46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

Analysis

max time kernel
153s
max time network
157s
platform
windows10_x64
resource
win10
submitted
11-08-2020 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foo/0becfedf4d0b9ad5251aca33274a4cf4.exe

Score

10^/10

aspackv2 evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0becfedf4d0b9ad5251aca33274a4cf4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Program Files (x86)\\Adobe\\EXjnIWaB.exe"	0becfedf4d0b9ad5251aca33274a4cf4.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

mKcqniHT.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	mKcqniHT.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	mKcqniHT.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	mKcqniHT.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

mKcqniHT.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	mKcqniHT.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	mKcqniHT.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	mKcqniHT.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Start = "4"	mKcqniHT.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mKcqniHT.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\mKcqniHT.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\mKcqniHT.exe	aspack_v212_v242
C:\Program Files (x86)\Adobe\EXjnIWaB.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\xAzEKuJt.exe	aspack_v212_v242
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QcMtemuo.exe	aspack_v212_v242

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

mKcqniHT.exemKcqniHT.exe

pid process

1820 mKcqniHT.exe
1664 mKcqniHT.exe

pid	process
1820	mKcqniHT.exe
1664	mKcqniHT.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral18/memory/1932-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral18/memory/1932-2-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral18/memory/1932-3-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Drops startup file 4 IoCs

Processes:

0becfedf4d0b9ad5251aca33274a4cf4.exemKcqniHT.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QcMtemuo.exe	0becfedf4d0b9ad5251aca33274a4cf4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QcMtemuo.exe	0becfedf4d0b9ad5251aca33274a4cf4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QcMtemuo.exe	mKcqniHT.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QcMtemuo.exe	mKcqniHT.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

mKcqniHT.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mKcqniHT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mKcqniHT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mKcqniHT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	mKcqniHT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mKcqniHT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	mKcqniHT.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0becfedf4d0b9ad5251aca33274a4cf4.exemKcqniHT.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	0becfedf4d0b9ad5251aca33274a4cf4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YMJzMRSt = "C:\\Users\\Admin\\AppData\\Local\\ConnectedDevicesPlatform\\xAzEKuJt.exe"	0becfedf4d0b9ad5251aca33274a4cf4.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	mKcqniHT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YMJzMRSt = "C:\\Users\\Admin\\AppData\\Local\\ConnectedDevicesPlatform\\xAzEKuJt.exe"	mKcqniHT.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

mKcqniHT.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mKcqniHT.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mKcqniHT.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0becfedf4d0b9ad5251aca33274a4cf4.exemKcqniHT.exe

description	pid	process	target process
PID 3928 set thread context of 1932	3928	0becfedf4d0b9ad5251aca33274a4cf4.exe	0becfedf4d0b9ad5251aca33274a4cf4.exe
PID 1820 set thread context of 1664	1820	mKcqniHT.exe	mKcqniHT.exe

Drops file in Program Files directory 2 IoCs

Processes:

0becfedf4d0b9ad5251aca33274a4cf4.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\EXjnIWaB.exe	0becfedf4d0b9ad5251aca33274a4cf4.exe
File opened for modification	C:\Program Files (x86)\Adobe\EXjnIWaB.exe	0becfedf4d0b9ad5251aca33274a4cf4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mKcqniHT.exe

pid	process
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe
1664	mKcqniHT.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

0becfedf4d0b9ad5251aca33274a4cf4.exemKcqniHT.exe

description	pid	process
Token: SeSecurityPrivilege	1932	0becfedf4d0b9ad5251aca33274a4cf4.exe
Token: SeDebugPrivilege	1932	0becfedf4d0b9ad5251aca33274a4cf4.exe
Token: SeTcbPrivilege	1932	0becfedf4d0b9ad5251aca33274a4cf4.exe
Token: SeSecurityPrivilege	1664	mKcqniHT.exe
Token: SeDebugPrivilege	1664	mKcqniHT.exe
Token: SeTcbPrivilege	1664	mKcqniHT.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0becfedf4d0b9ad5251aca33274a4cf4.exe0becfedf4d0b9ad5251aca33274a4cf4.exemKcqniHT.exe

description	pid	process	target process
PID 3928 wrote to memory of 1932	3928	0becfedf4d0b9ad5251aca33274a4cf4.exe	0becfedf4d0b9ad5251aca33274a4cf4.exe
PID 3928 wrote to memory of 1932	3928	0becfedf4d0b9ad5251aca33274a4cf4.exe	0becfedf4d0b9ad5251aca33274a4cf4.exe
PID 3928 wrote to memory of 1932	3928	0becfedf4d0b9ad5251aca33274a4cf4.exe	0becfedf4d0b9ad5251aca33274a4cf4.exe
PID 3928 wrote to memory of 1932	3928	0becfedf4d0b9ad5251aca33274a4cf4.exe	0becfedf4d0b9ad5251aca33274a4cf4.exe
PID 3928 wrote to memory of 1932	3928	0becfedf4d0b9ad5251aca33274a4cf4.exe	0becfedf4d0b9ad5251aca33274a4cf4.exe
PID 1932 wrote to memory of 1820	1932	0becfedf4d0b9ad5251aca33274a4cf4.exe	mKcqniHT.exe
PID 1932 wrote to memory of 1820	1932	0becfedf4d0b9ad5251aca33274a4cf4.exe	mKcqniHT.exe
PID 1932 wrote to memory of 1820	1932	0becfedf4d0b9ad5251aca33274a4cf4.exe	mKcqniHT.exe
PID 1820 wrote to memory of 1664	1820	mKcqniHT.exe	mKcqniHT.exe
PID 1820 wrote to memory of 1664	1820	mKcqniHT.exe	mKcqniHT.exe
PID 1820 wrote to memory of 1664	1820	mKcqniHT.exe	mKcqniHT.exe
PID 1820 wrote to memory of 1664	1820	mKcqniHT.exe	mKcqniHT.exe
PID 1820 wrote to memory of 1664	1820	mKcqniHT.exe	mKcqniHT.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

