7bf213788373110026030818ac55747e5e6556ee8b1860f712982673c2c51956

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 13:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a3eec32541be894b7f25be656f28a9a4.exe
Size

204KB
MD5

a3eec32541be894b7f25be656f28a9a4
SHA1

616998ca4ddf679594077e2bc7fa82b4fb95f590
SHA256

7bf213788373110026030818ac55747e5e6556ee8b1860f712982673c2c51956
SHA512

f844811a1af17854dcdd6ca126ae67ebadff99f6a6a91cdbdf7341efc4bbc42fd185b3b8184cc8c95b04b4cde3a32283ed812a9f994bc810e8f67ec1916ac07d
SSDEEP

3072:d/VEn1eZTsNnE0zSyFRouI97LPWGDJzJGgyys0yQYpgy69GSAj:d/VEn1eZ2pfG7LPWGDJc0yJpD69W

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	services.exe

Loads dropped DLL 5 IoCs

pid	Process
1832	a3eec32541be894b7f25be656f28a9a4.exe
1832	a3eec32541be894b7f25be656f28a9a4.exe
2220	services.exe
2220	services.exe
2220	services.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\services = "C:\\Windows\\pchealth\\services.exe"	services.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\afire.dll	a3eec32541be894b7f25be656f28a9a4.exe
File opened for modification	C:\Windows\services.exe	a3eec32541be894b7f25be656f28a9a4.exe
File created	C:\Windows\afprj.dll	a3eec32541be894b7f25be656f28a9a4.exe
File opened for modification	C:\Windows\pchealth\services.exe	a3eec32541be894b7f25be656f28a9a4.exe
File opened for modification	C:\Windows\pchealth\services.exe	services.exe
File opened for modification	C:\Windows\setupconfig.dat	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{76B44BC9-7507-49F0-880C-E7DAD894B1AE}\TypeLib\ = "{C7B28AAD-2087-4832-9E09-B70FF45CDF85}"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\ = "_CSocketMaster"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}\ = "__CSocketMaster"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C003C75-A91B-4EB2-8245-61E27B6D705D}\VERSION	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48810106-1FB4-4D74-9745-DE1CB2B1C151}\ProgID\ = "AfirePrj.Afire"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C7B28AAD-2087-4832-9E09-B70FF45CDF85}\1.0\0\win32\ = "C:\\Windows\\AFIRE.DLL"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\TypeLib\Version = "1.0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48810106-1FB4-4D74-9745-DE1CB2B1C151}\TypeLib	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AfirePrj.Afire	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AfirePrj.Afire\ = "AfirePrj.Afire"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C7B28AAD-2087-4832-9E09-B70FF45CDF85}\1.0\FLAGS\ = "0"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{76B44BC9-7507-49F0-880C-E7DAD894B1AE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76B44BC9-7507-49F0-880C-E7DAD894B1AE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\TypeLib	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\TypeLib\Version = "1.0"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C003C75-A91B-4EB2-8245-61E27B6D705D}\ = "AfirePrj.CSocketMaster"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C7B28AAD-2087-4832-9E09-B70FF45CDF85}\1.0\HELPDIR\ = "C:\\Windows"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AfirePrj.CSocketMaster	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AfirePrj.CSocketMaster\Clsid\ = "{0C003C75-A91B-4EB2-8245-61E27B6D705D}"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48810106-1FB4-4D74-9745-DE1CB2B1C151}\TypeLib\ = "{C7B28AAD-2087-4832-9E09-B70FF45CDF85}"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{76B44BC9-7507-49F0-880C-E7DAD894B1AE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48810106-1FB4-4D74-9745-DE1CB2B1C151}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}\ProxyStubClsid32	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C003C75-A91B-4EB2-8245-61E27B6D705D}\TypeLib	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C003C75-A91B-4EB2-8245-61E27B6D705D}\Programmable	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48810106-1FB4-4D74-9745-DE1CB2B1C151}\InprocServer32\ = "C:\\Windows\\AFIRE.DLL"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48810106-1FB4-4D74-9745-DE1CB2B1C151}\Programmable	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C7B28AAD-2087-4832-9E09-B70FF45CDF85}	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\ = "_CSocketMaster"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AfirePrj.CSocketMaster\Clsid	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AfirePrj.Afire\Clsid	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76B44BC9-7507-49F0-880C-E7DAD894B1AE}\ = "_Afire"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\TypeLib	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}\TypeLib\Version = "1.0"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C003C75-A91B-4EB2-8245-61E27B6D705D}\ProgID\ = "AfirePrj.CSocketMaster"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C003C75-A91B-4EB2-8245-61E27B6D705D}\Implemented Categories	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76B44BC9-7507-49F0-880C-E7DAD894B1AE}\ProxyStubClsid32	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C003C75-A91B-4EB2-8245-61E27B6D705D}\VERSION\ = "1.0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48810106-1FB4-4D74-9745-DE1CB2B1C151}\InprocServer32	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AfirePrj.Afire\Clsid\ = "{48810106-1FB4-4D74-9745-DE1CB2B1C151}"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{76B44BC9-7507-49F0-880C-E7DAD894B1AE}\ProxyStubClsid	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{76B44BC9-7507-49F0-880C-E7DAD894B1AE}\TypeLib	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}\TypeLib	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C003C75-A91B-4EB2-8245-61E27B6D705D}\ProgID	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C003C75-A91B-4EB2-8245-61E27B6D705D}\TypeLib\ = "{C7B28AAD-2087-4832-9E09-B70FF45CDF85}"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\ = "CSocketMaster"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}\ProxyStubClsid	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\ProxyStubClsid	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{76B44BC9-7507-49F0-880C-E7DAD894B1AE}\ = "_Afire"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{76B44BC9-7507-49F0-880C-E7DAD894B1AE}\TypeLib\Version = "1.0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}\TypeLib	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}\TypeLib\ = "{C7B28AAD-2087-4832-9E09-B70FF45CDF85}"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C7B28AAD-2087-4832-9E09-B70FF45CDF85}\1.0\ = "AfirePrj"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C7B28AAD-2087-4832-9E09-B70FF45CDF85}\1.0\HELPDIR	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03B875AD-15B9-4721-9842-F39B5B2EA509}\ProxyStubClsid32	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}\TypeLib\Version = "1.0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74BAB3C6-4363-4A8E-B6AB-FA03A1A37B13}\ProxyStubClsid32	services.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1832	a3eec32541be894b7f25be656f28a9a4.exe
2220	services.exe
2220	services.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2220	1832	a3eec32541be894b7f25be656f28a9a4.exe	28
PID 1832 wrote to memory of 2220	1832	a3eec32541be894b7f25be656f28a9a4.exe	28
PID 1832 wrote to memory of 2220	1832	a3eec32541be894b7f25be656f28a9a4.exe	28
PID 1832 wrote to memory of 2220	1832	a3eec32541be894b7f25be656f28a9a4.exe	28
PID 1832 wrote to memory of 2220	1832	a3eec32541be894b7f25be656f28a9a4.exe	28
PID 1832 wrote to memory of 2220	1832	a3eec32541be894b7f25be656f28a9a4.exe	28
PID 1832 wrote to memory of 2220	1832	a3eec32541be894b7f25be656f28a9a4.exe	28

