Overview

overview

10

Static

static

3

5dc11ec3ef...9c.exe

windows7-x64

10

5dc11ec3ef...9c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2023 07:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5dc11ec3ef50428adbaddfe4b66c8b9c.exe

  • Size

    2.5MB

  • MD5

    5dc11ec3ef50428adbaddfe4b66c8b9c

  • SHA1

    d1ec0d9a75326ff45cb0f9b0690c52ac09b97623

  • SHA256

    cfe3d835275ab7d9317168a45294687e18004382e3af661bf8fc86c3446e12a8

  • SHA512

    41e7bc131d06b83a286e9482a3b38aa514cefa631baecfcaad22febb378be3232b3ef31b788a0fe7139ae49056b75d5c319069ff63da5483dacdc6ba29c731bd

  • SSDEEP

    24576:t8+kEW1dDBDtIiz++sprV6zJqKs/SjhDV:tQEWvZ9+Z69mkVV

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dc11ec3ef50428adbaddfe4b66c8b9c.exe
    "C:\Users\Admin\AppData\Local\Temp\5dc11ec3ef50428adbaddfe4b66c8b9c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\fservice.exe
      C:\Windows\system32\fservice.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\services.exe
        C:\Windows\services.exe -XP
        3⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 604
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2396
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\5dc11ec3ef50428adbaddfe4b66c8b9c.exe.bat
      2⤵
      • Deletes itself
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\fservice.exe
    Filesize

    1.0MB

    MD5

    5ecdcb9348e873b640b95ac0b702c680

    SHA1

    4d472f9e6bd54bf034b4175f907b7a83625942ae

    SHA256

    fb9152dc04097d33f4d1f1f7d58eb5ee35cd6a7cac2867c14c389538be97472a

    SHA512

    2a9dc18dfe2a94b325441d5c2614eabe8d047b3c8ca6ce5a1558b27af51f590cfd7d33a65f98e1fff99649f81db3a8938aa9bd1e38833e518604c6405d7761bc

    Download Submit

  • C:\Windows\SysWOW64\fservice.exe
    Filesize

    365KB

    MD5

    1816c89f5c18f4f978327e9c5fa6f584

    SHA1

    1f91ce6e54f9a6efa724d34fe37f4a9896601e79

    SHA256

    5ae2527496274effafc011b330514ad0a399c6fc7550574b67a13594cc23086f

    SHA512

    8c3ff79525b473aa7b57a19fa0075a11588543e9b8dc6dca32c45f36acf9770b2081811bdf861bdba54e040b9b5e930786317dfa5dc4d7085cf772b94d074f01

    Download Submit

  • C:\Windows\SysWOW64\fservice.exe
    Filesize

    565KB

    MD5

    a84b8f56d681811833d63e2fde9f4fdc

    SHA1

    3d8f9d7982a9110ca36ff324712c40aa6854d269

    SHA256

    92ddc51234407f18d2945cb2fb649e3ad89367bf5172d36a0c3f07fa1c55bfcd

    SHA512

    776a82d2e0b012b4f6f6474e53be1cd173351f8b8b49f041b6cbabf25b312553accd3c113825b1b24381c75806102a20dd0aa666ac169bda5a3675c90687967f

    Download Submit

  • C:\Windows\services.exe
    Filesize

    431KB

    MD5

    b0aa1b5b8bb2b7e4078d0be392ae4533

    SHA1

    85c7038874fcdc5d00010ab832fd9ac68d0aa4a8

    SHA256

    d38d5a7697eb7be3309cebac18851e258f36bc676ee7531bf555dcbba9c6919d

    SHA512

    226f1f964a1a2349b2e4b5e51ca19a34d1809033a7ec3f1566151faf1ecbf03afee6f4974817b4475829a4e2d68e2931090f868632976e6b7b887ff1fb51d02c

    Download Submit

  • C:\Windows\services.exe
    Filesize

    63KB

    MD5

    f16ddde23820437c7a704d1c1605b2b8

    SHA1

    3bf6ca2543777aeb350e5210f98447527ad3635c

    SHA256

    b333bfa7ea5924ce7a51dcb595eb06b55a1edee231aabc8ee9cf8445eda5888c

    SHA512

    9567364cdeb8635e79cffb532a79d4a405d0cf8f92d2b6497fa898526e8364c3ae3070e307e4fd68db4c38357c1420ddaa7bdc2dd616a1b1a36cf36601ae8be9

    Download Submit

  • C:\Windows\system\sservice.exe
    Filesize

    296KB

    MD5

    c4fac78b4f379517f689508f103d9edb

    SHA1

    437a43238c5760b8fc24e4e0270b79ea6d523759

    SHA256

    d875815f4e9b831676ee8064a5fa545ea1ac9fece6e143ad3e3c25976ba94b69

    SHA512

    07af5de7b1d1c63c2ef8274301d9db135b3f9ed87feede7e773088f9b283b96db9e7e56a95b41e5a4d08d7308a81385f28abc61f7b81f5687d631dec5785b9cf

    Download Submit

  • \Windows\SysWOW64\fservice.exe
    Filesize

    1.8MB

    MD5

    9b74608b041bb5692868c83d14a51b4c

    SHA1

    f5948bf382efa6ff2d9643286b22da9104267a75

    SHA256

    6126d458d9bd8aea727b99be97c947c5a50c9492307671f7141de41182f6ca8e

    SHA512

    889f92f04b61d429f6b8af6e209205ac0d1bd977732d25ebfbd6d24e6640acc8609b85538f6718d199143640f4385aa8917d8465025785f18524d89609378137

    Download Submit

  • \Windows\SysWOW64\fservice.exe
    Filesize

    333KB

    MD5

    05df1499dce8fca5a3db766ae7a25756

    SHA1

    9949e6dbcb47e530cf7117e22228d2ef508f8643

    SHA256

    6bc4c1a77040e0b379516d7ad0db139bfd1c067fc764e75b98bb5f95400a0d1c

    SHA512

    24b64c137b180158ba499f77e684e575f5225327a33d1f089d8cd4e0f7245e871f3c71b41473281c30245fbd0182fd46fb4cd95775c15ceae5601e111f836419

    Download Submit

  • \Windows\SysWOW64\reginv.dll
    Filesize

    36KB

    MD5

    d4a3f90e159ffbcbc4f9740de4b7f171

    SHA1

    0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

    SHA256

    2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

    SHA512

    5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

    Download Submit

  • \Windows\SysWOW64\winkey.dll
    Filesize

    24KB

    MD5

    43e7d9b875c921ba6be38d45540fb9dd

    SHA1

    f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

    SHA256

    f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

    SHA512

    2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

    Download Submit

  • memory/1724-14-0x0000000003A00000-0x0000000004006000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1724-1-0x0000000002500000-0x0000000002610000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1724-51-0x0000000000400000-0x0000000000A06000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1724-52-0x0000000002500000-0x0000000002610000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1724-2-0x0000000000A10000-0x0000000000A11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1724-0-0x0000000000400000-0x0000000000A06000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1956-21-0x0000000002420000-0x0000000002530000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1956-50-0x0000000000400000-0x0000000000A06000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1956-20-0x0000000002580000-0x0000000002581000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1956-27-0x0000000003BC0000-0x00000000041C6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1956-19-0x0000000000400000-0x0000000000A06000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2684-32-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-33-0x00000000022F0000-0x0000000002400000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2684-31-0x0000000000400000-0x0000000000A06000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2684-58-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-57-0x0000000000400000-0x0000000000A06000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2684-59-0x00000000022F0000-0x0000000002400000-memory.dmp

    Filesize

    1.1MB

    Download