0b90c40e938c22cb9bb9c9e8cf03d215b2e9e796d3e2f278a03c0438fe1a6597

Analysis

max time kernel
55s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
Size

519KB
MD5

4ee02d0aaa6c5973e34d05d0d6a7f19c
SHA1

1d04a6a5db7e0fa2c06b3f2b4554aeabd9f78c68
SHA256

0b90c40e938c22cb9bb9c9e8cf03d215b2e9e796d3e2f278a03c0438fe1a6597
SHA512

059be49389131afcee3011f1821ab6f83ed52c6d11dec5caebb4938910fb851b782ad7614e90102332c48726c1d4cd04f426bf7dbce1cc8f6893977a6fa41bab
SSDEEP

12288:yo5r7ZZ3RuAEEkCts0FNaWHcE+fcP1wb8HnAB88ZFg:yo5r7ZZ3d2mNa1H8RH/8U

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000d000000014636-66.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2824	fservice.exe
2628	services.exe

Loads dropped DLL 4 IoCs

pid	Process
2188	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
2188	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
2628	services.exe
2628	services.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fservice.exe	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\sservice.exe	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File opened for modification	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2188	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
2824	fservice.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe
2628	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2628	services.exe
2628	services.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2824	2188	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe	30
PID 2188 wrote to memory of 2824	2188	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe	30
PID 2188 wrote to memory of 2824	2188	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe	30
PID 2188 wrote to memory of 2824	2188	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe	30
PID 2188 wrote to memory of 2592	2188	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe	29
PID 2188 wrote to memory of 2592	2188	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe	29
PID 2188 wrote to memory of 2592	2188	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe	29
PID 2188 wrote to memory of 2592	2188	4ee02d0aaa6c5973e34d05d0d6a7f19c.exe	29
PID 2824 wrote to memory of 2628	2824	fservice.exe	31
PID 2824 wrote to memory of 2628	2824	fservice.exe	31
PID 2824 wrote to memory of 2628	2824	fservice.exe	31
PID 2824 wrote to memory of 2628	2824	fservice.exe	31
PID 2628 wrote to memory of 2888	2628	services.exe	35
PID 2628 wrote to memory of 2888	2628	services.exe	35
PID 2628 wrote to memory of 2888	2628	services.exe	35
PID 2628 wrote to memory of 2888	2628	services.exe	35
PID 2628 wrote to memory of 2788	2628	services.exe	33
PID 2628 wrote to memory of 2788	2628	services.exe	33
PID 2628 wrote to memory of 2788	2628	services.exe	33
PID 2628 wrote to memory of 2788	2628	services.exe	33
PID 2888 wrote to memory of 1632	2888	NET.exe	36
PID 2888 wrote to memory of 1632	2888	NET.exe	36
PID 2888 wrote to memory of 1632	2888	NET.exe	36
PID 2888 wrote to memory of 1632	2888	NET.exe	36
PID 2788 wrote to memory of 1644	2788	NET.exe	37
PID 2788 wrote to memory of 1644	2788	NET.exe	37
PID 2788 wrote to memory of 1644	2788	NET.exe	37
PID 2788 wrote to memory of 1644	2788	NET.exe	37

C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
"C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe.bat
  2⤵
  - Deletes itself
  PID:2592
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        
        PID:1644
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP srservice
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        5⤵
        
        PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe.bat

Filesize
133B

MD5
5d84397466f8a032857aab5e6e777835

SHA1
5f38d388701c1a6f8e4450a933a08c948014be12

SHA256
0315c1c07b2d2c1c0443621d2c2bc61cc17df79cbac8a9592adc5a0f333eaa1c

SHA512
43ee4b7733ca8d1c924ac3029fddce69c18d766509d8942c009a27eb5dbd8b6c50db9e6e75a8dbc9f7887e5f851de79db56ff4112e0dc8a9592e1ef64b0966f5

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
5KB

MD5
a850884752fcf5cdda3c11f6f513ce73

SHA1
2d8b5ff7a7871b08cee5b275793c4525e205ffe3

SHA256
6846f579c49b3aee63a58d28ed16021f5615b2f90d88eb55ead776b8c0b838ac

SHA512
a05dd7865e702d89fd48f3740cc14ee8be24f8c397c7dd2cfae0e3d50f9624d4ce09f94fe603b7a22002487d990a2fa4e5c996a540cacafedd247252490de2ac

