334de1d5c8bbdf92028be5824d1464f727436d58f9e8ced1c1ac824743686093

Analysis

max time kernel
87s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c8a4b9585343d742758a6ae32c3739a.exe
Size

1.9MB
MD5

0c8a4b9585343d742758a6ae32c3739a
SHA1

e209ae2cf7c780c8e36ac18fbacb13d583bfe12d
SHA256

334de1d5c8bbdf92028be5824d1464f727436d58f9e8ced1c1ac824743686093
SHA512

bf127855dd52fee4ea3496e617b8e716ae7b773aaa9c702f8a326f7c3a72dec672b9f859f5c876145f68998f37dae8afad7ec1e425ed2e0932ad1e209ec675e0
SSDEEP

12288:RFfwcHcu8pMkZ3Fn9d+Vd3SUZ+7EeI1x7f7V3+hT6DaRWz58kc+1xy8SyGO4A:RJcu8pl9d+VdCUhN1SsNK+1pSyH4A

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	0c8a4b9585343d742758a6ae32c3739a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0c8a4b9585343d742758a6ae32c3739a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	0c8a4b9585343d742758a6ae32c3739a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	0c8a4b9585343d742758a6ae32c3739a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	0c8a4b9585343d742758a6ae32c3739a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	0c8a4b9585343d742758a6ae32c3739a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023210-19.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
5044	fservice.exe
4936	services.exe

Loads dropped DLL 5 IoCs

pid	Process
4936	services.exe
4936	services.exe
4936	services.exe
5044	fservice.exe
2544	0c8a4b9585343d742758a6ae32c3739a.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	0c8a4b9585343d742758a6ae32c3739a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fservice.exe	0c8a4b9585343d742758a6ae32c3739a.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	0c8a4b9585343d742758a6ae32c3739a.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	0c8a4b9585343d742758a6ae32c3739a.exe
File opened for modification	C:\Windows\system\sservice.exe	0c8a4b9585343d742758a6ae32c3739a.exe
File created	C:\Windows\services.exe	fservice.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe
4936	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4936	services.exe
4936	services.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 5044	2544	0c8a4b9585343d742758a6ae32c3739a.exe	32
PID 2544 wrote to memory of 5044	2544	0c8a4b9585343d742758a6ae32c3739a.exe	32
PID 2544 wrote to memory of 5044	2544	0c8a4b9585343d742758a6ae32c3739a.exe	32
PID 5044 wrote to memory of 4936	5044	fservice.exe	19
PID 5044 wrote to memory of 4936	5044	fservice.exe	19
PID 5044 wrote to memory of 4936	5044	fservice.exe	19
PID 4936 wrote to memory of 2916	4936	services.exe	30
PID 4936 wrote to memory of 2916	4936	services.exe	30
PID 4936 wrote to memory of 2916	4936	services.exe	30
PID 4936 wrote to memory of 2624	4936	services.exe	29
PID 4936 wrote to memory of 2624	4936	services.exe	29
PID 4936 wrote to memory of 2624	4936	services.exe	29
PID 2916 wrote to memory of 2052	2916	NET.exe	27
PID 2916 wrote to memory of 2052	2916	NET.exe	27
PID 2916 wrote to memory of 2052	2916	NET.exe	27
PID 2624 wrote to memory of 2604	2624	NET.exe	26
PID 2624 wrote to memory of 2604	2624	NET.exe	26
PID 2624 wrote to memory of 2604	2624	NET.exe	26
PID 2544 wrote to memory of 4372	2544	0c8a4b9585343d742758a6ae32c3739a.exe	25
PID 2544 wrote to memory of 4372	2544	0c8a4b9585343d742758a6ae32c3739a.exe	25
PID 2544 wrote to memory of 4372	2544	0c8a4b9585343d742758a6ae32c3739a.exe	25

C:\Users\Admin\AppData\Local\Temp\0c8a4b9585343d742758a6ae32c3739a.exe
"C:\Users\Admin\AppData\Local\Temp\0c8a4b9585343d742758a6ae32c3739a.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\0c8a4b9585343d742758a6ae32c3739a.exe.bat
  2⤵
  PID:4372
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:5044

C:\Windows\services.exe
C:\Windows\services.exe -XP
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\NET.exe
  NET STOP navapsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- C:\Windows\SysWOW64\NET.exe
  NET STOP srservice
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP navapsvc
1⤵
PID:2604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP srservice
1⤵
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c8a4b9585343d742758a6ae32c3739a.exe.bat

