1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

Analysis

max time kernel
151s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Size

387KB
MD5

ae73d5d569ce0096900057dcea037a46
SHA1

eca059df4afc373ba77bd10e63acd20a5c741777
SHA256

1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7
SHA512

a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe
SSDEEP

12288:3Y6mMyF1raIs8XheouovrDDscHAFHHBPcIlY:ryXrmj4PtAFHGIy

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

Executes dropped EXE 2 IoCs

pid	Process
2016	fservice.exe
2544	services.exe

Loads dropped DLL 4 IoCs

pid	Process
2808	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
2808	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
2544	services.exe
2544	services.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	212.156.4.20

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\wininv.dll	services.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	services.exe
File opened for modification	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
File opened for modification	C:\Windows\system\sservice.exe	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
2808	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
2016	fservice.exe
2016	fservice.exe
2016	fservice.exe
2016	fservice.exe
2016	fservice.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe
2544	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2016	fservice.exe
Token: SeIncBasePriorityPrivilege	2544	services.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2808	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
2016	fservice.exe
2544	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2544	services.exe
2544	services.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2016	2808	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe	28
PID 2808 wrote to memory of 2016	2808	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe	28
PID 2808 wrote to memory of 2016	2808	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe	28
PID 2808 wrote to memory of 2016	2808	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe	28
PID 2016 wrote to memory of 2544	2016	fservice.exe	31
PID 2016 wrote to memory of 2544	2016	fservice.exe	31
PID 2016 wrote to memory of 2544	2016	fservice.exe	31
PID 2016 wrote to memory of 2544	2016	fservice.exe	31
PID 2544 wrote to memory of 3068	2544	services.exe	35
PID 2544 wrote to memory of 3068	2544	services.exe	35
PID 2544 wrote to memory of 3068	2544	services.exe	35
PID 2544 wrote to memory of 3068	2544	services.exe	35
PID 2544 wrote to memory of 2236	2544	services.exe	33
PID 2544 wrote to memory of 2236	2544	services.exe	33
PID 2544 wrote to memory of 2236	2544	services.exe	33
PID 2544 wrote to memory of 2236	2544	services.exe	33
PID 3068 wrote to memory of 1044	3068	NET.exe	37
PID 3068 wrote to memory of 1044	3068	NET.exe	37
PID 3068 wrote to memory of 1044	3068	NET.exe	37
PID 3068 wrote to memory of 1044	3068	NET.exe	37
PID 2236 wrote to memory of 1544	2236	NET.exe	36
PID 2236 wrote to memory of 1544	2236	NET.exe	36
PID 2236 wrote to memory of 1544	2236	NET.exe	36
PID 2236 wrote to memory of 1544	2236	NET.exe	36

C:\Users\Admin\AppData\Local\Temp\NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        
        PID:1544
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP SharedAccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SharedAccess
        5⤵
        
        PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fservice.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
C:\Windows\services.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
C:\Windows\services.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
C:\Windows\system\sservice.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
\Windows\SysWOW64\wininv.dll

Filesize
24KB

MD5
f44e9190900ae1ff43d951dc12691e6c

SHA1
b17cb75f21486fdf0fff99c0313a7156a62653b8

SHA256
1feb2aea58b433b163612d51f454862d9e2921624be878cb26d8609e2c6d1cc0

SHA512
8d3c0fe7ccd4cae8bafedf08b92c6fd344a008063c9511def1c5399583336a2034543db15e75fdc42c16e70d14055263aac06240b457b57bd859520b4f3ba714

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
6ebe4162566888dc0050afc8bacde715

SHA1
e592f0e306eec69b4114228d15cdf3cb57b253af

SHA256
ce7cbb099826c1d946c4bcb97cd2f43a5d34a8e16fd8b181be993702b2dd3452

SHA512
74f33f9d48b1622d0c8ddedb5bc9d9f30c37197b06f4bc0acccff0e272a1ea08d657eee3f0f532a2461d936e40af245594826e60e3874c09bbb835efeedcae65

Download Submit
memory/2016-31-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2016-33-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2016-37-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2016-15-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2016-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2544-38-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2544-49-0x0000000075650000-0x0000000075659000-memory.dmp

Filesize
36KB

Download
memory/2544-42-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2544-54-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2544-53-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2544-52-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2544-48-0x0000000075500000-0x000000007553B000-memory.dmp

Filesize
236KB

Download
memory/2544-46-0x0000000076280000-0x00000000762AA000-memory.dmp

Filesize
168KB

Download
memory/2544-47-0x00000000777C0000-0x000000007788C000-memory.dmp

Filesize
816KB

Download
memory/2544-50-0x0000000076690000-0x0000000076780000-memory.dmp

Filesize
960KB

Download
memory/2544-32-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2808-13-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2808-20-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2808-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2808-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download