fa87a20cc3613200f68e069ebf03bf841a54e1aafe43141eac8c5090b7cdb336

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

023dfc651cef63a08cb8f0aacdeaa978.exe
Size

1.9MB
MD5

023dfc651cef63a08cb8f0aacdeaa978
SHA1

d6c2560b87e619083ac070efc8d56addc7267423
SHA256

fa87a20cc3613200f68e069ebf03bf841a54e1aafe43141eac8c5090b7cdb336
SHA512

abf794a1387a3685108aa130982a3a90ab0ca69fadffe83d277da77579790295765cd849b13f087c967ba5872ad5bb59b15bc45c8e91d4b20aad1b2436cb9cfd
SSDEEP

12288:C7qYxucwN74XguniSTsrHGyKWUxUHeC7/wazIQNcF8r/X0SCuOiA6:CSc9XguniGiNhsCIQu8rcSClN6

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	023dfc651cef63a08cb8f0aacdeaa978.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	023dfc651cef63a08cb8f0aacdeaa978.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	023dfc651cef63a08cb8f0aacdeaa978.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	023dfc651cef63a08cb8f0aacdeaa978.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	023dfc651cef63a08cb8f0aacdeaa978.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	023dfc651cef63a08cb8f0aacdeaa978.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

Executes dropped EXE 2 IoCs

pid	Process
2280	fservice.exe
2788	services.exe

Loads dropped DLL 5 IoCs

pid	Process
2788	services.exe
2788	services.exe
2788	services.exe
2280	fservice.exe
1588	023dfc651cef63a08cb8f0aacdeaa978.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	023dfc651cef63a08cb8f0aacdeaa978.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fservice.exe	023dfc651cef63a08cb8f0aacdeaa978.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	023dfc651cef63a08cb8f0aacdeaa978.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	023dfc651cef63a08cb8f0aacdeaa978.exe
File opened for modification	C:\Windows\system\sservice.exe	023dfc651cef63a08cb8f0aacdeaa978.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	services.exe
2788	services.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2280	1588	023dfc651cef63a08cb8f0aacdeaa978.exe	88
PID 1588 wrote to memory of 2280	1588	023dfc651cef63a08cb8f0aacdeaa978.exe	88
PID 1588 wrote to memory of 2280	1588	023dfc651cef63a08cb8f0aacdeaa978.exe	88
PID 2280 wrote to memory of 2788	2280	fservice.exe	89
PID 2280 wrote to memory of 2788	2280	fservice.exe	89
PID 2280 wrote to memory of 2788	2280	fservice.exe	89
PID 1588 wrote to memory of 3232	1588	023dfc651cef63a08cb8f0aacdeaa978.exe	92
PID 1588 wrote to memory of 3232	1588	023dfc651cef63a08cb8f0aacdeaa978.exe	92
PID 1588 wrote to memory of 3232	1588	023dfc651cef63a08cb8f0aacdeaa978.exe	92

C:\Users\Admin\AppData\Local\Temp\023dfc651cef63a08cb8f0aacdeaa978.exe
"C:\Users\Admin\AppData\Local\Temp\023dfc651cef63a08cb8f0aacdeaa978.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\023dfc651cef63a08cb8f0aacdeaa978.exe.bat
  2⤵
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\023dfc651cef63a08cb8f0aacdeaa978.exe.bat

Filesize
133B

MD5
02b0813cf26393dfbbece112bbbd85bf

SHA1
7cc14e0894ad8c4f472cd079e8bb2095d502d85c

SHA256
24e227827ef00fd406f4cca8fd18080dc793148f9723a737e634b5425a52a3e2

SHA512
32f01a45dd6b02a322fe1c4175bdd70e05066b577413a3dceb75958d283a1ca5d33956335ea55b8a80de744fb24b95d6fb04c15a43f18e1b2fa7a67778d1a252

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
1005KB

MD5
42a19618bb3acc704bd6e44bfa02621a

SHA1
b213e6c992171f0670b61e000446c09e751a61e3

SHA256
213cbd1d3225d0ed2b870bf9a6d4a2e7c30f2b00fe429ef306822cddaa1bd035

SHA512
da2876054310d20ad09a4b4b94812a8c95f3778fd20d338c4d42989eac83f173e85b9338d59476e9ff6882e9c55d262a62695ecea1c6a8abadfabe78d862c1d1

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
997KB

MD5
e26d161f6b90bd7aedca2cb5fc90e57f

SHA1
9887a11cf71f0c4d9f44e383dc0b18de5d9f4581

SHA256
0168c65725c7177073a50d7216707e7ca847a75c5806e25221be5b84127fb50c

SHA512
f01573f3cadb16d907fb9fb21db3730691e9a182533c3a39f4fd98a787940a984e3e4d3ce42e655d5e8302b9e0f67dc24643bc43f0d406a60205a468c18d50b8

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
830KB

MD5
06d7baddb2e83cbc97fdacef08a9aada

SHA1
7e1d9edbbf8bb512dc1b159600ea3abcd9448edf

SHA256
16bd91903f1bb8c249220dd1fc2588f0117561e5a7ace3299001c29b8e945a44

SHA512
c047a0807937b3c2d7b4c78a47b700c8745c73c6a6ba5dd0ffb81a5599509189570890a9821b3350d25ccd38f2032d5cb796c7348cccc13933f07a1a10b0a2ea

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
C:\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
43e7d9b875c921ba6be38d45540fb9dd

SHA1
f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

SHA256
f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

SHA512
2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

Download Submit
C:\Windows\services.exe

Filesize
669KB

MD5
7ad681039f48f0eeb139520116c7d130

SHA1
886a38c4120be57ef7950bcf7157a43cce0422ef

SHA256
cb04f5e2ad598d79a8131ac5da6f2f53e507207bad41e17372a89a202494f164

SHA512
6aad739173dfd9b1ae628631c043c22ee625688a492bc23b127927edf70000586ea426d087c4ecd1b7be5d4fccf3e54ff186786e445846b40ac2a567d309e880

Download Submit
C:\Windows\services.exe

Filesize
662KB

MD5
9ae57e83084a09cd2e1c163d5d778d14

SHA1
b555d699e273b8070438e588132f009af6c15c96

SHA256
72378a54fa2f3546a1254bea5a82d393e5cdf4b12a14286ab0c89b5414e79d96

SHA512
96c3e316467858588d02a9105771432af4b4bf76aefd3cfa8f2deceea74901d6ef6be65c62782d4f4747d9f923fb33c9a3a9d41286579ebfb84c352a79c0924c

Download Submit
C:\Windows\system\sservice.exe

Filesize
481KB

MD5
f020295692b43db205179f7bdf16c275

SHA1
9d488fd3efd235b1e701a0c26cc925641d2194de

SHA256
4e2cb3b885e8c95e8268c49494c738700e92f292e548efae01b3a64d5a1e8f02

SHA512
ed8bc1716e7746184145256a36d2ea815556d87949d22d71f7aff6543fbec87fd0f0f517292a89f90d93a72651f330d20872adbe099e6ff4c45bc2bbd2425768

Download Submit
memory/1588-34-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1588-0-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/2280-8-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2280-31-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/2788-17-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2788-36-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/2788-38-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads