fea5c5b5ab4d3ffc51ba843be267e58f6d3142f7f8699c4b9c833afe9e52963a

General

Target

fea5c5b5ab4d3ffc51ba843be267e58f6d3142f7f8699c4b9c833afe9e52963a.exe
Size

300KB
MD5

67035d867a21de4669745a28d273b833
SHA1

3d19fa876c7a3de98f7a27c6d32e2466bb06037a
SHA256

fea5c5b5ab4d3ffc51ba843be267e58f6d3142f7f8699c4b9c833afe9e52963a
SHA512

dfac1aa2a3ce61e2e6853a676c5642ff0bfb56580dcd3d63676389b0c9f2c5e4ed3eea4e4f6b6d8ea77c0e533710562451febd6534a324bab75da21551e58307

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SCNnnGR.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\SCNnnGR.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

SCNnnGR.exe

pid process

1216 SCNnnGR.exe

pid	process
1216	SCNnnGR.exe

Drops file in Program Files directory 64 IoCs

Processes:

SCNnnGR.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\PurchaseApp.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	SCNnnGR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpEng.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	SCNnnGR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	SCNnnGR.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	SCNnnGR.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Video.UI.exe	SCNnnGR.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	SCNnnGR.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteshare.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\OneConnect.exe	SCNnnGR.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	SCNnnGR.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	SCNnnGR.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxMail.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	SCNnnGR.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore.App.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	SCNnnGR.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	SCNnnGR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fea5c5b5ab4d3ffc51ba843be267e58f6d3142f7f8699c4b9c833afe9e52963a.exeSCNnnGR.exe

description	pid	process	target process
PID 2232 wrote to memory of 1216	2232	fea5c5b5ab4d3ffc51ba843be267e58f6d3142f7f8699c4b9c833afe9e52963a.exe	SCNnnGR.exe
PID 2232 wrote to memory of 1216	2232	fea5c5b5ab4d3ffc51ba843be267e58f6d3142f7f8699c4b9c833afe9e52963a.exe	SCNnnGR.exe
PID 2232 wrote to memory of 1216	2232	fea5c5b5ab4d3ffc51ba843be267e58f6d3142f7f8699c4b9c833afe9e52963a.exe	SCNnnGR.exe
PID 1216 wrote to memory of 3700	1216	SCNnnGR.exe	cmd.exe
PID 1216 wrote to memory of 3700	1216	SCNnnGR.exe	cmd.exe
PID 1216 wrote to memory of 3700	1216	SCNnnGR.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fea5c5b5ab4d3ffc51ba843be267e58f6d3142f7f8699c4b9c833afe9e52963a.exe
"C:\Users\Admin\AppData\Local\Temp\fea5c5b5ab4d3ffc51ba843be267e58f6d3142f7f8699c4b9c833afe9e52963a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\SCNnnGR.exe
C:\Users\Admin\AppData\Local\Temp\SCNnnGR.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\676d59dd.bat" "
3⤵
PID:3700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\676d59dd.bat
MD5
6896d0521dd7921acff59f5f51c43ee7

SHA1
d9c0ac6a6d5e8da88e0be51a804c080878054698

SHA256
954d386424a016a18812eb8330bf594ed705156f60bd192faac60537892e1cef

SHA512
a971d064d9ec8a4f8cd88fa84b01215986eb7c3813d58b3149dbb3f5b0d940b1983f906e9dc423e9a2593fb5b001b8c19aaf5082ef36bc02e7b8e1b01ecacfe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SCNnnGR.exe
MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SCNnnGR.exe
MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/1216-114-0x0000000000000000-mapping.dmp

Download
memory/3700-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads