9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 18:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Size

342KB
MD5

8e20a07d18bf563615b7438c221b2230
SHA1

49933a8b92c158c6eeb051a5cac665a1ee1a886d
SHA256

9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30
SHA512

6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa
SSDEEP

6144:T6gJbaRkNJvY2k0bsRkcQRkfIwps+69yV9Goa0ixEHzBmcrBlVZU+uhXX7:5bm8qN0bFciRwf69GxiKTBvVZkhn7

Score

10^/10

aspackv2 persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000022e13-140.dat	aspack_v212_v242

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Executes dropped EXE 2 IoCs

pid	Process
5044	fservice.exe
888	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4988-132-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/files/0x0006000000022e12-134.dat	upx
behavioral2/files/0x0006000000022e12-135.dat	upx
behavioral2/files/0x0006000000022e13-136.dat	upx
behavioral2/files/0x0007000000022e0d-138.dat	upx
behavioral2/files/0x0007000000022e0d-139.dat	upx
behavioral2/memory/5044-148-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/888-152-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/5044-153-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/4988-160-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/888-163-0x0000000000400000-0x00000000005F9000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
888	services.exe
888	services.exe
888	services.exe
5044	fservice.exe
4988	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fservice.exe	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
File opened for modification	C:\Windows\system\sservice.exe	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe
888	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
888	services.exe
888	services.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 5044	4988	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	80
PID 4988 wrote to memory of 5044	4988	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	80
PID 4988 wrote to memory of 5044	4988	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	80
PID 5044 wrote to memory of 888	5044	fservice.exe	81
PID 5044 wrote to memory of 888	5044	fservice.exe	81
PID 5044 wrote to memory of 888	5044	fservice.exe	81
PID 888 wrote to memory of 2100	888	services.exe	87
PID 888 wrote to memory of 2100	888	services.exe	87
PID 888 wrote to memory of 2100	888	services.exe	87
PID 888 wrote to memory of 1304	888	services.exe	86
PID 888 wrote to memory of 1304	888	services.exe	86
PID 888 wrote to memory of 1304	888	services.exe	86
PID 888 wrote to memory of 1408	888	services.exe	82
PID 888 wrote to memory of 1408	888	services.exe	82
PID 888 wrote to memory of 1408	888	services.exe	82
PID 1408 wrote to memory of 4696	1408	NET.exe	89
PID 1408 wrote to memory of 4696	1408	NET.exe	89
PID 1408 wrote to memory of 4696	1408	NET.exe	89
PID 1304 wrote to memory of 4756	1304	NET.exe	88
PID 1304 wrote to memory of 4756	1304	NET.exe	88
PID 1304 wrote to memory of 4756	1304	NET.exe	88
PID 2100 wrote to memory of 1664	2100	NET.exe	90
PID 2100 wrote to memory of 1664	2100	NET.exe	90
PID 2100 wrote to memory of 1664	2100	NET.exe	90
PID 4988 wrote to memory of 4324	4988	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	91
PID 4988 wrote to memory of 4324	4988	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	91
PID 4988 wrote to memory of 4324	4988	9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe	91

C:\Users\Admin\AppData\Local\Temp\9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe
"C:\Users\Admin\AppData\Local\Temp\9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        
        PID:4696
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP srservice
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        5⤵
        
        PID:4756
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP SharedAccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SharedAccess
        5⤵
        
        PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe.bat
  2⤵
  PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30.exe.bat

Filesize
133B

MD5
d1272622af621c1061d811153c1dc969

SHA1
85eef0d1bf66fd31b332877c0796227c311af5dc

SHA256
10c6b61cbbf17f737e8a4358d8114b5f6128c0e361523a0f97e0ed4e8183e10b

SHA512
09132170769cb076f48fc6cd1353e56ed361e5a7f6575f24dc7a99876a41dd50799af7380a2f0f7f8f23db1d044d4b1319a22a2245bcf02598bf22f06579cf5f

