Analysis
max time kernel: 201s
max time network: 214s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 17:14
Static task: static1
Behavioral task: behavioral1
  Sample: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
  Resource: win10v2004-20221111-en
General
Target: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
Size: 501KB
MD5: 7ea9290c902c31ee231c03e9089bdc76
SHA1: f75c08c945455e86f8d7cc94d1592287ae740f2e
SHA256: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae
SHA512: 2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114
SSDEEP: 6144:Mg0dFN9ODM1AMvZKXJUX6NgI+mW6D6RZc1geYEY:+8Mvw+qemWZy1gmY
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = ",C:\\Program Files\\Windows NT\\SERVICES.EXE,"
  Process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe

Executes dropped EXE (2 IoCs)
  pid 3844  Process: SERVICES.EXE
  pid 3620  Process: SERVICES.EXE

Loads dropped DLL (2 IoCs)
  pid 3620  Process: SERVICES.EXE
  pid 3620  Process: SERVICES.EXE

Drops file in System32 directory (1 IoC)
  description: File created
  ioc: C:\Windows\SysWOW64\ACE.dll
  Process: SERVICES.EXE

Suspicious use of SetThreadContext (2 IoCs)
  PID 1848 set thread context of 3624  Process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe  procid_target: 84
  PID 3844 set thread context of 3620  Process: SERVICES.EXE  procid_target: 89

Drops file in Program Files directory (2 IoCs)
  description: File created
  ioc: C:\Program Files\Windows NT\SERVICES.EXE
  Process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
  description: File opened for modification
  ioc: C:\Program Files\Windows NT\SERVICES.EXE
  Process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3624  Process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe  (18 entries)
  pid 3620  Process: SERVICES.EXE  (46 entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 3620  Process: SERVICES.EXE  (3 entries)

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1848 wrote to memory of 3624  Process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe  procid_target: 84  (5 entries)
  PID 3624 wrote to memory of 3980  Process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe  procid_target: 86  (3 entries)
  PID 3624 wrote to memory of 3844  Process: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe  procid_target: 87  (3 entries)
  PID 3844 wrote to memory of 3620  Process: SERVICES.EXE  procid_target: 89  (5 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe"
   PID: 1848
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
      PID: 3624
      - Modifies WinLogon for persistence
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$cEB1.tmp.bat
         PID: 3980

      3. C:\Program Files\Windows NT\SERVICES.EXE
         Command line: "C:\Program Files\Windows NT\SERVICES.EXE"
         PID: 3844
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Program Files\Windows NT\SERVICES.EXE
            Command line: "C:\Program Files\Windows NT\SERVICES.EXE"
            PID: 3620
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 501KB
MD5: 7ea9290c902c31ee231c03e9089bdc76
SHA1: f75c08c945455e86f8d7cc94d1592287ae740f2e
SHA256: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae
SHA512: 2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Filesize: 501KB
MD5: 7ea9290c902c31ee231c03e9089bdc76
SHA1: f75c08c945455e86f8d7cc94d1592287ae740f2e
SHA256: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae
SHA512: 2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Filesize: 501KB
MD5: 7ea9290c902c31ee231c03e9089bdc76
SHA1: f75c08c945455e86f8d7cc94d1592287ae740f2e
SHA256: fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae
SHA512: 2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Filesize: 296B
MD5: 1e471860367540f32a784f471ffc55bc
SHA1: 73a27c31b7aabe4241b95a19fd453111853ff68d
SHA256: 3aaba41928821ff04730f8787625091172dc3082a7e1e1dba9590da0f4e5771d
SHA512: 3a714abc78d8ed52b00ec6fa52cb70e6eb2d7c55ed33cfd421fd2c3c384c42e8098e1e38ebe1f2add51b38899a0cd5d420f91023dbb7dd936f2719b2d8a34e20

Filesize: 70KB
MD5: bec1bc3ae3dfa57d45626ae5ccf357c1
SHA1: 463139746a9a323247faf088385b26201532cf8f
SHA256: 7e5799aa61a8ca6e6543ff8fee1a656ea96f20cddf55c44c41b38c82d441d1cc
SHA512: 779cf97ede0ae05aee90fefde5290b9dd45867499a21ee9d0f3830dc692cb9fa90712201f602883d9053d955de7c6f78ce10cd3d295d63cefcf3aa5e45862d96

Filesize: 70KB
MD5: bec1bc3ae3dfa57d45626ae5ccf357c1
SHA1: 463139746a9a323247faf088385b26201532cf8f
SHA256: 7e5799aa61a8ca6e6543ff8fee1a656ea96f20cddf55c44c41b38c82d441d1cc
SHA512: 779cf97ede0ae05aee90fefde5290b9dd45867499a21ee9d0f3830dc692cb9fa90712201f602883d9053d955de7c6f78ce10cd3d295d63cefcf3aa5e45862d96