Filesize
133B

MD5
183bc952982ee3a973b844b55fb72d51

SHA1
625d6742dfae6def7d8b62a0b86b7aa18ed4706d

SHA256
516f9ad5f244b5f96f19807df4d0db5557cba36fbf4e7925a9486791eb3806fc

SHA512
6aca759304480101a64188922bf1971c05b1f76772dcd90fa5d27f92470563fbbb813e97a575364121563ac0292ffd427b4bc20b1a94a0680150fda0424bb930

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
215KB

MD5
aee6fa906a3462b0e0f0f0fbd2fda939

SHA1
d1d4f0d646ceca59c7c154072147d0ab83134d52

SHA256
cdd20ef865ef75cff4c8f26b4353e4b9fc1ef0615fbdf001c3fbdbda5dfeba25

SHA512
524835d7e1208c67e24c44c0bf26ee1b4fd9fce4f3c9c5c06d6192af3e14cfac749868be9f52c25dda69c4d3fc76d3a3d2959f2c73c00c9fae1e0ea400854b85

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
105KB

MD5
48cd60db581625ea898f44d54943bfc9

SHA1
e05634aa2fa75206bfb03541a66419e7b29762f0

SHA256
d0e72fa7b23a31840d70a988ebef61da14923442587503536093494c1fbeb20a

SHA512
ab94d5c743722ccaaa99d0442b6d5d096ac1ceaed0024c932a19fdcac5dffe2f7e440015b07c15acc5988ceea69e89d1bfb45b7be23938c9f8585be5584e11c9

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
149KB

MD5
fb9d58d29f951eaabd0a4ad1757b3c66

SHA1
917411cf35d97e87d6b7d57ec463c75005781e72

SHA256
82484caa995c52ad0c40fb69c7398bf06c237882386a59cffc105b2bb43189cd

SHA512
bb5a58c0ff0207905ea013be21793b35c17df11837ccf573d1cc5db998662044166f5fde6059cbcba8de86583b2b6efa4fb0b920a41b7559820236a0fad36d60

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
C:\Windows\SysWOW64\winkey.dll

Filesize
13KB

MD5
b4c72da9fd1a0dcb0698b7da97daa0cd

SHA1
b25a79e8ea4c723c58caab83aed6ea48de7ed759

SHA256
45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

SHA512
f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

Download Submit
C:\Windows\services.exe

Filesize
87KB

MD5
56a797e6eb469d08315bbbe4c2fc7716

SHA1
4b6e4fbc0a4e0c5dac177544ddfe7b87b911f61c

SHA256
c5dd803ea0126c7be825f31826baec8163515aa38201ac5c40bc0f2ce31f539a

SHA512
8080822e0ad5231798e789a1367070a65d2390dacc010e48743ae4286dfee11597ded43b0013cf51c8ff29ab2fc822169be170a884d93d5faf43d8564dfc6eef

Download Submit
C:\Windows\services.exe

Filesize
101KB

MD5
fa02b19dbd6b38b43de24d533cf68997

SHA1
61ced1fc3297f9d12ccef0bebfd92f94bba8641f

SHA256
34529d7564e087d32131b9e5e06547aca775f5bfe8c4d06f05b11d7c489cd6d8

SHA512
7b171d2807f96bdd757c22e4e4378cd40666139e0442e928518e5830b7d300182b8d92990a9d6cdee010cae63b929857401d6cfe948ddc2a33b43b1e092ded1f

Download Submit
C:\Windows\system\sservice.exe

Filesize
207KB

MD5
675d99beb7167250d15b04ab2058781b

SHA1
817603884e3c15f6863989d9be70e9e31353055e

SHA256
b7226a5803e63ef61b347f531658b8f818b8009a7db6aeb89892fbee4e428407

SHA512
0a95a3b1af94467f43e799ad8ac3ba904835bbdb1c9a98f40022010958984210a67bb541767d91cf7757099086c8b25d0c37eeea5fb8f6de99b1649ab34af825

Download Submit
memory/2544-35-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2544-0-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4936-46-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-64-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-44-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-22-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/4936-37-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-41-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4936-39-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-42-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-17-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4936-62-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-50-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-48-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-52-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-54-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-56-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-58-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-60-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/5044-8-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/5044-33-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download