39528a427154aecef4600e402eccaf4e22a225dcb62fb42cf5820a4b9322c817

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2607186f40af391ca3a1a25c1b6ea23f.exe
Size

1.9MB
MD5

2607186f40af391ca3a1a25c1b6ea23f
SHA1

49397a07384995875ededc8c600c54ec9634c660
SHA256

39528a427154aecef4600e402eccaf4e22a225dcb62fb42cf5820a4b9322c817
SHA512

eb8980295eb5cda39ffc09973c9628c8f50fc2c8546b751fd98dbd451d9e2aff432463c1cc3fc337d150b9fdf130001b816bb22ef9dc0d1b966c5d4df06e58f7
SSDEEP

12288:RFfwcHcu8pMkZ3Fn9d+Vd3SUZ+7EeI1x7f7V3+hT6DaRWz58kc+1xy8SyGf4N:RJcu8pl9d+VdCUhN1SsNK+1pSyC4N

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	2607186f40af391ca3a1a25c1b6ea23f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2607186f40af391ca3a1a25c1b6ea23f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	2607186f40af391ca3a1a25c1b6ea23f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	2607186f40af391ca3a1a25c1b6ea23f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	2607186f40af391ca3a1a25c1b6ea23f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	2607186f40af391ca3a1a25c1b6ea23f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0032000000016bf4-24.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1992	fservice.exe
2696	services.exe

Loads dropped DLL 6 IoCs

pid	Process
860	2607186f40af391ca3a1a25c1b6ea23f.exe
860	2607186f40af391ca3a1a25c1b6ea23f.exe
2696	services.exe
2696	services.exe
1992	fservice.exe
860	2607186f40af391ca3a1a25c1b6ea23f.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	2607186f40af391ca3a1a25c1b6ea23f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fservice.exe	2607186f40af391ca3a1a25c1b6ea23f.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	2607186f40af391ca3a1a25c1b6ea23f.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	2607186f40af391ca3a1a25c1b6ea23f.exe
File opened for modification	C:\Windows\system\sservice.exe	2607186f40af391ca3a1a25c1b6ea23f.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe
2696	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2696	services.exe
2696	services.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1992	860	2607186f40af391ca3a1a25c1b6ea23f.exe	28
PID 860 wrote to memory of 1992	860	2607186f40af391ca3a1a25c1b6ea23f.exe	28
PID 860 wrote to memory of 1992	860	2607186f40af391ca3a1a25c1b6ea23f.exe	28
PID 860 wrote to memory of 1992	860	2607186f40af391ca3a1a25c1b6ea23f.exe	28
PID 1992 wrote to memory of 2696	1992	fservice.exe	29
PID 1992 wrote to memory of 2696	1992	fservice.exe	29
PID 1992 wrote to memory of 2696	1992	fservice.exe	29
PID 1992 wrote to memory of 2696	1992	fservice.exe	29
PID 2696 wrote to memory of 2836	2696	services.exe	30
PID 2696 wrote to memory of 2836	2696	services.exe	30
PID 2696 wrote to memory of 2836	2696	services.exe	30
PID 2696 wrote to memory of 2836	2696	services.exe	30
PID 2696 wrote to memory of 2712	2696	services.exe	32
PID 2696 wrote to memory of 2712	2696	services.exe	32
PID 2696 wrote to memory of 2712	2696	services.exe	32
PID 2696 wrote to memory of 2712	2696	services.exe	32
PID 2836 wrote to memory of 2908	2836	NET.exe	35
PID 2836 wrote to memory of 2908	2836	NET.exe	35
PID 2836 wrote to memory of 2908	2836	NET.exe	35
PID 2836 wrote to memory of 2908	2836	NET.exe	35
PID 2712 wrote to memory of 2888	2712	NET.exe	34
PID 2712 wrote to memory of 2888	2712	NET.exe	34
PID 2712 wrote to memory of 2888	2712	NET.exe	34
PID 2712 wrote to memory of 2888	2712	NET.exe	34
PID 860 wrote to memory of 2616	860	2607186f40af391ca3a1a25c1b6ea23f.exe	36
PID 860 wrote to memory of 2616	860	2607186f40af391ca3a1a25c1b6ea23f.exe	36
PID 860 wrote to memory of 2616	860	2607186f40af391ca3a1a25c1b6ea23f.exe	36
PID 860 wrote to memory of 2616	860	2607186f40af391ca3a1a25c1b6ea23f.exe	36

C:\Users\Admin\AppData\Local\Temp\2607186f40af391ca3a1a25c1b6ea23f.exe
"C:\Users\Admin\AppData\Local\Temp\2607186f40af391ca3a1a25c1b6ea23f.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP srservice
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        5⤵
        
        PID:2908
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        
        PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\2607186f40af391ca3a1a25c1b6ea23f.exe.bat
  2⤵
  - Deletes itself
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2607186f40af391ca3a1a25c1b6ea23f.exe.bat