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
1KB

MD5
2b9305e02eeb74f2c0212762c478796d

SHA1
15eb2c7fdc6901e327a0419f3844b9e9dfed3d9f

SHA256
975cb998c0fa0d88f002d406e678029f453553a9f822d6214ab9519f546e90cd

SHA512
42abb63df8bafb1bee67edd127fd674b92412f17ff04f8b74166e615e7f8d0deec517469a3f42c6dd384ff1871580bd2c4d985ed913d6eccf31b3d87a227f1c2

Download Submit
C:\Windows\services.exe

Filesize
49KB

MD5
47ee7b3b041db6c1ed350760b0d71413

SHA1
204c5adb9b908b7378da17b30baab53187a38249

SHA256
7b92b0ff73ff8696fcbc543d2284b90dff123529d13ad8f3c462e43d469b1d36

SHA512
43d340d34c0041970361173ae3e018b927a5b2d5af53dc903ba23e0b6694e519fa5ebaf041a1db8bbe4410bd4667cebf6d1468ed2516a406f1e49a4675392d4a

Download Submit
C:\Windows\system\sservice.exe

Filesize
71KB

MD5
a94efb7850d40fa57a0ead0b025250b4

SHA1
16fd08ce4ccadfe59d8924d15fc5560da69bc5ec

SHA256
f312c2b8b8d1a04861555c77b3e0b0ecce100f8096ce4e7ac843a801765b8662

SHA512
ebbaff15c34f311c1bcc2794dd58db865fd6a6ff9fa474d68e229ffa6855850aa4a1a385fdedea7754a20b913b7d2cbf5248e9fdb15a7bb680fea1a1360e098e

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
15KB

MD5
c845465367025572c9364e9544a0bbed

SHA1
65e905c6d53145e97197666810b57af461f19fca

SHA256
c5a23dfbba87d72c6ee391a27a1612b9791e7f7436e04a935e9094d91aca0ebb

SHA512
df613ba494ce371c7c1baaa475f4fbc0c7c8bac55f095f8632600c56638c37130f819aaa4b3edf5e1be85ecb1f24d4f3f97c485b9278fa5122206cb83daa1b66

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
13KB

MD5
3ecad5dc1a9c635879500b1a5200fefc

SHA1
461b92f3e9212add5c8edfa2ca255e3883cc7274

SHA256
1672e44582b8f567b5f6982780606438e474fff76f59b21927215328b02fe8d8

SHA512
00e1d91a1ba8b284c7112bf14c07de39d22199bc9360e8d86d4456ab3c3a570f5ae14b65e7f0233a2d932b21f3ceae5ce16d6da559fb9049649de7cbd807d00f

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
1KB

MD5
7d22e72fdb2e7b3aa6da3114145ea840

SHA1
c713c0c79fbe65349f359dd6b96d859d6269a4e9

SHA256
c636a1a1ec7d708cbae1b10d1c6350c6bdf3f97851b8cce40e758db128486929

SHA512
8cd4f3e23280dcd34ee5f1b0e5e90a25d42a219de87456678eea65d750800df00804375fee76b92d97533c14fa850631ec78ef5c90f5c080474f8c48bbd2b674

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
13KB

MD5
b4c72da9fd1a0dcb0698b7da97daa0cd

SHA1
b25a79e8ea4c723c58caab83aed6ea48de7ed759

SHA256
45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

SHA512
f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

Download Submit
memory/2188-11-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2188-4-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2188-0-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2188-1-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2188-19-0x00000000031C0000-0x00000000033D2000-memory.dmp

Filesize
2.1MB

Download
memory/2188-33-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2188-32-0x00000000031C0000-0x00000000033D2000-memory.dmp

Filesize
2.1MB

Download
memory/2188-30-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2188-10-0x0000000000370000-0x0000000000372000-memory.dmp

Filesize
8KB

Download
memory/2188-9-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2188-3-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2188-2-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2628-65-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2628-61-0x00000000002A0000-0x00000000002CD000-memory.dmp

Filesize
180KB

Download
memory/2628-78-0x00000000002A0000-0x00000000002CD000-memory.dmp

Filesize
180KB

Download
memory/2628-70-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2628-80-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2628-68-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2628-60-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2628-76-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2628-57-0x00000000002A0000-0x00000000002CD000-memory.dmp

Filesize
180KB

Download
memory/2628-63-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2628-64-0x00000000002E0000-0x00000000002E2000-memory.dmp

Filesize
8KB

Download
memory/2628-52-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2628-79-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2628-59-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2824-21-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2824-51-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/2824-55-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/2824-58-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2824-56-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2824-54-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2824-35-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2824-36-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2824-37-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/2824-41-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2824-43-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2824-42-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2824-29-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download