cd5f55dc2a4b4a4c0616582088ac5540683ceffe6bb0e650ebeb6a9a8bb8e3c0ff881498a711f00af970f6
SSDEEP

6144:M36i6htdvIydnCseroPQKvU9wPhFOXQsZrPTeoHm0HhDtdT22CpuvNJSE7V1XDhj:y6/DdQHroPTAwpwXQsBPTeoG0HhDtdCq

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe

Executes dropped EXE 2 IoCs

pid	Process
4116	fservice.exe
4140	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4792-132-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral2/files/0x0007000000022e5e-134.dat	upx
behavioral2/files/0x0007000000022e5e-135.dat	upx
behavioral2/files/0x0006000000022e64-136.dat	upx
behavioral2/files/0x0006000000022e65-138.dat	upx
behavioral2/files/0x0006000000022e65-139.dat	upx
behavioral2/memory/4116-140-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral2/memory/4140-142-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral2/memory/4116-153-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral2/memory/4792-155-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral2/memory/4140-157-0x0000000000400000-0x00000000005FF000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
4140	services.exe
4140	services.exe
4140	services.exe
4116	fservice.exe
4792	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\sservice.exe	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe
4140	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4140	services.exe
4140	services.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 4116	4792	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe	80
PID 4792 wrote to memory of 4116	4792	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe	80
PID 4792 wrote to memory of 4116	4792	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe	80
PID 4116 wrote to memory of 4140	4116	fservice.exe	81
PID 4116 wrote to memory of 4140	4116	fservice.exe	81
PID 4116 wrote to memory of 4140	4116	fservice.exe	81
PID 4140 wrote to memory of 1708	4140	services.exe	82
PID 4140 wrote to memory of 1708	4140	services.exe	82
PID 4140 wrote to memory of 1708	4140	services.exe	82
PID 4140 wrote to memory of 1296	4140	services.exe	83
PID 4140 wrote to memory of 1296	4140	services.exe	83
PID 4140 wrote to memory of 1296	4140	services.exe	83
PID 1296 wrote to memory of 2716	1296	NET.exe	86
PID 1296 wrote to memory of 2716	1296	NET.exe	86
PID 1296 wrote to memory of 2716	1296	NET.exe	86
PID 1708 wrote to memory of 2244	1708	NET.exe	87
PID 1708 wrote to memory of 2244	1708	NET.exe	87
PID 1708 wrote to memory of 2244	1708	NET.exe	87
PID 4792 wrote to memory of 4528	4792	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe	88
PID 4792 wrote to memory of 4528	4792	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe	88
PID 4792 wrote to memory of 4528	4792	e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe	88

C:\Users\Admin\AppData\Local\Temp\e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe
"C:\Users\Admin\AppData\Local\Temp\e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP srservice
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        5⤵
        
        PID:2244
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        
        PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe.bat
  2⤵
  PID:4528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143.exe.bat

Filesize
133B

MD5
092fdee4fb781b9948f8ef5292c38085

SHA1
b7396e588de670f5b7dbd69106f48544ab10006d

SHA256
20510a54c99c6ba49c90cf9ced37ee454f276514a3258cd48d1ad620cabf1bf4

SHA512
26577a82f56ddec479c1ac6854f36494280b7a463c78d5e911faa6049fc152ae9f52f7b9144a93b9c26daefdf24009f209e6200a26d9b639a7d862dd059844af

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
341KB

MD5
09dfb451463f58ca7de4535a5156c470

SHA1
d899b724a6e0813c52a4b52c78016152e828e245

SHA256
e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143

SHA512
59cb4e34ba039980d925438aaac0d8ec06db26c4a8cd5f55dc2a4b4a4c0616582088ac5540683ceffe6bb0e650ebeb6a9a8bb8e3c0ff881498a711f00af970f6

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
341KB

MD5
09dfb451463f58ca7de4535a5156c470

SHA1
d899b724a6e0813c52a4b52c78016152e828e245

SHA256
e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143

SHA512
59cb4e34ba039980d925438aaac0d8ec06db26c4a8cd5f55dc2a4b4a4c0616582088ac5540683ceffe6bb0e650ebeb6a9a8bb8e3c0ff881498a711f00af970f6

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
C:\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
43e7d9b875c921ba6be38d45540fb9dd

SHA1
f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

SHA256
f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

SHA512
2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

Download Submit
C:\Windows\services.exe

Filesize
341KB

MD5
09dfb451463f58ca7de4535a5156c470

SHA1
d899b724a6e0813c52a4b52c78016152e828e245

SHA256
e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143

SHA512
59cb4e34ba039980d925438aaac0d8ec06db26c4a8cd5f55dc2a4b4a4c0616582088ac5540683ceffe6bb0e650ebeb6a9a8bb8e3c0ff881498a711f00af970f6

Download Submit
C:\Windows\services.exe

Filesize
341KB

MD5
09dfb451463f58ca7de4535a5156c470

SHA1
d899b724a6e0813c52a4b52c78016152e828e245

SHA256
e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143

SHA512
59cb4e34ba039980d925438aaac0d8ec06db26c4a8cd5f55dc2a4b4a4c0616582088ac5540683ceffe6bb0e650ebeb6a9a8bb8e3c0ff881498a711f00af970f6

Download Submit
C:\Windows\system\sservice.exe

Filesize
341KB

MD5
09dfb451463f58ca7de4535a5156c470

SHA1
d899b724a6e0813c52a4b52c78016152e828e245

SHA256
e35d7ba1a5027c89c357e18304ff88d4f2c8d548b8711fa1107118b1deee8143

SHA512
59cb4e34ba039980d925438aaac0d8ec06db26c4a8cd5f55dc2a4b4a4c0616582088ac5540683ceffe6bb0e650ebeb6a9a8bb8e3c0ff881498a711f00af970f6

Download Submit
memory/1296-144-0x0000000000000000-mapping.dmp

Download
memory/1708-143-0x0000000000000000-mapping.dmp

Download
memory/2244-151-0x0000000000000000-mapping.dmp

Download
memory/2716-148-0x0000000000000000-mapping.dmp

Download
memory/4116-140-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/4116-153-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/4116-133-0x0000000000000000-mapping.dmp

Download
memory/4140-147-0x0000000002D81000-0x0000000002D85000-memory.dmp

Filesize
16KB

Download
memory/4140-137-0x0000000000000000-mapping.dmp

Download
memory/4140-142-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/4140-157-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/4528-152-0x0000000000000000-mapping.dmp

Download
memory/4792-132-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/4792-155-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download