C:\Users\Admin\AppData\Local\Temp\a3eec32541be894b7f25be656f28a9a4.exe
"C:\Users\Admin\AppData\Local\Temp\a3eec32541be894b7f25be656f28a9a4.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\pchealth\services.exe
  "C:\Windows\pchealth\services.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AFIRE.DLL

Filesize
152KB

MD5
e408ee2c6efa93ccd3683e52ad58bd1c

SHA1
f8770130fcc9ca8116dbf9c5ecb982c77f3fa41f

SHA256
324d92fadd3d00ad6e481a9e97c1961ac8c871cb175e911f2e5e0fb9c7aaf3bf

SHA512
c324cf0935148df30cbe398399b6b90b757ea6ab595c9b5353c6c2201699038963b586c9baca4446a4b02d1a094ca5850215a3d0079bb0b9b2d528e5100cecb1

Download Submit
C:\Windows\setupconfig.dat

Filesize
14B

MD5
96e98a2a56841e4b3de562e9cce0567d

SHA1
30a1fb35b2cf587f23a79348f6f53c3917293d1b

SHA256
27f8dee93960f38b8b6ab456651a8c09fa26c3724369a9b6648d7ec938e0451d

SHA512
2848c904e50b7160e30590c0b90a4bb030bde4984f064d7ad8274d3f2488d38ca952f78a527d0edba4f71dcaf09e3d5e2f5460275f8c7064a5f9e909ddb2c7bf

Download Submit
\Windows\PCHEALTH\services.exe

Filesize
24KB

MD5
469b9f2dc3250a142a60db98eb2622eb

SHA1
78165392d4df3275daeacf75a56bab00a892b171

SHA256
acf1555792ac1a743c8372da176713084674a735143c5dfa538f1a54141c20a9

SHA512
f61c6b6b64ae6bc7686039e77904d966324ea8eb5e55b42001561a521e80c50f00dab068a058633ee9d00b2cda52503f8a37c2bb5973526b23f9af2a0f7f8e7a

Download Submit
memory/1832-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1832-1-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/1832-10-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/1832-24-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/1832-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads