Analysis
-
max time kernel
146s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
30-12-2023 12:57
General
-
Target
193a2f1f586f5966a670c0cebdcd767a.exe
-
Size
510KB
-
MD5
193a2f1f586f5966a670c0cebdcd767a
-
SHA1
80747541e667065c5224e45858147b9491af5106
-
SHA256
d5eb64a4299bc489d0e73aa95dd4bab67212169e1868137cba6654171f58f9fd
-
SHA512
9e7f7e7b33fc5784be755874324344e45a05a85300c81f77ac881b9f526b436c847a8928e33d4ec2259d8c9e7254ac83fe24bd0405f37d4c3eaa3a2d6390f996
-
SSDEEP
12288:qsMxi+i/NBzYLJpjJICcfkmOjuXCjhpehUNtTird:qsMxwNBkOf6jyIehETEd
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Drops file in System32 directory 7 IoCs
-
Drops file in Windows directory 7 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\193a2f1f586f5966a670c0cebdcd767a.exe"C:\Users\Admin\AppData\Local\Temp\193a2f1f586f5966a670c0cebdcd767a.exe"1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fservice.exeC:\Windows\system32\fservice.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP srservice1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP navapsvc1⤵
-
C:\Windows\SysWOW64\NET.exeNET STOP navapsvc1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\NET.exeNET STOP srservice1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\services.exeC:\Windows\services.exe -XP1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
268KB
-
Filesize
2.1MB
-
Filesize
2.1MB