5e2bf564a4f985a7482d505def1ec79c92566bf7eda4724811ee29b9c4a66156

Resubmissions

05-10-2021 16:27

211005-tx24csaah9 10

04-10-2021 16:37

04-10-2021 07:39

03-10-2021 18:09

02-10-2021 23:31

02-10-2021 06:10

01-10-2021 13:44

Analysis

max time kernel
387s
max time network
377s
platform
windows7_x64
resource
win7-ja-20210920
submitted
02-10-2021 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

6.4MB
MD5

c6e46aa3d6424b03e0a4ccb193d3eade
SHA1

c8b49055743fa7b4d6a982aea26efb627bb1f2e1
SHA256

5e2bf564a4f985a7482d505def1ec79c92566bf7eda4724811ee29b9c4a66156
SHA512

06e0c7d8012d4dbf1e6ccb7049c16d3041eb792261cc9910115c8663a45272c90cbce0ccd51875b8cd465b8f5a5c9f69164cc665b60787884ac42aec3aa7d32e

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libstdc++-6.dll	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

setup_installer.exesetup_install.exe

pid process

1696 setup_installer.exe
1316 setup_install.exe

pid	process
1696	setup_installer.exe
1316	setup_install.exe

Loads dropped DLL 15 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.exe

pid	process
308	setup_x86_x64_install.exe
1696	setup_installer.exe
1696	setup_installer.exe
1696	setup_installer.exe
1696	setup_installer.exe
1696	setup_installer.exe
1696	setup_installer.exe
1316	setup_install.exe
1316	setup_install.exe
1316	setup_install.exe
1316	setup_install.exe
1316	setup_install.exe
1316	setup_install.exe
1316	setup_install.exe
1316	setup_install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2020 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2020 powershell.exe

pid	process
2020	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2020	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.exe

description	pid	process	target process
PID 308 wrote to memory of 1696	308	setup_x86_x64_install.exe	setup_installer.exe
PID 308 wrote to memory of 1696	308	setup_x86_x64_install.exe	setup_installer.exe
PID 308 wrote to memory of 1696	308	setup_x86_x64_install.exe	setup_installer.exe
PID 308 wrote to memory of 1696	308	setup_x86_x64_install.exe	setup_installer.exe
PID 308 wrote to memory of 1696	308	setup_x86_x64_install.exe	setup_installer.exe
PID 308 wrote to memory of 1696	308	setup_x86_x64_install.exe	setup_installer.exe
PID 308 wrote to memory of 1696	308	setup_x86_x64_install.exe	setup_installer.exe
PID 1696 wrote to memory of 1316	1696	setup_installer.exe	setup_install.exe
PID 1696 wrote to memory of 1316	1696	setup_installer.exe	setup_install.exe
PID 1696 wrote to memory of 1316	1696	setup_installer.exe	setup_install.exe
PID 1696 wrote to memory of 1316	1696	setup_installer.exe	setup_install.exe
PID 1696 wrote to memory of 1316	1696	setup_installer.exe	setup_install.exe
PID 1696 wrote to memory of 1316	1696	setup_installer.exe	setup_install.exe
PID 1696 wrote to memory of 1316	1696	setup_installer.exe	setup_install.exe
PID 1316 wrote to memory of 1944	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1944	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1944	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1944	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1944	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1944	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1944	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1064	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1064	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1064	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1064	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1064	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1064	1316	setup_install.exe	cmd.exe
PID 1316 wrote to memory of 1064	1316	setup_install.exe	cmd.exe
PID 1944 wrote to memory of 2020	1944	cmd.exe	powershell.exe
PID 1944 wrote to memory of 2020	1944	cmd.exe	powershell.exe
PID 1944 wrote to memory of 2020	1944	cmd.exe	powershell.exe
PID 1944 wrote to memory of 2020	1944	cmd.exe	powershell.exe
PID 1944 wrote to memory of 2020	1944	cmd.exe	powershell.exe
PID 1944 wrote to memory of 2020	1944	cmd.exe	powershell.exe
PID 1944 wrote to memory of 2020	1944	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1034cd265b5e0adcd.exe
4⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\setup_install.exe
MD5
baa61c7ac272018ef3c9162121f2f728