Filesize
133B

MD5
54d54253babd62157d3764e867e637bb

SHA1
31d88ccdcc887476a02974da18c100571c41dda4

SHA256
6a94b3d200fc8f81db92771c6d14c580953d83fd4a84062a9a3a127a91c4cf34

SHA512
0a472bb814bb3fd207ffb154d713bcae9f4eec353f6b10977baaa1305cfb8b81890cf074d84bf55d13041d59363b860a40e318c5e725358b25fc1c5b7f261cd8

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
1.4MB

MD5
acea89fd72412bbfe9d8cf8befc29226

SHA1
04fd961c4c20a4b6cef32a0638b701c91474c677

SHA256
109fcf27a0af97cf3cf816a9ed3efed4fc42b6442e41780df48048b4403ca01b

SHA512
9e30a5e815d0abbaff14a9382b1da27e263fbb323ed8a00460e3c5e94b9aaa58e0643cbd0e644f749af0f8dc64536acb562c0dcc31d4d898dd4f4eec78afe831

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
1.0MB

MD5
7cf5067007b5ccddf446f5d7e7512198

SHA1
56cdddb8734b6afd40dc70e2aedb20a3002125c3

SHA256
49f5a7cf03d9d492686c3ed055e990aad3cc317f28c2486f609f12b42a781f1b

SHA512
737e14b6d95ec56d205457633b4cc0ad966dcd04b1f7baa890710f16253734857c6cd280756670e237949807451448e9e72b2c4d4225b604108f3ab9268a736b

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
1.0MB

MD5
e280ab3b660f4502a0b32b7b6da93d2f

SHA1
5083ee9809bbf0c5f03c59ea8aa7809b6ab9a066

SHA256
a7af7989207d16b8ff60bfc50ca4ef5e90fdedede9c60c501e341e06bb5ac831

SHA512
d2bc103179e97c306c5db15ae8f582ead1f5a60159b04705b49734970db516c01c0c5e33b62a36c03d03f3eb6630e822fa4688d0551db907a3d43cc7e4656db0

Download Submit
C:\Windows\services.exe

Filesize
769KB

MD5
264354f390f9c80da8f6f305d5982941

SHA1
722bee58283df75c33186d33ff33962f553e4c72

SHA256
274f9e867559ea485631fd84badc8f9d183029ac67e631717b6138adb96156de

SHA512
077f7ef736c784ef005fb546266f4e3be5ac8c31727c21cf0cb4bc8aee8b6eec417b9b0ab3db8e8800982f2cb10f59d791ec8b37ac995bed907644f1b7189a8a

Download Submit
C:\Windows\services.exe

Filesize
451KB

MD5
d2d770c141e7768c7a8e36cd8dcb99a4

SHA1
9ae7401be19caf1b94505ec38c769712725385c6

SHA256
46d9df8b783fe125be74ac43c71b3c095d2abd0caa8f36b865cbf4db3ed6ac83

SHA512
f6762215a92a83b33cb7f9f28b26cab17a5ef983655237569421e3428bc6d941e901dc2bb0daf7160ba52e5f28464e191dc1aaffc83bcf856c9e19df64af2de6

Download Submit
C:\Windows\system\sservice.exe

Filesize
936KB

MD5
4085bd5aadf9732d376e7a0767944318

SHA1
e627bee6bfc0a5ab5dec07ef855eb6089694d625

SHA256
b4a6f37a9b4d48e24f875d00d93b5d8ac2ed46e608a34f544a1ec6839d5771ea

SHA512
56b0f9366b34a41dc3ec5b6f4e9f1f9e051720c2f2f86b6d8226773e6feb77e7d5a8ac75c831d864f90115b6c5d54c8b21c5763281aa7aa31dec5070d6912240

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
1.9MB

MD5
2607186f40af391ca3a1a25c1b6ea23f

SHA1
49397a07384995875ededc8c600c54ec9634c660

SHA256
39528a427154aecef4600e402eccaf4e22a225dcb62fb42cf5820a4b9322c817

SHA512
eb8980295eb5cda39ffc09973c9628c8f50fc2c8546b751fd98dbd451d9e2aff432463c1cc3fc337d150b9fdf130001b816bb22ef9dc0d1b966c5d4df06e58f7

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
826KB

MD5
5eb34b8a88b0126e91fed657506fbf63

SHA1
f25324c69e59ee0921980c3183d24a214e157bd8

SHA256
566e0dc36c71c8825e5bce3530e5ab5a6a17150ad7713afaa583f525f13efad8

SHA512
8021ce7e11f5f5374dffcf066f3b91f4dfdc3dc74dc7b9a8f4d1422c3c24383a0cb96177b599444cbd5bf41e614d239e3a571f419c704f9ba19b203ea31183d1

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
13KB

MD5
b4c72da9fd1a0dcb0698b7da97daa0cd

SHA1
b25a79e8ea4c723c58caab83aed6ea48de7ed759

SHA256
45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

SHA512
f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

Download Submit
memory/860-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/860-43-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/1992-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1992-33-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-22-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2696-56-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-45-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-46-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2696-47-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-49-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2696-50-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-52-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-54-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-26-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2696-58-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-60-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-62-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-64-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-66-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-68-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-70-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/2696-72-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download