62016a398e0047d22414e322488e63e54f714578497e836a49ce64e90494a9ff

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 03:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73ae2f529cc85be3df021318041f40fe.exe
Size

373KB
MD5

73ae2f529cc85be3df021318041f40fe
SHA1

37b93f5aabdc32c63ad2cd35f164a26bba9e1294
SHA256

62016a398e0047d22414e322488e63e54f714578497e836a49ce64e90494a9ff
SHA512

38abadd6ec39f587d21868ba86c89f9746c0b9c35a15e7bc9051b1c17c5ba342f1fa6e83c05ae826fbbda6fb8e7a09a9f0f66d420ce2cd2b7c57fcf015461184
SSDEEP

6144:LGFWi0nLzd4VhtV3xfN5fa+Wk/20pP2+T8C7Yi81W4xN6KwKn78VBqqrQ:ji0/d47tV3xVve6P2y77Yb6KPn78jfQ

Score

10^/10

aspackv2 persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	DetoX-HACKS.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	DetoX-HACKS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	DetoX-HACKS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	DetoX-HACKS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	DetoX-HACKS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	DetoX-HACKS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000d00000002313a-30.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	73ae2f529cc85be3df021318041f40fe.exe

Executes dropped EXE 3 IoCs

pid	Process
2668	DetoX-HACKS.exe
4080	fservice.exe
4532	services.exe

Loads dropped DLL 5 IoCs

pid	Process
4532	services.exe
4532	services.exe
4532	services.exe
4080	fservice.exe
2668	DetoX-HACKS.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000e000000023137-4.dat	upx
behavioral2/memory/2668-9-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/files/0x0009000000023139-17.dat	upx
behavioral2/files/0x0009000000023139-16.dat	upx
behavioral2/memory/4532-27-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4080-42-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/2668-46-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-48-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-50-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-51-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-54-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-56-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-58-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-60-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-62-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-64-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-66-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-68-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-70-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-72-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-74-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4532-76-0x0000000000400000-0x00000000005FC000-memory.dmp	upx

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	DetoX-HACKS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DetoX-HACKS.exe	73ae2f529cc85be3df021318041f40fe.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	DetoX-HACKS.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\DetoX-HACKS.exe.bat	DetoX-HACKS.exe
File created	C:\Windows\SysWOW64\fservice.exe	DetoX-HACKS.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	DetoX-HACKS.exe
File opened for modification	C:\Windows\system\sservice.exe	DetoX-HACKS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe
4532	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4532	services.exe
4532	services.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2668	2288	73ae2f529cc85be3df021318041f40fe.exe	95
PID 2288 wrote to memory of 2668	2288	73ae2f529cc85be3df021318041f40fe.exe	95
PID 2288 wrote to memory of 2668	2288	73ae2f529cc85be3df021318041f40fe.exe	95
PID 2668 wrote to memory of 4080	2668	DetoX-HACKS.exe	96
PID 2668 wrote to memory of 4080	2668	DetoX-HACKS.exe	96
PID 2668 wrote to memory of 4080	2668	DetoX-HACKS.exe	96
PID 4080 wrote to memory of 4532	4080	fservice.exe	97
PID 4080 wrote to memory of 4532	4080	fservice.exe	97
PID 4080 wrote to memory of 4532	4080	fservice.exe	97
PID 4532 wrote to memory of 3380	4532	services.exe	101
PID 4532 wrote to memory of 3380	4532	services.exe	101
PID 4532 wrote to memory of 3380	4532	services.exe	101
PID 4532 wrote to memory of 4744	4532	services.exe	100
PID 4532 wrote to memory of 4744	4532	services.exe	100
PID 4532 wrote to memory of 4744	4532	services.exe	100
PID 4744 wrote to memory of 2700	4744	NET.exe	103
PID 4744 wrote to memory of 2700	4744	NET.exe	103
PID 4744 wrote to memory of 2700	4744	NET.exe	103
PID 3380 wrote to memory of 1260	3380	NET.exe	102
PID 3380 wrote to memory of 1260	3380	NET.exe	102
PID 3380 wrote to memory of 1260	3380	NET.exe	102
PID 2668 wrote to memory of 3948	2668	DetoX-HACKS.exe	106
PID 2668 wrote to memory of 3948	2668	DetoX-HACKS.exe	106
PID 2668 wrote to memory of 3948	2668	DetoX-HACKS.exe	106