SHA1
a9eb477fe841000152082f0d3025af99d38981b1

SHA256
1d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2

SHA512
5f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0A6E1553\setup_install.exe
MD5
baa61c7ac272018ef3c9162121f2f728

SHA1
a9eb477fe841000152082f0d3025af99d38981b1

SHA256
1d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2

SHA512
5f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
2da8ab89fff4bfc1be98d577169e3cf8

SHA1
5379737ccaf546c86fe92ee92e49afaa2eef1bee

SHA256
28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14

SHA512
d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
2da8ab89fff4bfc1be98d577169e3cf8

SHA1
5379737ccaf546c86fe92ee92e49afaa2eef1bee

SHA256
28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14

SHA512
d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\setup_install.exe
MD5
baa61c7ac272018ef3c9162121f2f728

SHA1
a9eb477fe841000152082f0d3025af99d38981b1

SHA256
1d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2

SHA512
5f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\setup_install.exe
MD5
baa61c7ac272018ef3c9162121f2f728

SHA1
a9eb477fe841000152082f0d3025af99d38981b1

SHA256
1d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2

SHA512
5f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\setup_install.exe
MD5
baa61c7ac272018ef3c9162121f2f728

SHA1
a9eb477fe841000152082f0d3025af99d38981b1

SHA256
1d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2

SHA512
5f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\setup_install.exe
MD5
baa61c7ac272018ef3c9162121f2f728

SHA1
a9eb477fe841000152082f0d3025af99d38981b1

SHA256
1d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2

SHA512
5f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\setup_install.exe
MD5
baa61c7ac272018ef3c9162121f2f728

SHA1
a9eb477fe841000152082f0d3025af99d38981b1

SHA256
1d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2

SHA512
5f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0A6E1553\setup_install.exe
MD5
baa61c7ac272018ef3c9162121f2f728

SHA1
a9eb477fe841000152082f0d3025af99d38981b1

SHA256
1d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2

SHA512
5f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
2da8ab89fff4bfc1be98d577169e3cf8

SHA1
5379737ccaf546c86fe92ee92e49afaa2eef1bee

SHA256
28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14

SHA512
d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
2da8ab89fff4bfc1be98d577169e3cf8

SHA1
5379737ccaf546c86fe92ee92e49afaa2eef1bee

SHA256
28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14

SHA512
d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
2da8ab89fff4bfc1be98d577169e3cf8

SHA1
5379737ccaf546c86fe92ee92e49afaa2eef1bee

SHA256
28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14

SHA512
d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
2da8ab89fff4bfc1be98d577169e3cf8

SHA1
5379737ccaf546c86fe92ee92e49afaa2eef1bee

SHA256
28043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14

SHA512
d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c

Download Submit
memory/308-54-0x0000000074E31000-0x0000000074E33000-memory.dmp

Filesize
8KB

Download
memory/1064-94-0x0000000000000000-mapping.dmp

Download
memory/1316-91-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1316-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1316-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1316-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1316-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1316-84-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1316-89-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1316-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1316-66-0x0000000000000000-mapping.dmp

Download
memory/1316-83-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1316-92-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1696-56-0x0000000000000000-mapping.dmp

Download
memory/1944-93-0x0000000000000000-mapping.dmp

Download
memory/2020-96-0x0000000000000000-mapping.dmp

Download
memory/2020-100-0x00000000002A2000-0x00000000002A4000-memory.dmp

Filesize
8KB

Download
memory/2020-99-0x00000000002A1000-0x00000000002A2000-memory.dmp

Filesize
4KB

Download
memory/2020-98-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads