fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae

Analysis

max time kernel
201s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
Size

501KB
MD5

7ea9290c902c31ee231c03e9089bdc76
SHA1

f75c08c945455e86f8d7cc94d1592287ae740f2e
SHA256

fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae
SHA512

2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114
SSDEEP

6144:Mg0dFN9ODM1AMvZKXJUX6NgI+mW6D6RZc1geYEY:+8Mvw+qemWZy1gmY

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = ",C:\\Program Files\\Windows NT\\SERVICES.EXE,"	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe

Executes dropped EXE 2 IoCs

pid	Process
3844	SERVICES.EXE
3620	SERVICES.EXE

Loads dropped DLL 2 IoCs

pid	Process
3620	SERVICES.EXE
3620	SERVICES.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ACE.dll	SERVICES.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 3624	1848	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	84
PID 3844 set thread context of 3620	3844	SERVICES.EXE	89

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\SERVICES.EXE	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
File opened for modification	C:\Program Files\Windows NT\SERVICES.EXE	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3620	SERVICES.EXE
3620	SERVICES.EXE
3620	SERVICES.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 3624	1848	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	84
PID 1848 wrote to memory of 3624	1848	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	84
PID 1848 wrote to memory of 3624	1848	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	84
PID 1848 wrote to memory of 3624	1848	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	84
PID 1848 wrote to memory of 3624	1848	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	84
PID 3624 wrote to memory of 3980	3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	86
PID 3624 wrote to memory of 3980	3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	86
PID 3624 wrote to memory of 3980	3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	86
PID 3624 wrote to memory of 3844	3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	87
PID 3624 wrote to memory of 3844	3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	87
PID 3624 wrote to memory of 3844	3624	fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe	87
PID 3844 wrote to memory of 3620	3844	SERVICES.EXE	89
PID 3844 wrote to memory of 3620	3844	SERVICES.EXE	89
PID 3844 wrote to memory of 3620	3844	SERVICES.EXE	89
PID 3844 wrote to memory of 3620	3844	SERVICES.EXE	89
PID 3844 wrote to memory of 3620	3844	SERVICES.EXE	89

C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
"C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
  C:\Users\Admin\AppData\Local\Temp\fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$cEB1.tmp.bat
    3⤵
    PID:3980
- - C:\Program Files\Windows NT\SERVICES.EXE
    "C:\Program Files\Windows NT\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Program Files\Windows NT\SERVICES.EXE
      "C:\Program Files\Windows NT\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\SERVICES.EXE

Filesize
501KB

MD5
7ea9290c902c31ee231c03e9089bdc76

SHA1
f75c08c945455e86f8d7cc94d1592287ae740f2e

SHA256
fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae

SHA512
2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Download Submit
C:\Program Files\Windows NT\SERVICES.EXE

Filesize
501KB

MD5
7ea9290c902c31ee231c03e9089bdc76

SHA1
f75c08c945455e86f8d7cc94d1592287ae740f2e

SHA256
fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae

SHA512
2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Download Submit
C:\Program Files\Windows NT\SERVICES.EXE

Filesize
501KB

MD5
7ea9290c902c31ee231c03e9089bdc76

SHA1
f75c08c945455e86f8d7cc94d1592287ae740f2e

SHA256
fb9b2ec8da4124756d61cb41240364f8fa16717c843a3ca1cd4a2cd0c59a02ae

SHA512
2b99c951e3614e3cc191217bb91cb9048c074ceda47842e705314f4709a14ee46bd4226e4ab107778d6012a60dc9e83527f3fc9b5aa90bf39bcea7bf953bc114

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$cEB1.tmp.bat

Filesize
296B

MD5
1e471860367540f32a784f471ffc55bc

SHA1
73a27c31b7aabe4241b95a19fd453111853ff68d

SHA256
3aaba41928821ff04730f8787625091172dc3082a7e1e1dba9590da0f4e5771d

SHA512
3a714abc78d8ed52b00ec6fa52cb70e6eb2d7c55ed33cfd421fd2c3c384c42e8098e1e38ebe1f2add51b38899a0cd5d420f91023dbb7dd936f2719b2d8a34e20

Download Submit
C:\Windows\SysWOW64\ACE.dll

Filesize
70KB

MD5
bec1bc3ae3dfa57d45626ae5ccf357c1

SHA1
463139746a9a323247faf088385b26201532cf8f

SHA256
7e5799aa61a8ca6e6543ff8fee1a656ea96f20cddf55c44c41b38c82d441d1cc

SHA512
779cf97ede0ae05aee90fefde5290b9dd45867499a21ee9d0f3830dc692cb9fa90712201f602883d9053d955de7c6f78ce10cd3d295d63cefcf3aa5e45862d96

Download Submit
C:\Windows\SysWOW64\ACE.dll

Filesize
70KB

MD5
bec1bc3ae3dfa57d45626ae5ccf357c1

SHA1
463139746a9a323247faf088385b26201532cf8f

SHA256
7e5799aa61a8ca6e6543ff8fee1a656ea96f20cddf55c44c41b38c82d441d1cc

SHA512
779cf97ede0ae05aee90fefde5290b9dd45867499a21ee9d0f3830dc692cb9fa90712201f602883d9053d955de7c6f78ce10cd3d295d63cefcf3aa5e45862d96

Download Submit
memory/3620-153-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3620-152-0x00000000027E0000-0x000000000282B000-memory.dmp

Filesize
300KB

Download
memory/3620-150-0x00000000027E0000-0x000000000282B000-memory.dmp

Filesize
300KB

Download
memory/3620-147-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3624-136-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3624-140-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3624-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3624-134-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3624-133-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download