d5eb64a4299bc489d0e73aa95dd4bab67212169e1868137cba6654171f58f9fd

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 12:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

193a2f1f586f5966a670c0cebdcd767a.exe
Size

510KB
MD5

193a2f1f586f5966a670c0cebdcd767a
SHA1

80747541e667065c5224e45858147b9491af5106
SHA256

d5eb64a4299bc489d0e73aa95dd4bab67212169e1868137cba6654171f58f9fd
SHA512

9e7f7e7b33fc5784be755874324344e45a05a85300c81f77ac881b9f526b436c847a8928e33d4ec2259d8c9e7254ac83fe24bd0405f37d4c3eaa3a2d6390f996
SSDEEP

12288:qsMxi+i/NBzYLJpjJICcfkmOjuXCjhpehUNtTird:qsMxwNBkOf6jyIehETEd

Score

10^/10

bootkit persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	193a2f1f586f5966a670c0cebdcd767a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	193a2f1f586f5966a670c0cebdcd767a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	193a2f1f586f5966a670c0cebdcd767a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	193a2f1f586f5966a670c0cebdcd767a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	193a2f1f586f5966a670c0cebdcd767a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	193a2f1f586f5966a670c0cebdcd767a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

Executes dropped EXE 2 IoCs

pid	Process
2556	fservice.exe
2908	services.exe

Loads dropped DLL 6 IoCs

pid	Process
1080	193a2f1f586f5966a670c0cebdcd767a.exe
1080	193a2f1f586f5966a670c0cebdcd767a.exe
2908	services.exe
2908	services.exe
2556	fservice.exe
1080	193a2f1f586f5966a670c0cebdcd767a.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	193a2f1f586f5966a670c0cebdcd767a.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	193a2f1f586f5966a670c0cebdcd767a.exe
File opened for modification	\??\PhysicalDrive0	fservice.exe
File opened for modification	\??\PhysicalDrive0	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fservice.exe	193a2f1f586f5966a670c0cebdcd767a.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	193a2f1f586f5966a670c0cebdcd767a.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	193a2f1f586f5966a670c0cebdcd767a.exe
File opened for modification	C:\Windows\system\sservice.exe	193a2f1f586f5966a670c0cebdcd767a.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe
2908	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2908	services.exe
2908	services.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2556	1080	193a2f1f586f5966a670c0cebdcd767a.exe	29
PID 1080 wrote to memory of 2556	1080	193a2f1f586f5966a670c0cebdcd767a.exe	29
PID 1080 wrote to memory of 2556	1080	193a2f1f586f5966a670c0cebdcd767a.exe	29
PID 1080 wrote to memory of 2556	1080	193a2f1f586f5966a670c0cebdcd767a.exe	29
PID 2556 wrote to memory of 2908	2556	fservice.exe	28
PID 2556 wrote to memory of 2908	2556	fservice.exe	28
PID 2556 wrote to memory of 2908	2556	fservice.exe	28
PID 2556 wrote to memory of 2908	2556	fservice.exe	28
PID 2908 wrote to memory of 1404	2908	services.exe	35
PID 2908 wrote to memory of 1404	2908	services.exe	35
PID 2908 wrote to memory of 1404	2908	services.exe	35
PID 2908 wrote to memory of 1404	2908	services.exe	35
PID 2908 wrote to memory of 1412	2908	services.exe	30
PID 2908 wrote to memory of 1412	2908	services.exe	30
PID 2908 wrote to memory of 1412	2908	services.exe	30
PID 2908 wrote to memory of 1412	2908	services.exe	30
PID 1404 wrote to memory of 2084	1404	NET.exe	33
PID 1404 wrote to memory of 2084	1404	NET.exe	33
PID 1404 wrote to memory of 2084	1404	NET.exe	33
PID 1404 wrote to memory of 2084	1404	NET.exe	33
PID 1412 wrote to memory of 1708	1412	NET.exe	32
PID 1412 wrote to memory of 1708	1412	NET.exe	32
PID 1412 wrote to memory of 1708	1412	NET.exe	32
PID 1412 wrote to memory of 1708	1412	NET.exe	32

C:\Users\Admin\AppData\Local\Temp\193a2f1f586f5966a670c0cebdcd767a.exe
"C:\Users\Admin\AppData\Local\Temp\193a2f1f586f5966a670c0cebdcd767a.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2556

C:\Windows\services.exe
C:\Windows\services.exe -XP
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\NET.exe
  NET STOP navapsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP navapsvc
    3⤵
    PID:1708
- C:\Windows\SysWOW64\NET.exe
  NET STOP srservice
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP srservice
1⤵
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-1-0x0000000000370000-0x00000000003B3000-memory.dmp

Filesize
268KB

Download
memory/1080-35-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1080-67-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1080-66-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1080-65-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/1080-64-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/1080-63-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/1080-193-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1080-62-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1080-61-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/1080-60-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/1080-59-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1080-58-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1080-57-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/1080-56-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/1080-55-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/1080-54-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/1080-53-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/1080-52-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/1080-51-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/1080-46-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1080-45-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1080-44-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/1080-43-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/1080-42-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/1080-41-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1080-40-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1080-39-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1080-38-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1080-37-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1080-36-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1080-34-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1080-33-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/1080-32-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1080-31-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1080-30-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1080-29-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1080-28-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1080-27-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1080-26-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1080-25-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1080-24-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1080-23-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/1080-22-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1080-21-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1080-20-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1080-19-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/1080-18-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1080-17-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/1080-16-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/1080-15-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/1080-14-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1080-13-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1080-12-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1080-11-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1080-10-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1080-9-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1080-8-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1080-7-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1080-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1080-6-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1080-5-0x0000000000650000-0x0000000000653000-memory.dmp

Filesize
12KB

Download
memory/1080-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1080-2-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1080-0-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2556-191-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-204-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-211-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-213-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-215-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-217-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-219-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-221-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-223-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-225-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-227-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-229-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-231-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-233-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2908-235-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download