fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae

Analysis

max time kernel
195s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
Size

501KB
MD5

7ea9290c902c31ee231c03e9089bdc76
SHA1

f75c08c945455e86f8d7cc94d1592287ae740f2e
SHA256

fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae
SHA512

2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114
SSDEEP

6144:Mg0dFN9ODM1AMvZKXJUX6NgI+mW6D6RZc1geYEY:+8Mvw+qemWZy1gmY

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Program Files\\Windows NT\\SERVICES.EXE,"	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe

Executes dropped EXE 2 IoCs

pid	Process
588	SERVICES.EXE
1520	SERVICES.EXE

Deletes itself 1 IoCs

pid	Process
568	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
588	SERVICES.EXE
1520	SERVICES.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ACE.dll	SERVICES.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 548	956	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	28
PID 588 set thread context of 1520	588	SERVICES.EXE	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\SERVICES.EXE	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
File opened for modification	C:\Program Files\Windows NT\SERVICES.EXE	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1520	SERVICES.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 548	956	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	28
PID 956 wrote to memory of 548	956	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	28
PID 956 wrote to memory of 548	956	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	28
PID 956 wrote to memory of 548	956	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	28
PID 956 wrote to memory of 548	956	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	28
PID 956 wrote to memory of 548	956	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	28
PID 548 wrote to memory of 568	548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	29
PID 548 wrote to memory of 568	548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	29
PID 548 wrote to memory of 568	548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	29
PID 548 wrote to memory of 568	548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	29
PID 548 wrote to memory of 588	548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	31
PID 548 wrote to memory of 588	548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	31
PID 548 wrote to memory of 588	548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	31
PID 548 wrote to memory of 588	548	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	31
PID 588 wrote to memory of 1520	588	SERVICES.EXE	32
PID 588 wrote to memory of 1520	588	SERVICES.EXE	32
PID 588 wrote to memory of 1520	588	SERVICES.EXE	32
PID 588 wrote to memory of 1520	588	SERVICES.EXE	32
PID 588 wrote to memory of 1520	588	SERVICES.EXE	32
PID 588 wrote to memory of 1520	588	SERVICES.EXE	32

C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
"C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
  C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$c281.tmp.bat
    3⤵
    - Deletes itself
    PID:568
- - C:\Program Files\Windows NT\SERVICES.EXE
    "C:\Program Files\Windows NT\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Program Files\Windows NT\SERVICES.EXE
      "C:\Program Files\Windows NT\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\SERVICES.EXE

Filesize
501KB

MD5
7ea9290c902c31ee231c03e9089bdc76

SHA1
f75c08c945455e86f8d7cc94d1592287ae740f2e

SHA256
fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae

SHA512
2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Download Submit
C:\Program Files\Windows NT\SERVICES.EXE

Filesize
501KB

MD5
7ea9290c902c31ee231c03e9089bdc76

SHA1
f75c08c945455e86f8d7cc94d1592287ae740f2e

SHA256
fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae

SHA512
2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Download Submit
C:\Program Files\Windows NT\SERVICES.EXE

Filesize
501KB

MD5
7ea9290c902c31ee231c03e9089bdc76

SHA1
f75c08c945455e86f8d7cc94d1592287ae740f2e

SHA256
fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae

SHA512
2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$c281.tmp.bat

Filesize
296B

MD5
d3cd86c606a5432e0c3e65c75eb85bb0

SHA1
72ca1aadb7451c025affdf685d6cd00041131242

SHA256
45591d3e42c65cc53d47531b582e6a1533adf833114b630d8c8ec604da5ed5e5

SHA512
d1ad1c066aa3d9104a37159732020e03a3a893706c6c7a0f890554cbbdf0b65050bfef54c421888cfe420e2f60f40bc7abc67b47d6a638b28fe586175bc1b648

Download Submit
\Program Files\Windows NT\SERVICES.EXE

Filesize
501KB

MD5
7ea9290c902c31ee231c03e9089bdc76

SHA1
f75c08c945455e86f8d7cc94d1592287ae740f2e

SHA256
fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae

SHA512
2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Download Submit
\Program Files\Windows NT\SERVICES.EXE

Filesize
501KB

MD5
7ea9290c902c31ee231c03e9089bdc76

SHA1
f75c08c945455e86f8d7cc94d1592287ae740f2e

SHA256
fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae

SHA512
2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Download Submit
\Program Files\Windows NT\SERVICES.EXE

Filesize
501KB

MD5
7ea9290c902c31ee231c03e9089bdc76

SHA1
f75c08c945455e86f8d7cc94d1592287ae740f2e

SHA256
fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae

SHA512
2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Download Submit
\Windows\SysWOW64\ACE.dll

Filesize
70KB

MD5
bec1bc3ae3dfa57d45626ae5ccf357c1

SHA1
463139746a9a323247faf088385b26201532cf8f

SHA256
7e5799aa61a8ca6e6543ff8fee1a656ea96f20cddf55c44c41b38c82d441d1cc

SHA512
779cf97ede0ae05aee90fefde5290b9dd45867499a21ee9d0f3830dc692cb9fa90712201f602883d9053d955de7c6f78ce10cd3d295d63cefcf3aa5e45862d96

Download Submit
memory/548-54-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/548-57-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/548-56-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/548-63-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1520-73-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1520-74-0x0000000000500000-0x000000000054B000-memory.dmp

Filesize
300KB

Download