96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45

Analysis

max time kernel
19s
max time network
115s
platform
windows10_x64
resource
win10v20210408
submitted
05-09-2021 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

500A3B64014DE00B03F981299586FAE6.exe
Size

5.5MB
MD5

500a3b64014de00b03f981299586fae6
SHA1

268186377c6306055e8c42c1a1bde48adcb735b2
SHA256

96b3a6f88bebb213230bd38f95804466296c238e0774861ceec6ad4424dcfb45
SHA512

fb0f4b59aa74754056252edf1ddc0b4d6fc8a983aa1ff638030bec8b129141915b407b812a4a26c01e65b5b0ed259daab7bcadbb8d9f4c9a53c4d61295629085

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000100000001ab28-118.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab28-120.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4052	setup_install.exe

Loads dropped DLL 4 IoCs

pid	Process
4052	setup_install.exe
4052	setup_install.exe
4052	setup_install.exe
4052	setup_install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 4052	1832	500A3B64014DE00B03F981299586FAE6.exe	75
PID 1832 wrote to memory of 4052	1832	500A3B64014DE00B03F981299586FAE6.exe	75
PID 1832 wrote to memory of 4052	1832	500A3B64014DE00B03F981299586FAE6.exe	75
PID 4052 wrote to memory of 3600	4052	setup_install.exe	78
PID 4052 wrote to memory of 3600	4052	setup_install.exe	78
PID 4052 wrote to memory of 3600	4052	setup_install.exe	78

C:\Users\Admin\AppData\Local\Temp\500A3B64014DE00B03F981299586FAE6.exe
"C:\Users\Admin\AppData\Local\Temp\500A3B64014DE00B03F981299586FAE6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\7zS827F9844\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS827F9844\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\58a51f2acaa24098.exe
    3⤵
    PID:3600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4052-125-0x0000000061880000-0x00000000618B7000-memory.dmp

Filesize
220KB

Download
memory/4052-128-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4052-127-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4052-129-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4052-130-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download