Overview

overview

10

Static

static

3

1a365b3dd9...d8.exe

windows7-x64

10

1a365b3dd9...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 13:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a365b3dd9a3b049814b3e4ad813c4d8.exe

  • Size

    1.6MB

  • MD5

    1a365b3dd9a3b049814b3e4ad813c4d8

  • SHA1

    4eed488cb6e8d66dbffd3eb6481e91de9830025c

  • SHA256

    3311fbb32acf6d00f0998e557f0a6ef7c1586232586a9069601db9ad72e7d59f

  • SHA512

    63d655bdda4fe599b1d24b35b448039db872e323caff112203b35614068cd2f77aeac16cadfbb1cfa1ad221c270434bcd39f2608e59ec4b1241099f1ad8c4f67

  • SSDEEP

    12288:blIX21g+kD1t5m1HX71j2TzgNOe099zUdcVlNPu90eDDJph:u5+kRt5mVXBczgNP099zUa1K0Sh

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 9 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a365b3dd9a3b049814b3e4ad813c4d8.exe
    "C:\Users\Admin\AppData\Local\Temp\1a365b3dd9a3b049814b3e4ad813c4d8.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\SysWOW64\fservice.exe
      C:\Windows\system32\fservice.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\services.exe
        C:\Windows\services.exe -XP
        3⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\NET.exe
          NET STOP navapsvc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 STOP navapsvc
            5⤵
              PID:2480
          • C:\Windows\SysWOW64\NET.exe
            NET STOP srservice
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2764
    • C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP srservice
      1⤵
        PID:2528

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\fservice.exe
        Filesize

        894KB

        MD5

        c2daca16e13507381b52b932d042dfcd

        SHA1

        698fac3b60940d1dd0b6409e6cb5ce51d9fa393c

        SHA256

        b1b9f1a89a5502bc17b938adcb83811e4547d999f60748222945a5ac9614964b

        SHA512

        90abd32f84a2fa9fa3f15dab8c99486c4f771f7c90acd9a9aa9a239410b205f48891cb621562c16cdf14b0dfacedeab53f61e337c58042aa841d3d6ed81804a3

        Download Submit

      • C:\Windows\services.exe
        Filesize

        877KB

        MD5

        e619df5940d053cbb06967b369a8b4e3

        SHA1

        4183015a885f05d57a194f8b369451943e4bc856

        SHA256

        b3b8a609c03f50ee326f0df01569db23d8efc2b58c2e16c2f28514e3b32aaea1

        SHA512

        3a91e29c62447c495a653a1d0e24f273eae84ff4bf1dd5e3b6b5fa1607ff41c78a7d7d8e1e9860019a777d578ee5374d1bc9e35b94d347867384ac89a115af7f

        Download Submit

      • C:\Windows\services.exe
        Filesize

        384KB

        MD5

        f6e8b202a30d1c2f26e800786e65aa8e

        SHA1

        bfc7c83162a0bf534e2131c188df0a096bf78559

        SHA256

        db1c8abef6f89f5afb6228f8f10a9bba237d1d5071ca0cddacac97b4d210cf94

        SHA512

        58ae69b59e3d574c7c75e3340a0b968178d58223c46212ea3b5ca49c23af522467d9fe808f3bed99bef129eee03ecd23ad048d7a15f1d63419456294045c48c5

        Download Submit

      • C:\Windows\system\sservice.exe
        Filesize

        833KB

        MD5

        b20194febe8f99a74876b814b4f5e7e1

        SHA1

        673b68d3eec5529c3e9dc0a09114723818b37dbd

        SHA256

        138a3c23fdce9b50b817a4935bed56a836031f06632c9a092ba072293d9313cf

        SHA512

        8624410bdd82b24f7e9c7da71db36f56e87c8e91b70a2281ff6d8205e42e5b55c14a1507041dbfc5248a1210cc25833a9dd4eaf82ed1a9f12d28283d20d4e18d

        Download Submit

      • \Windows\SysWOW64\fservice.exe
        Filesize

        1.6MB

        MD5

        1a365b3dd9a3b049814b3e4ad813c4d8

        SHA1

        4eed488cb6e8d66dbffd3eb6481e91de9830025c

        SHA256

        3311fbb32acf6d00f0998e557f0a6ef7c1586232586a9069601db9ad72e7d59f

        SHA512

        63d655bdda4fe599b1d24b35b448039db872e323caff112203b35614068cd2f77aeac16cadfbb1cfa1ad221c270434bcd39f2608e59ec4b1241099f1ad8c4f67

        Download Submit

      • \Windows\SysWOW64\fservice.exe
        Filesize

        1.1MB

        MD5

        785e5936c8481caba9cfb101bf606fee

        SHA1

        8ab34c172c30f6d5699752302199340244c41686

        SHA256

        cc200914c61659e00babce13e534b19b9d034c62dafaea1488fb4afc819c33f3

        SHA512

        caecc4ae32944d606042db82ae7b1567fc1d77bf9180a27021d35bde044a71de4fd697e6ebf9ec8d3ff1441e9b8431e432441f770d7df29638973b2365233bef

        Download Submit

      • \Windows\SysWOW64\reginv.dll
        Filesize

        36KB

        MD5

        d4a3f90e159ffbcbc4f9740de4b7f171

        SHA1

        0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

        SHA256

        2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

        SHA512

        5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

        Download Submit

      • \Windows\SysWOW64\winkey.dll
        Filesize

        24KB

        MD5

        43e7d9b875c921ba6be38d45540fb9dd

        SHA1

        f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

        SHA256

        f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

        SHA512

        2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

        Download Submit

      • memory/2644-26-0x00000000003A0000-0x00000000003A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2644-15-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2644-28-0x0000000003380000-0x0000000003597000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2644-17-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2644-29-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-49-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-51-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-30-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-39-0x0000000000320000-0x0000000000321000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2688-63-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-62-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-38-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-61-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-60-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-50-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-52-0x0000000000320000-0x0000000000321000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2688-59-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-53-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-54-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-55-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-56-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-57-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2688-58-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2996-5-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2996-13-0x0000000003450000-0x0000000003667000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2996-16-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2996-0-0x0000000000400000-0x0000000000617000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2996-7-0x0000000000320000-0x0000000000321000-memory.dmp

        Filesize

        4KB

        Download