Overview

overview

10

Static

static

3

125db40e2d...25.exe

windows7-x64

10

125db40e2d...25.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    60s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 07:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    125db40e2dd5b4b217422327ac449c25.exe

  • Size

    1.8MB

  • MD5

    125db40e2dd5b4b217422327ac449c25

  • SHA1

    a5460d1ed787288689afbf64a1ff3d3f6cc769b6

  • SHA256

    b7f9c8c589b7429a6d692a6b7be281d9efe8a17973e6486baa8efd96f7e7f9cf

  • SHA512

    188d9744f8844ebc5e806e018f48a55b273844ae5c3d4980c9f067cf06471705f02b18c61afe3112e7a4dbee38dbfb186d2e51a10968a63eaada23019d622ee7

  • SSDEEP

    24576:GG/oDTSIDDO5uiSyTp+Ddbgo9RALPODNIYZpeuwV0344vzFtRL5Yt/3vDvMA+XJ+:f2S/HhouOJZpev03LjktjGtb25nQiCW

Score
10/10
aspackv2evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 6 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 8 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\125db40e2dd5b4b217422327ac449c25.exe
    "C:\Users\Admin\AppData\Local\Temp\125db40e2dd5b4b217422327ac449c25.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\SysWOW64\fservice.exe
      C:\Windows\system32\fservice.exe
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\services.exe
        C:\Windows\services.exe -XP
        3⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:440
        • C:\Windows\SysWOW64\NET.exe
          NET STOP navapsvc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3008
        • C:\Windows\SysWOW64\NET.exe
          NET STOP srservice
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2976
  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP navapsvc
    1⤵
      PID:1696
    • C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP srservice
      1⤵
        PID:1540

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\services.exe
        Filesize

        389KB

        MD5

        c32f2df6ea19e1e290fb0a56e79e41b8

        SHA1

        a10063cc554f81e4c7a0494ad3f30f4b1d29cc12

        SHA256

        af681bba364575b65cab0313e0774c76e1ef52d6a581951eb1ada5594c2cc650

        SHA512

        d8f8a0a966609a473cbee665becee3e126121a56ebe437deb266636b94ef7fa19b6a0629a5b72077445bc7d80dd4e4d8e01044b67ec72004e81b42dd3c0740b9

        Download Submit

      • C:\Windows\services.exe
        Filesize

        45KB

        MD5

        4ae49ba0260061ee64beeeb9357447f5

        SHA1

        47cfc3620103652678c25b7d2ea7dbcf67b82308

        SHA256

        499088e6ab847f26f16746756ad952d0c3209a2bfa2385f46ece364f20af4132

        SHA512

        42fcb8116c1f2fd7073873e6227c0131ed23b9b9e17d0eb1f5e8babc55f3b553ab996e61e0129955231459b99734611d6aed256ec286319105cd0edef901c1f2

        Download Submit

      • C:\Windows\system\sservice.exe
        Filesize

        293KB

        MD5

        9bf1ad821b607a6923fa334392c59f5d

        SHA1

        d10f52067b2b62c2e08f8c04487b10ed74d04b2c

        SHA256

        011f92a399cb37900e982499b1948db68131a68e6774b86e8925d3195f4c53be

        SHA512

        d2e39415c1007c3c873feea04f143c2a3253f3adee6665ab6eea246ead07f7aaa132377ee351d3998fe5fc870d510920175374e85f216355a36805575c662e7f

        Download Submit

      • \Windows\SysWOW64\reginv.dll
        Filesize

        20KB

        MD5

        efe1a51eac2e377a23fc11edf9be91d6

        SHA1

        1576d771c4caf4a04b25929fa0f0b06dadc87511

        SHA256

        3320ef352ba97cc4632de11585ac1657e3b279d481465a04656dd230fe65deb5

        SHA512

        c8926141178eac63dda8258d71e4d534d0dcb21d9a94d7ab89b3241caa5e25740c845f420d74cfdabc5606296e9c59a75cc74e84005e4dc27dfbe098ea78d6b4

