Analysis

- max time kernel: 195s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2022, 17:14
Static task
- static1

Behavioral task
- behavioral1
  Sample: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
  Resource: win7-20221111-en

Behavioral task
- behavioral2
  Sample: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
  Resource: win10v2004-20221111-en
General

- Target: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
- Size: 501KB
- MD5: 7ea9290c902c31ee231c03e9089bdc76
- SHA1: f75c08c945455e86f8d7cc94d1592287ae740f2e
- SHA256: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae
- SHA512: 2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114
- SSDEEP: 6144:Mg0dFN9ODM1AMvZKXJUX6NgI+mW6D6RZc1geYEY:+8Mvw+qemWZy1gmY
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Program Files\\Windows NT\\SERVICES.EXE,"
  Process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
  (Winlogon launches every program listed in the Userinit value at user logon, so the appended SERVICES.EXE path is started with each logon.)

- Executes dropped EXE (2 IoCs)
  PID 588: SERVICES.EXE
  PID 1520: SERVICES.EXE

- Deletes itself (1 IoC)
  PID 568: cmd.exe

- Loads dropped DLL (4 IoCs)
  PID 548: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe (2 entries)
  PID 588: SERVICES.EXE
  PID 1520: SERVICES.EXE

- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\ACE.dll
  Process: SERVICES.EXE

- Suspicious use of SetThreadContext (2 IoCs)
  PID 956 set thread context of 548 (process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe, procid_target 28)
  PID 588 set thread context of 1520 (process: SERVICES.EXE, procid_target 32)

- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\Windows NT\SERVICES.EXE (process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe)
  File opened for modification: C:\Program Files\Windows NT\SERVICES.EXE (process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 548: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe (repeated entries)
  PID 1520: SERVICES.EXE (repeated entries)

- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1520: SERVICES.EXE (3 entries)

- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 956 wrote to memory of 548 (process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe, procid_target 28), 6 entries
  PID 548 wrote to memory of 568 (process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe, procid_target 29), 4 entries
  PID 548 wrote to memory of 588 (process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe, procid_target 31), 4 entries
  PID 588 wrote to memory of 1520 (process: SERVICES.EXE, procid_target 32), 6 entries
Processes

- C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe (PID 956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe (PID 548)
    Command line: C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 568)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$c281.tmp.bat
      - Deletes itself

    - C:\Program Files\Windows NT\SERVICES.EXE (PID 588)
      Command line: "C:\Program Files\Windows NT\SERVICES.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      - C:\Program Files\Windows NT\SERVICES.EXE (PID 1520)
        Command line: "C:\Program Files\Windows NT\SERVICES.EXE"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 501KB (this entry is listed six times in the report; the hashes are identical to those of the submitted sample)
  MD5: 7ea9290c902c31ee231c03e9089bdc76
  SHA1: f75c08c945455e86f8d7cc94d1592287ae740f2e
  SHA256: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae
  SHA512: 2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

- Filesize: 296B
  MD5: d3cd86c606a5432e0c3e65c75eb85bb0
  SHA1: 72ca1aadb7451c025affdf685d6cd00041131242
  SHA256: 45591d3e42c65cc53d47531b582e6a1533adf833114b630d8c8ec604da5ed5e5
  SHA512: d1ad1c066aa3d9104a37159732020e03a3a893706c6c7a0f890554cbbdf0b65050bfef54c421888cfe420e2f60f40bc7abc67b47d6a638b28fe586175bc1b648

- Filesize: 70KB
  MD5: bec1bc3ae3dfa57d45626ae5ccf357c1
  SHA1: 463139746a9a323247faf088385b26201532cf8f
  SHA256: 7e5799aa61a8ca6e6543ff8fee1a656ea96f20cddf55c44c41b38c82d441d1cc
  SHA512: 779cf97ede0ae05aee90fefde5290b9dd45867499a21ee9d0f3830dc692cb9fa90712201f602883d9053d955de7c6f78ce10cd3d295d63cefcf3aa5e45862d96