baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15

Target

setup_x86_x64_install.exe
Size

2.2MB
MD5

e3b3a95ef03de0de77cca7a54ea22c94
SHA1

d318d234f8f27f25de660d9881113df9d11c24ff
SHA256

baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15
SHA512

3c1c6254f14491bc2cb096d8b46d0d65e096dac331bab2df9c5b173271eef1b9a9deb831f212a0117fab16665277208d0c1b5183ea600cc2bbe6f9049c57ad0d

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral8/files/0x000400000001ab2d-124.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab2e-123.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab2e-128.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab2d-125.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab30-129.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab30-130.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
3940	setup_installer.exe
2124	setup_install.exe
4200	Fri156ec98815f89c.exe
4212	Fri1544861ac3fe6a.exe
4248	Fri157e25afd971.exe
4276	Fri155442fc38b.exe
4296	Fri15af75ee9b.exe
4368	Fri1553f0ee90.exe
4468	Fri157e25afd971.tmp
4728	LzmwAqmV.exe
4792	2127950.exe
4804	zab2our.exe
4868	3384081.exe
4944	Chrome 5.exe
4988	2381092.exe

Loads dropped DLL 6 IoCs

pid	Process
2124	setup_install.exe
2124	setup_install.exe
2124	setup_install.exe
2124	setup_install.exe
2124	setup_install.exe
4468	Fri157e25afd971.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4188	powershell.exe
4188	powershell.exe
4188	powershell.exe
4188	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	Fri1553f0ee90.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	4276	Fri155442fc38b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 3940	2872	setup_x86_x64_install.exe	82
PID 2872 wrote to memory of 3940	2872	setup_x86_x64_install.exe	82
PID 2872 wrote to memory of 3940	2872	setup_x86_x64_install.exe	82
PID 3940 wrote to memory of 2124	3940	setup_installer.exe	83
PID 3940 wrote to memory of 2124	3940	setup_installer.exe	83
PID 3940 wrote to memory of 2124	3940	setup_installer.exe	83
PID 2124 wrote to memory of 3872	2124	setup_install.exe	86
PID 2124 wrote to memory of 3872	2124	setup_install.exe	86
PID 2124 wrote to memory of 3872	2124	setup_install.exe	86
PID 2124 wrote to memory of 3740	2124	setup_install.exe	99
PID 2124 wrote to memory of 3740	2124	setup_install.exe	99
PID 2124 wrote to memory of 3740	2124	setup_install.exe	99
PID 2124 wrote to memory of 1996	2124	setup_install.exe	87
PID 2124 wrote to memory of 1996	2124	setup_install.exe	87
PID 2124 wrote to memory of 1996	2124	setup_install.exe	87
PID 2124 wrote to memory of 2236	2124	setup_install.exe	98
PID 2124 wrote to memory of 2236	2124	setup_install.exe	98
PID 2124 wrote to memory of 2236	2124	setup_install.exe	98
PID 2124 wrote to memory of 8	2124	setup_install.exe	88
PID 2124 wrote to memory of 8	2124	setup_install.exe	88
PID 2124 wrote to memory of 8	2124	setup_install.exe	88
PID 2124 wrote to memory of 4116	2124	setup_install.exe	89
PID 2124 wrote to memory of 4116	2124	setup_install.exe	89
PID 2124 wrote to memory of 4116	2124	setup_install.exe	89
PID 2124 wrote to memory of 4136	2124	setup_install.exe	97
PID 2124 wrote to memory of 4136	2124	setup_install.exe	97
PID 2124 wrote to memory of 4136	2124	setup_install.exe	97
PID 2124 wrote to memory of 4156	2124	setup_install.exe	90
PID 2124 wrote to memory of 4156	2124	setup_install.exe	90
PID 2124 wrote to memory of 4156	2124	setup_install.exe	90
PID 3872 wrote to memory of 4188	3872	cmd.exe	96
PID 3872 wrote to memory of 4188	3872	cmd.exe	96
PID 3872 wrote to memory of 4188	3872	cmd.exe	96
PID 1996 wrote to memory of 4200	1996	cmd.exe	95
PID 1996 wrote to memory of 4200	1996	cmd.exe	95
PID 1996 wrote to memory of 4200	1996	cmd.exe	95
PID 3740 wrote to memory of 4212	3740	cmd.exe	91
PID 3740 wrote to memory of 4212	3740	cmd.exe	91
PID 3740 wrote to memory of 4212	3740	cmd.exe	91
PID 2236 wrote to memory of 4248	2236	cmd.exe	92
PID 2236 wrote to memory of 4248	2236	cmd.exe	92
PID 2236 wrote to memory of 4248	2236	cmd.exe	92
PID 8 wrote to memory of 4276	8	cmd.exe	94
PID 8 wrote to memory of 4276	8	cmd.exe	94
PID 4116 wrote to memory of 4296	4116	cmd.exe	93
PID 4116 wrote to memory of 4296	4116	cmd.exe	93
PID 4116 wrote to memory of 4296	4116	cmd.exe	93
PID 4156 wrote to memory of 4368	4156	cmd.exe	100
PID 4156 wrote to memory of 4368	4156	cmd.exe	100
PID 4248 wrote to memory of 4468	4248	Fri157e25afd971.exe	101
PID 4248 wrote to memory of 4468	4248	Fri157e25afd971.exe	101
PID 4248 wrote to memory of 4468	4248	Fri157e25afd971.exe	101
PID 4368 wrote to memory of 4728	4368	Fri1553f0ee90.exe	102
PID 4368 wrote to memory of 4728	4368	Fri1553f0ee90.exe	102
PID 4368 wrote to memory of 4728	4368	Fri1553f0ee90.exe	102
PID 4276 wrote to memory of 4792	4276	Fri155442fc38b.exe	104
PID 4276 wrote to memory of 4792	4276	Fri155442fc38b.exe	104
PID 4468 wrote to memory of 4804	4468	Fri157e25afd971.tmp	103
PID 4468 wrote to memory of 4804	4468	Fri157e25afd971.tmp	103
PID 4276 wrote to memory of 4868	4276	Fri155442fc38b.exe	105
PID 4276 wrote to memory of 4868	4276	Fri155442fc38b.exe	105
PID 4276 wrote to memory of 4868	4276	Fri155442fc38b.exe	105
PID 4728 wrote to memory of 4944	4728	LzmwAqmV.exe	106
PID 4728 wrote to memory of 4944	4728	LzmwAqmV.exe	106