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
20KB

MD5
904f3b552d0b762edb4520163d12d3cf

SHA1
5cca6b60732fe12d5d0d33e2fb2eb0c9004b9a8a

SHA256
6f2c2b2c8733eac6ca9fb1e95804ab08fcff20caa9e2a59b300400f18900b874

SHA512
14a8855ea04cf0bd9508bca077995eb4700988043ae63b8c320762904f415b0a29de5f9bfd8f1c1b9e1cd76700e6e988569b33f14c8a3ed16fa6eade10ab40a4

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
20KB

MD5
904f3b552d0b762edb4520163d12d3cf

SHA1
5cca6b60732fe12d5d0d33e2fb2eb0c9004b9a8a

SHA256
6f2c2b2c8733eac6ca9fb1e95804ab08fcff20caa9e2a59b300400f18900b874

SHA512
14a8855ea04cf0bd9508bca077995eb4700988043ae63b8c320762904f415b0a29de5f9bfd8f1c1b9e1cd76700e6e988569b33f14c8a3ed16fa6eade10ab40a4

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
20KB

MD5
904f3b552d0b762edb4520163d12d3cf

SHA1
5cca6b60732fe12d5d0d33e2fb2eb0c9004b9a8a

SHA256
6f2c2b2c8733eac6ca9fb1e95804ab08fcff20caa9e2a59b300400f18900b874

SHA512
14a8855ea04cf0bd9508bca077995eb4700988043ae63b8c320762904f415b0a29de5f9bfd8f1c1b9e1cd76700e6e988569b33f14c8a3ed16fa6eade10ab40a4

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
20KB

MD5
904f3b552d0b762edb4520163d12d3cf

SHA1
5cca6b60732fe12d5d0d33e2fb2eb0c9004b9a8a

SHA256
6f2c2b2c8733eac6ca9fb1e95804ab08fcff20caa9e2a59b300400f18900b874

SHA512
14a8855ea04cf0bd9508bca077995eb4700988043ae63b8c320762904f415b0a29de5f9bfd8f1c1b9e1cd76700e6e988569b33f14c8a3ed16fa6eade10ab40a4

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
20KB

MD5
904f3b552d0b762edb4520163d12d3cf

SHA1
5cca6b60732fe12d5d0d33e2fb2eb0c9004b9a8a

SHA256
6f2c2b2c8733eac6ca9fb1e95804ab08fcff20caa9e2a59b300400f18900b874

SHA512
14a8855ea04cf0bd9508bca077995eb4700988043ae63b8c320762904f415b0a29de5f9bfd8f1c1b9e1cd76700e6e988569b33f14c8a3ed16fa6eade10ab40a4

Download Submit
C:\Windows\SysWOW64\winkey.dll

Filesize
16KB

MD5
d910659cca6a1650c10ff263c8a10fe7

SHA1
d38dbccb50b63430a51d8f6df2a6c4d23677cff0

SHA256
5b308dfdd00dadc887a56f90e05ebfa9963be0c463d524e2ddd8680cb810d2d8

SHA512
30c2e455478d270fc1800d251e36014f16c5e7dd9e67c1c1b0f5d4e6070fbd2875c6706efff710b83897704cefb10c7ce1b5c993548568c1f142e5b5c8d44df4

Download Submit
C:\Windows\services.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
C:\Windows\services.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
C:\Windows\system\sservice.exe

Filesize
342KB

MD5
8e20a07d18bf563615b7438c221b2230

SHA1
49933a8b92c158c6eeb051a5cac665a1ee1a886d

SHA256
9d52e69acf03ecee891d4176b975bebd07495e68876e49bbba949aa8a476be30

SHA512
6f7a729778e277b92620eb66b5b0006549a374d2c70fabf9d0e1b389f151de3e0c946bf50e33eefeef1bbf47ca945394d6a0d9b1d7f724e68f28e25b56537caa

Download Submit
memory/888-152-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/888-163-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/888-156-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/888-157-0x0000000003920000-0x0000000003928000-memory.dmp

Filesize
32KB

Download
memory/4988-132-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/4988-158-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4988-160-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/4988-161-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/5044-153-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/5044-149-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/5044-148-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download