mKcqniHT.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mKcqniHT.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mKcqniHT.exe

C:\Users\Admin\AppData\Local\Temp\foo\0becfedf4d0b9ad5251aca33274a4cf4.exe
"C:\Users\Admin\AppData\Local\Temp\foo\0becfedf4d0b9ad5251aca33274a4cf4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3928

C:\Users\Admin\AppData\Local\Temp\foo\0becfedf4d0b9ad5251aca33274a4cf4.exe
"C:\Users\Admin\AppData\Local\Temp\foo\0becfedf4d0b9ad5251aca33274a4cf4.exe"
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\mKcqniHT.exe
"C:\Users\Admin\AppData\Local\Temp\mKcqniHT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\mKcqniHT.exe
"C:\Users\Admin\AppData\Local\Temp\mKcqniHT.exe"
4⤵
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\EXjnIWaB.exe
MD5
0becfedf4d0b9ad5251aca33274a4cf4

SHA1
5d6faf04a6215b08988f289373f3b239d5878d06

SHA256
235b35c4574f4d28ac034e7fbd4827384f6243d591d1d1bd76e320905f5b0242

SHA512
0e835c83ff46c74acf6140bd434666ddffd2c0aa9875fc9899daff62b473ab98ee0947c226e9ffd8c4322b418574e9f5e2d2d32415b232667921c3db404dcd35

Download Submit
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\xAzEKuJt.exe
MD5
0becfedf4d0b9ad5251aca33274a4cf4

SHA1
5d6faf04a6215b08988f289373f3b239d5878d06

SHA256
235b35c4574f4d28ac034e7fbd4827384f6243d591d1d1bd76e320905f5b0242

SHA512
0e835c83ff46c74acf6140bd434666ddffd2c0aa9875fc9899daff62b473ab98ee0947c226e9ffd8c4322b418574e9f5e2d2d32415b232667921c3db404dcd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKcqniHT.exe
MD5
0becfedf4d0b9ad5251aca33274a4cf4

SHA1
5d6faf04a6215b08988f289373f3b239d5878d06

SHA256
235b35c4574f4d28ac034e7fbd4827384f6243d591d1d1bd76e320905f5b0242

SHA512
0e835c83ff46c74acf6140bd434666ddffd2c0aa9875fc9899daff62b473ab98ee0947c226e9ffd8c4322b418574e9f5e2d2d32415b232667921c3db404dcd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKcqniHT.exe
MD5
0becfedf4d0b9ad5251aca33274a4cf4

SHA1
5d6faf04a6215b08988f289373f3b239d5878d06

SHA256
235b35c4574f4d28ac034e7fbd4827384f6243d591d1d1bd76e320905f5b0242

SHA512
0e835c83ff46c74acf6140bd434666ddffd2c0aa9875fc9899daff62b473ab98ee0947c226e9ffd8c4322b418574e9f5e2d2d32415b232667921c3db404dcd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKcqniHT.exe
MD5
0becfedf4d0b9ad5251aca33274a4cf4

SHA1
5d6faf04a6215b08988f289373f3b239d5878d06

SHA256
235b35c4574f4d28ac034e7fbd4827384f6243d591d1d1bd76e320905f5b0242

SHA512
0e835c83ff46c74acf6140bd434666ddffd2c0aa9875fc9899daff62b473ab98ee0947c226e9ffd8c4322b418574e9f5e2d2d32415b232667921c3db404dcd35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QcMtemuo.exe
MD5
0becfedf4d0b9ad5251aca33274a4cf4

SHA1
5d6faf04a6215b08988f289373f3b239d5878d06

SHA256
235b35c4574f4d28ac034e7fbd4827384f6243d591d1d1bd76e320905f5b0242

SHA512
0e835c83ff46c74acf6140bd434666ddffd2c0aa9875fc9899daff62b473ab98ee0947c226e9ffd8c4322b418574e9f5e2d2d32415b232667921c3db404dcd35

Download Submit
memory/1664-8-0x0000000000414B90-mapping.dmp

Download
memory/1820-4-0x0000000000000000-mapping.dmp

Download
memory/1932-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-1-0x0000000000414B90-mapping.dmp

Download
memory/1932-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download