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\7zS46F6E8E3\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS46F6E8E3\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Users\Admin\AppData\Local\Temp\7zS46F6E8E3\Fri156ec98815f89c.exe
        
        Fri156ec98815f89c.exe
        5⤵
        Executes dropped EXE
        
        PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri155442fc38b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Users\Admin\AppData\Local\Temp\7zS46F6E8E3\Fri155442fc38b.exe
        
        Fri155442fc38b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
      - C:\Users\Admin\AppData\Roaming\2127950.exe
        
        "C:\Users\Admin\AppData\Roaming\2127950.exe"
        6⤵
        Executes dropped EXE
        
        PID:4792
      - C:\Users\Admin\AppData\Roaming\3384081.exe
        
        "C:\Users\Admin\AppData\Roaming\3384081.exe"
        6⤵
        Executes dropped EXE
        
        PID:4868
      - C:\Users\Admin\AppData\Roaming\2381092.exe
        
        "C:\Users\Admin\AppData\Roaming\2381092.exe"
        6⤵
        Executes dropped EXE
        
        PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Users\Admin\AppData\Local\Temp\7zS46F6E8E3\Fri15af75ee9b.exe
        
        Fri15af75ee9b.exe
        5⤵
        Executes dropped EXE
        
        PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4156
    - - C:\Users\Admin\AppData\Local\Temp\7zS46F6E8E3\Fri1553f0ee90.exe
        
        Fri1553f0ee90.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        
        PID:5048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c APPNAME7.exe
      4⤵
      PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri157e25afd971.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3740

C:\Users\Admin\AppData\Local\Temp\7zS46F6E8E3\Fri1544861ac3fe6a.exe
Fri1544861ac3fe6a.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Users\Admin\AppData\Local\Temp\7zS46F6E8E3\Fri157e25afd971.exe
Fri157e25afd971.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\is-8IC1T.tmp\Fri157e25afd971.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8IC1T.tmp\Fri157e25afd971.tmp" /SL5="$20086,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS46F6E8E3\Fri157e25afd971.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\is-ICACI.tmp\zab2our.exe
    "C:\Users\Admin\AppData\Local\Temp\is-ICACI.tmp\zab2our.exe" /S /UID=burnerch2
    3⤵
    - Executes dropped EXE
    PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2124-134-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2124-131-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2124-136-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2124-137-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2124-135-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2124-132-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2124-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4188-195-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download
memory/4188-192-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/4188-209-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/4188-179-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/4188-181-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/4188-173-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/4188-184-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/4188-175-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/4188-187-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/4188-190-0x0000000007D70000-0x0000000007D71000-memory.dmp

Filesize
4KB

Download
memory/4188-191-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/4188-186-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/4188-185-0x0000000004BF2000-0x0000000004BF3000-memory.dmp

Filesize
4KB

Download
memory/4188-183-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/4248-170-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4276-178-0x000000001BD40000-0x000000001BD41000-memory.dmp

Filesize
4KB

Download
memory/4276-188-0x000000001B920000-0x000000001B922000-memory.dmp

Filesize
8KB

Download
memory/4276-177-0x0000000002A00000-0x0000000002A16000-memory.dmp

Filesize
88KB

Download
memory/4276-194-0x000000001B650000-0x000000001B651000-memory.dmp

Filesize
4KB

Download
memory/4276-168-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/4368-182-0x000000001B720000-0x000000001B722000-memory.dmp

Filesize
8KB

Download
memory/4368-166-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/4468-189-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4728-198-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4792-206-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/4792-222-0x0000000002DA0000-0x0000000002DDE000-memory.dmp

Filesize
248KB

Download
memory/4804-215-0x0000000001270000-0x0000000001272000-memory.dmp

Filesize
8KB

Download
memory/4868-216-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/4868-224-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4944-217-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download