C:\Users\Admin\AppData\Local\Temp\73ae2f529cc85be3df021318041f40fe.exe
"C:\Users\Admin\AppData\Local\Temp\73ae2f529cc85be3df021318041f40fe.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\DetoX-HACKS.exe
  "C:\Windows\System32\DetoX-HACKS.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\fservice.exe
    C:\Windows\system32\fservice.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\services.exe
      C:\Windows\services.exe -XP
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP navapsvc
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        6⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP srservice
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3380
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        6⤵
        
        PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\DetoX-HACKS.exe.bat
    3⤵
    PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DetoX-HACKS.exe

Filesize
342KB

MD5
7e58c655c09466daf23d107b5ad481b8

SHA1
0edc33f0694a4fe70f2028b2b8114fa0592a3204

SHA256
f8d7a8108aa4bbc139d314f0b624927e15d205ef3e2592492284f70c5fb83bea

SHA512
1ea2f52716c22d3e6b7b3f5dd90fbf55d13a2c99f752e3f670f4ba6261f3b901beafa2dfca600fcb256d5b0baf8d46fc225569459c363951f64e9ce1413101ea

Download Submit
C:\Windows\SysWOW64\DetoX-HACKS.exe.bat

Filesize
105B

MD5
86add7cdaae02129f5c4b08dd0dce47d

SHA1
bc721be8b7d51d3dee90f8bc60fcc9af7ba4cea7

SHA256
cf1f3e2fe9ba13cff848c851e2c91e5c67c81c324bc7b9b9fca18c7c71d54539

SHA512
7fe059951b8b74af98a58a78249f9a9f0e4d586a17a59e5e602a5ff460dc5caab9ffcfd2e3a2ea16dcb459049c51d4ff3a85879e53f77345becd4f8bdb320388

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
75KB

MD5
250bfef2bcbf221370d0805498ceeb28

SHA1
d1bacfef3cda540766feb87bc99e45724552fe22

SHA256
4a8de3b27975e8bac945b9a80fda8c80176751515dd5e98390b597a510ca74c1

SHA512
5fc127477376d82aa60b5ba9fd9204e954170703d4b33e00171a7f9d9e17d53c9d51842e0943ddc6f463a302e7d70af55ea6586c117940e17cb0d065101bac8e

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
95KB

MD5
c512357ad72afe365b78d0d62cf2c158

SHA1
bb6ce7dbe8b59e9a3be590fd2c01b6a61ff75f54

SHA256
65af5435e03b3e9ae5599fc6755efb775974ba4193688685e7baed1249b2a35b

SHA512
b3a216831e3442f5a381795e79443127f5efee1274b7c0d1df90e797a2322e2418494ed5cc53bc96d17d01059eaae525d9617de8884ee77ab83f7a84866779e5

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
C:\Windows\SysWOW64\winkey.dll

Filesize
13KB

MD5
b4c72da9fd1a0dcb0698b7da97daa0cd

SHA1
b25a79e8ea4c723c58caab83aed6ea48de7ed759

SHA256
45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

SHA512
f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

Download Submit
memory/2288-8-0x0000000010000000-0x0000000010066000-memory.dmp

Filesize
408KB

Download
memory/2668-9-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2668-10-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/2668-46-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4080-42-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4080-18-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4532-27-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-58-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-28-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4532-48-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-50-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-51-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-53-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4532-54-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-56-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-33-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/4532-60-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-62-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-64-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-66-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-68-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-70-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-72-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-74-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4532-76-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download