1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

Analysis

max time kernel
170s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 10:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Size

387KB
MD5

ae73d5d569ce0096900057dcea037a46
SHA1

eca059df4afc373ba77bd10e63acd20a5c741777
SHA256

1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7
SHA512

a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe
SSDEEP

12288:3Y6mMyF1raIs8XheouovrDDscHAFHHBPcIlY:ryXrmj4PtAFHGIy

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe

Executes dropped EXE 2 IoCs

pid	Process
1748	fservice.exe
1992	services.exe

Loads dropped DLL 3 IoCs

pid	Process
1992	services.exe
1992	services.exe
1992	services.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	212.156.4.20

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\wininv.dll	services.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
File opened for modification	C:\Windows\system\sservice.exe	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4652	5096	WerFault.exe	84
4960	1748	WerFault.exe	90
4844	1992	WerFault.exe	101

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
5096	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
5096	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
5096	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
1748	fservice.exe
1748	fservice.exe
1748	fservice.exe
1748	fservice.exe
1748	fservice.exe
1748	fservice.exe
1748	fservice.exe
1748	fservice.exe
1748	fservice.exe
1748	fservice.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe
1992	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1748	fservice.exe
Token: SeIncBasePriorityPrivilege	1992	services.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5096	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
1748	fservice.exe
1992	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1992	services.exe
1992	services.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 1748	5096	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe	90
PID 5096 wrote to memory of 1748	5096	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe	90
PID 5096 wrote to memory of 1748	5096	NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe	90
PID 1748 wrote to memory of 1992	1748	fservice.exe	101
PID 1748 wrote to memory of 1992	1748	fservice.exe	101
PID 1748 wrote to memory of 1992	1748	fservice.exe	101
PID 1992 wrote to memory of 3628	1992	services.exe	111
PID 1992 wrote to memory of 3628	1992	services.exe	111
PID 1992 wrote to memory of 3628	1992	services.exe	111
PID 1992 wrote to memory of 8	1992	services.exe	112
PID 1992 wrote to memory of 8	1992	services.exe	112
PID 1992 wrote to memory of 8	1992	services.exe	112
PID 8 wrote to memory of 220	8	NET.exe	115
PID 8 wrote to memory of 220	8	NET.exe	115
PID 8 wrote to memory of 220	8	NET.exe	115
PID 3628 wrote to memory of 3984	3628	NET.exe	116
PID 3628 wrote to memory of 3984	3628	NET.exe	116
PID 3628 wrote to memory of 3984	3628	NET.exe	116

C:\Users\Admin\AppData\Local\Temp\NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ae73d5d569ce0096900057dcea037a46_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 228
  2⤵
  - Program crash
  PID:4652
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 220
    3⤵
    - Program crash
    PID:4960
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 220
      4⤵
      Program crash
      PID:4844
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP SharedAccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SharedAccess
        5⤵
        
        PID:3984
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        
        PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5096 -ip 5096
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1748 -ip 1748
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1992 -ip 1992
1⤵
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fservice.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
C:\Windows\SysWOW64\wininv.dll

Filesize
24KB

MD5
f44e9190900ae1ff43d951dc12691e6c

SHA1
b17cb75f21486fdf0fff99c0313a7156a62653b8

SHA256
1feb2aea58b433b163612d51f454862d9e2921624be878cb26d8609e2c6d1cc0

SHA512
8d3c0fe7ccd4cae8bafedf08b92c6fd344a008063c9511def1c5399583336a2034543db15e75fdc42c16e70d14055263aac06240b457b57bd859520b4f3ba714

Download Submit
C:\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
6ebe4162566888dc0050afc8bacde715

SHA1
e592f0e306eec69b4114228d15cdf3cb57b253af

SHA256
ce7cbb099826c1d946c4bcb97cd2f43a5d34a8e16fd8b181be993702b2dd3452

SHA512
74f33f9d48b1622d0c8ddedb5bc9d9f30c37197b06f4bc0acccff0e272a1ea08d657eee3f0f532a2461d936e40af245594826e60e3874c09bbb835efeedcae65

Download Submit
C:\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
6ebe4162566888dc0050afc8bacde715

SHA1
e592f0e306eec69b4114228d15cdf3cb57b253af

SHA256
ce7cbb099826c1d946c4bcb97cd2f43a5d34a8e16fd8b181be993702b2dd3452

SHA512
74f33f9d48b1622d0c8ddedb5bc9d9f30c37197b06f4bc0acccff0e272a1ea08d657eee3f0f532a2461d936e40af245594826e60e3874c09bbb835efeedcae65

Download Submit
C:\Windows\services.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
C:\Windows\services.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
C:\Windows\system\sservice.exe

Filesize
387KB

MD5
ae73d5d569ce0096900057dcea037a46

SHA1
eca059df4afc373ba77bd10e63acd20a5c741777

SHA256
1d2a9b2ae1ca557fcedf03b279f17415123599255e1599037a1814479eccabb7

SHA512
a5396404f82c20f91803435a79f4d29c1791889de1d1af8c91aabaa1f26a980882929ca8d64125f6ab6cf59c88c0b5ddd0c0897343be1fdae44800d99f30eabe

Download Submit
memory/1748-32-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/1748-16-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1748-10-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/1748-25-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/1748-26-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1992-33-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/1992-27-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/1992-44-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/1992-45-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/1992-46-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-0-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/5096-15-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/5096-9-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/5096-8-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download