        Download Submit

      • \Windows\SysWOW64\winkey.dll
        Filesize

        13KB

        MD5

        36234e0b8df76ea2c282bba1a1b45748

        SHA1

        34880e089a5d5c42bce1622195522b431668206f

        SHA256

        d610cecdc353cb4a26e7d158c7ea0f78b573b57f9ac8ffc20832f89a7eac5ada

        SHA512

        cecae4a3e3c890078c01764903da6495d38eb8bcbe689b54607fe4d2029853752187d174690218041b6f0059749bb6ab344e751436c9b8d675e3ee19eced9222

        Download Submit

      • memory/440-146-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-152-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-82-0x0000000004490000-0x0000000004492000-memory.dmp

        Filesize

        8KB

        Download

      • memory/440-144-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-142-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-140-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-138-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-136-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-134-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-131-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-150-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-148-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-154-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-72-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-73-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/440-81-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-156-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/440-87-0x0000000004510000-0x0000000004511000-memory.dmp

        Filesize

        4KB

        Download

      • memory/440-86-0x00000000044A0000-0x00000000044A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/440-85-0x0000000004480000-0x0000000004481000-memory.dmp

        Filesize

        4KB

        Download

      • memory/440-84-0x00000000044C0000-0x00000000044C2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/440-83-0x0000000004470000-0x0000000004471000-memory.dmp

        Filesize

        4KB

        Download

      • memory/440-158-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2060-11-0x00000000045B0000-0x00000000045B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-24-0x00000000046F0000-0x00000000046F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-2-0x0000000000260000-0x0000000000261000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-1-0x00000000020E0000-0x00000000021E2000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2060-5-0x0000000004540000-0x0000000004541000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-22-0x0000000004600000-0x0000000004601000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-29-0x00000000046D0000-0x00000000046D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-31-0x00000000055E0000-0x0000000005A8A000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2060-28-0x0000000004530000-0x0000000004531000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-27-0x0000000004710000-0x0000000004711000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-66-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2060-26-0x0000000000A40000-0x0000000000A41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-38-0x00000000055E0000-0x0000000005A8A000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2060-25-0x0000000004700000-0x0000000004701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-124-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2060-3-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2060-4-0x0000000004570000-0x0000000004571000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-6-0x00000000045A0000-0x00000000045A2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2060-7-0x0000000004550000-0x0000000004551000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-8-0x0000000004560000-0x0000000004561000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-9-0x0000000004580000-0x0000000004581000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-10-0x00000000045F0000-0x00000000045F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-0-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2060-12-0x0000000004660000-0x0000000004661000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-17-0x0000000004630000-0x0000000004631000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-18-0x00000000046E0000-0x00000000046E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-19-0x00000000046B0000-0x00000000046B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-20-0x00000000046C0000-0x00000000046C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-23-0x0000000004640000-0x0000000004641000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2060-21-0x00000000044F0000-0x00000000044F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-60-0x0000000004690000-0x0000000004691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-75-0x0000000004300000-0x0000000004301000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-50-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2572-51-0x0000000004470000-0x0000000004471000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-52-0x0000000004440000-0x0000000004441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-53-0x00000000045E0000-0x00000000045E2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2572-55-0x0000000004480000-0x0000000004481000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-54-0x0000000004450000-0x0000000004451000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-56-0x0000000004630000-0x0000000004631000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-57-0x00000000045F0000-0x00000000045F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-58-0x00000000046A0000-0x00000000046A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-39-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2572-69-0x00000000055B0000-0x0000000005A5A000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2572-65-0x0000000004650000-0x0000000004651000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-59-0x0000000004640000-0x0000000004641000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-40-0x00000000002E0000-0x00000000002E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-62-0x00000000046E0000-0x00000000046E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-63-0x00000000046C0000-0x00000000046C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-64-0x00000000043F0000-0x00000000043F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-67-0x0000000004680000-0x0000000004681000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-68-0x0000000004420000-0x0000000004421000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-70-0x00000000055B0000-0x0000000005A5A000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2572-77-0x00000000046F0000-0x00000000046F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-76-0x0000000004710000-0x0000000004711000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-61-0x0000000004670000-0x0000000004671000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-74-0x0000000004700000-0x0000000004701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-120-0x0000000000400000-0x00000000008AA000-memory.dmp

        Filesize

        4.7MB

        Download