baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15

Target

setup_x86_x64_install.exe
Size

2.2MB
MD5

e3b3a95ef03de0de77cca7a54ea22c94
SHA1

d318d234f8f27f25de660d9881113df9d11c24ff
SHA256

baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15
SHA512

3c1c6254f14491bc2cb096d8b46d0d65e096dac331bab2df9c5b173271eef1b9a9deb831f212a0117fab16665277208d0c1b5183ea600cc2bbe6f9049c57ad0d

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral8/files/0x000400000001ab2d-122.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab2d-125.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab2f-128.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab2f-129.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab2c-124.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab2c-131.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab2c-130.dat	aspack_v212_v242

Executes dropped EXE 8 IoCs

pid	Process
2752	setup_installer.exe
3336	setup_install.exe
4164	Fri1544861ac3fe6a.exe
4212	Fri155442fc38b.exe
4284	Fri157e25afd971.exe
4272	Fri1553f0ee90.exe
4296	Fri156ec98815f89c.exe
4304	Fri15af75ee9b.exe

Loads dropped DLL 6 IoCs

pid	Process
3336	setup_install.exe
3336	setup_install.exe
3336	setup_install.exe
3336	setup_install.exe
3336	setup_install.exe
3336	setup_install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 2752	3924	setup_x86_x64_install.exe	81
PID 3924 wrote to memory of 2752	3924	setup_x86_x64_install.exe	81
PID 3924 wrote to memory of 2752	3924	setup_x86_x64_install.exe	81
PID 2752 wrote to memory of 3336	2752	setup_installer.exe	83
PID 2752 wrote to memory of 3336	2752	setup_installer.exe	83
PID 2752 wrote to memory of 3336	2752	setup_installer.exe	83
PID 3336 wrote to memory of 2796	3336	setup_install.exe	86
PID 3336 wrote to memory of 2796	3336	setup_install.exe	86
PID 3336 wrote to memory of 2796	3336	setup_install.exe	86
PID 3336 wrote to memory of 3172	3336	setup_install.exe	87
PID 3336 wrote to memory of 3172	3336	setup_install.exe	87
PID 3336 wrote to memory of 3172	3336	setup_install.exe	87
PID 3336 wrote to memory of 1884	3336	setup_install.exe	88
PID 3336 wrote to memory of 1884	3336	setup_install.exe	88
PID 3336 wrote to memory of 1884	3336	setup_install.exe	88
PID 3336 wrote to memory of 1812	3336	setup_install.exe	95
PID 3336 wrote to memory of 1812	3336	setup_install.exe	95
PID 3336 wrote to memory of 1812	3336	setup_install.exe	95
PID 3336 wrote to memory of 1328	3336	setup_install.exe	89
PID 3336 wrote to memory of 1328	3336	setup_install.exe	89
PID 3336 wrote to memory of 1328	3336	setup_install.exe	89
PID 3336 wrote to memory of 4116	3336	setup_install.exe	93
PID 3336 wrote to memory of 4116	3336	setup_install.exe	93
PID 3336 wrote to memory of 4116	3336	setup_install.exe	93
PID 3336 wrote to memory of 4144	3336	setup_install.exe	92
PID 3336 wrote to memory of 4144	3336	setup_install.exe	92
PID 3336 wrote to memory of 4144	3336	setup_install.exe	92
PID 3172 wrote to memory of 4164	3172	cmd.exe	91
PID 3172 wrote to memory of 4164	3172	cmd.exe	91
PID 3172 wrote to memory of 4164	3172	cmd.exe	91
PID 3336 wrote to memory of 4156	3336	setup_install.exe	90
PID 3336 wrote to memory of 4156	3336	setup_install.exe	90
PID 3336 wrote to memory of 4156	3336	setup_install.exe	90
PID 1328 wrote to memory of 4212	1328	cmd.exe	94
PID 1328 wrote to memory of 4212	1328	cmd.exe	94
PID 2796 wrote to memory of 4256	2796	cmd.exe	96
PID 2796 wrote to memory of 4256	2796	cmd.exe	96
PID 2796 wrote to memory of 4256	2796	cmd.exe	96
PID 4156 wrote to memory of 4272	4156	cmd.exe	100
PID 4156 wrote to memory of 4272	4156	cmd.exe	100
PID 1812 wrote to memory of 4284	1812	cmd.exe	99
PID 1812 wrote to memory of 4284	1812	cmd.exe	99
PID 1812 wrote to memory of 4284	1812	cmd.exe	99
PID 1884 wrote to memory of 4296	1884	cmd.exe	98
PID 1884 wrote to memory of 4296	1884	cmd.exe	98
PID 1884 wrote to memory of 4296	1884	cmd.exe	98
PID 4116 wrote to memory of 4304	4116	cmd.exe	97
PID 4116 wrote to memory of 4304	4116	cmd.exe	97
PID 4116 wrote to memory of 4304	4116	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\7zS0CA85B04\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0CA85B04\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CA85B04\Fri1544861ac3fe6a.exe
        
        Fri1544861ac3fe6a.exe
        5⤵
        Executes dropped EXE
        
        PID:4164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CA85B04\Fri156ec98815f89c.exe
        
        Fri156ec98815f89c.exe
        5⤵
        Executes dropped EXE
        
        PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri155442fc38b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CA85B04\Fri155442fc38b.exe
        
        Fri155442fc38b.exe
        5⤵
        Executes dropped EXE
        
        PID:4212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4156
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CA85B04\Fri1553f0ee90.exe
        
        Fri1553f0ee90.exe
        5⤵
        Executes dropped EXE
        
        PID:4272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c APPNAME7.exe
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CA85B04\Fri15af75ee9b.exe
        
        Fri15af75ee9b.exe
        5⤵
        Executes dropped EXE
        
        PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri157e25afd971.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CA85B04\Fri157e25afd971.exe
        
        Fri157e25afd971.exe
        5⤵
        Executes dropped EXE
        
        PID:4284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3336-134-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3336-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3336-148-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3336-145-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3336-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3336-143-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3336-141-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4212-157-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/4272-167-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4284-172-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Resubmissions

Analysis

Sharing

General