Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows10_x64

10

043d28836f...9f.exe

windows7_x64

10

043d28836f...9f.exe

windows10_x64

10

096fc162ed...c8.exe

windows7_x64

10

096fc162ed...c8.exe

windows10_x64

10

1ad787b5aa...62.exe

windows7_x64

10

1ad787b5aa...62.exe

windows10_x64

10

258cbb13ac...bd.exe

windows7_x64

10

258cbb13ac...bd.exe

windows10_x64

10

25d79c1a50...7f.exe

windows7_x64

10

25d79c1a50...7f.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

500e7e5c00...44.exe

windows7_x64

10

500e7e5c00...44.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

7dc7ca2414...84.exe

windows7_x64

10

7dc7ca2414...84.exe

windows10_x64

10

96c9fde298...34.exe

windows7_x64

10

96c9fde298...34.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

ca14b87b56...83.exe

windows7_x64

10

ca14b87b56...83.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

8

cbf31d825a...d2.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    08-11-2021 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe

  • Size

    5.6MB

  • MD5

    5802bc4fd763cd759b7875e94f9f2eaf

  • SHA1

    91eaa6e6f9b5c52a2b91806bfbf513ed336e3f6a

  • SHA256

    cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2

  • SHA512

    91f9c64c61456c91e74cad1c8a5f9aca54e44f00612085721c1b2ad8e9305679f3ed562939b0505843c06b619ab8f4818f3a537e33c122a02569cf080d13181a

Score
8/10
aspackv2

Malware Config

Signatures

  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
    "C:\Users\Admin\AppData\Local\Temp\cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Users\Admin\AppData\Local\Temp\7zS0D6A2556\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS0D6A2556\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1008
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1492
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:572
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Tue01d702368dbba.exe
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Users\Admin\AppData\Local\Temp\7zS0D6A2556\Tue01d702368dbba.exe
            Tue01d702368dbba.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:688
            • C:\Users\Admin\AppData\Local\Temp\is-G2GC8.tmp\Tue01d702368dbba.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-G2GC8.tmp\Tue01d702368dbba.tmp" /SL5="$4012C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0D6A2556\Tue01d702368dbba.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1232
              • C:\Users\Admin\AppData\Local\Temp\7zS0D6A2556\Tue01d702368dbba.exe
                "C:\Users\Admin\AppData\Local\Temp\7zS0D6A2556\Tue01d702368dbba.exe" /SILENT
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:920
                • C:\Users\Admin\AppData\Local\Temp\is-9HQ2Q.tmp\Tue01d702368dbba.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-9HQ2Q.tmp\Tue01d702368dbba.tmp" /SL5="$5012C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0D6A2556\Tue01d702368dbba.exe" /SILENT
                  8⤵
                  • Executes dropped EXE
                  PID:1668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Tue0133c29150b.exe
          4⤵
            PID:1636

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/572-144-0x00000000005B2000-0x00000000005B4000-memory.dmp

      Filesize

      8KB

      Download

    • memory/572-142-0x00000000005B1000-0x00000000005B2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/572-140-0x00000000005B0000-0x00000000005B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/688-122-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

      Download

    • memory/920-135-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1232-134-0x0000000000270000-0x0000000000271000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1268-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

      Filesize

      572KB

      Download

    • memory/1268-94-0x000000006B280000-0x000000006B2A6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1268-96-0x0000000064940000-0x0000000064959000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1268-92-0x000000006FE40000-0x000000006FFC6000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1268-89-0x0000000064940000-0x0000000064959000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1268-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

      Filesize

      572KB

      Download

    • memory/1268-91-0x0000000064940000-0x0000000064959000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1268-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1268-93-0x0000000064940000-0x0000000064959000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1268-95-0x000000006B280000-0x000000006B2A6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1268-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

      Filesize

      572KB

      Download

    • memory/1268-98-0x000000006B440000-0x000000006B4CF000-memory.dmp

      Filesize

      572KB

      Download

    • memory/1268-99-0x000000006FE40000-0x000000006FFC6000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1268-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1268-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1436-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1612-141-0x0000000001F90000-0x0000000002BDA000-memory.dmp

      Filesize

      12.3MB

      Download

    • memory/1612-143-0x0000000001F90000-0x0000000002BDA000-memory.dmp

      Filesize

      12.3MB

      Download