de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248

General

Target

de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Size

231KB
MD5

6b699598d9b88107f16ea4977a39dd2c
SHA1

28ae2c9fe6ae8ca1e891d32094e159684363cef1
SHA256

de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248
SHA512

668ca675242b843f7781df225c4156b2b7722b7f7a5afe9233e45ff587546ac5d35f282f43fc518228ae7591290f4bb0da5aada839bcfe1ee255f98c694d0050

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

SKP.EXEde048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\System Volume Information\\QRJSLZN.EXE \"%1\" %*"	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	SKP.EXE

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\$Recycle.Bin\SKP.EXE	aspack_v212_v242
\$Recycle.Bin\SKP.EXE	aspack_v212_v242
C:\$Recycle.Bin\SKP.EXE	aspack_v212_v242
C:\$Recycle.Bin\SKP.EXE	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

SKP.EXE

pid process

2032 SKP.EXE

pid	process
2032	SKP.EXE

Loads dropped DLL 2 IoCs

Processes:

de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe

pid	process
1096	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
1096	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exeSKP.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZARHAIJ.EXE = "C:\\Users\\DRPXJME.EXE"	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SKP.EXE

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exeSKP.EXE

description	ioc	process
File opened (read-only)	\??\U:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\V:	SKP.EXE
File opened (read-only)	\??\R:	SKP.EXE
File opened (read-only)	\??\U:	SKP.EXE
File opened (read-only)	\??\P:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\S:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\H:	SKP.EXE
File opened (read-only)	\??\K:	SKP.EXE
File opened (read-only)	\??\Q:	SKP.EXE
File opened (read-only)	\??\E:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\K:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\I:	SKP.EXE
File opened (read-only)	\??\O:	SKP.EXE
File opened (read-only)	\??\T:	SKP.EXE
File opened (read-only)	\??\Q:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\E:	SKP.EXE
File opened (read-only)	\??\T:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\G:	SKP.EXE
File opened (read-only)	\??\I:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\O:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\H:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\L:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\M:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\N:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\F:	SKP.EXE
File opened (read-only)	\??\L:	SKP.EXE
File opened (read-only)	\??\F:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\G:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\P:	SKP.EXE
File opened (read-only)	\??\M:	SKP.EXE
File opened (read-only)	\??\S:	SKP.EXE
File opened (read-only)	\??\J:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\R:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\N:	SKP.EXE
File opened (read-only)	\??\V:	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File opened (read-only)	\??\J:	SKP.EXE

Drops file in Program Files directory 10 IoCs

Processes:

SKP.EXEde048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe

description	ioc	process
File created	C:\Program Files\WJDLI.EXE	SKP.EXE
File created	C:\Program Files\OBHFP.EXE	SKP.EXE
File created	C:\Program Files (x86)\WLOVF.EXE	SKP.EXE
File created	C:\Program Files (x86)\RUQFVX.EXE	SKP.EXE
File created	C:\Program Files (x86)\NDSQMT.EXE	SKP.EXE
File created	C:\Program Files (x86)\VFVML.EXE	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File created	C:\Program Files\FOIS.EXE	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File created	C:\Program Files\SONXR.EXE	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
File created	C:\Program Files\JKJQG.EXE	SKP.EXE
File created	C:\Program Files (x86)\FTLAX.EXE	SKP.EXE

Modifies registry class 38 IoCs

Processes:

SKP.EXEde048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files\\FOIS.EXE \"%1\""	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\System Volume Information\\IHCCWP.EXE %1"	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	SKP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\YBFIJVA.EXE %1"	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	SKP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\System Volume Information\\QRJSLZN.EXE \"%1\" %*"	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files\\SONXR.EXE \"%1\""	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell	SKP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	SKP.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe

description	pid	process	target process
PID 1096 wrote to memory of 2032	1096	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe	SKP.EXE
PID 1096 wrote to memory of 2032	1096	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe	SKP.EXE
PID 1096 wrote to memory of 2032	1096	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe	SKP.EXE
PID 1096 wrote to memory of 2032	1096	de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe	SKP.EXE

C:\Users\Admin\AppData\Local\Temp\de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
"C:\Users\Admin\AppData\Local\Temp\de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096

C:\$Recycle.Bin\SKP.EXE
C:\$Recycle.Bin\SKP.EXE
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
PID:2032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\SKP.EXE
MD5
c0af04427381d5d5c8f5cac417779f82

SHA1
c3aaeaf828772e30dd90cc9172e664b6b7e8b0ee

SHA256
ebee22918c0c0755eb41ef14626709e40b0be187404a475a4b681dff34fb8fc6

SHA512
16e48191ddd04cb7c2ee240b525d2ecb27443d9e7a3819594f269e4dbb82fde891779cbd0c55ae50b822b83dbc492ee15fe702e4fb2e651865e29eeef50b5612

Download Submit
C:\$Recycle.Bin\SKP.EXE
MD5
c0af04427381d5d5c8f5cac417779f82

SHA1
c3aaeaf828772e30dd90cc9172e664b6b7e8b0ee

SHA256
ebee22918c0c0755eb41ef14626709e40b0be187404a475a4b681dff34fb8fc6

SHA512
16e48191ddd04cb7c2ee240b525d2ecb27443d9e7a3819594f269e4dbb82fde891779cbd0c55ae50b822b83dbc492ee15fe702e4fb2e651865e29eeef50b5612

Download Submit
\$Recycle.Bin\SKP.EXE
MD5
c0af04427381d5d5c8f5cac417779f82

SHA1
c3aaeaf828772e30dd90cc9172e664b6b7e8b0ee

SHA256
ebee22918c0c0755eb41ef14626709e40b0be187404a475a4b681dff34fb8fc6

SHA512
16e48191ddd04cb7c2ee240b525d2ecb27443d9e7a3819594f269e4dbb82fde891779cbd0c55ae50b822b83dbc492ee15fe702e4fb2e651865e29eeef50b5612

Download Submit
\$Recycle.Bin\SKP.EXE
MD5
c0af04427381d5d5c8f5cac417779f82

SHA1
c3aaeaf828772e30dd90cc9172e664b6b7e8b0ee

SHA256
ebee22918c0c0755eb41ef14626709e40b0be187404a475a4b681dff34fb8fc6

SHA512
16e48191ddd04cb7c2ee240b525d2ecb27443d9e7a3819594f269e4dbb82fde891779cbd0c55ae50b822b83dbc492ee15fe702e4fb2e651865e29eeef50b5612

Download Submit
memory/1096-65-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2032-62-0x0000000000000000-mapping.dmp

Download
memory/2032-66-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads