d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422

Analysis

max time kernel
119s
max time network
124s
platform
windows10_x64
resource
win10-en-20211104
submitted
09-11-2021 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exe
Size

3.8MB
MD5

3c1bcfc5e5d1327746d9e8d3fdb5b49f
SHA1

58af3de1e2e55241141f05a3a82163ed2ef62339
SHA256

d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
SHA512

4f779d352e3d6e16337e4f3875d296e629e016d7c779b195ef62db5e1726d40bd5e0faed9997b3e0ad734ffc99f2f1096a1395b30a68cae4ae4133e5a2ec14a9

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\libzip.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\libzip.dll	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

setup.exesetup_install.exe

pid process

3284 setup.exe
660 setup_install.exe
Loads dropped DLL 5 IoCs

Processes:

setup_install.exe

pid process

660 setup_install.exe
660 setup_install.exe
660 setup_install.exe
660 setup_install.exe
660 setup_install.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3284	setup.exe
660	setup_install.exe

pid	process
660	setup_install.exe
660	setup_install.exe
660	setup_install.exe
660	setup_install.exe
660	setup_install.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exesetup.exesetup_install.exe

description	pid	process	target process
PID 3796 wrote to memory of 3284	3796	D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exe	setup.exe
PID 3796 wrote to memory of 3284	3796	D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exe	setup.exe
PID 3796 wrote to memory of 3284	3796	D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exe	setup.exe
PID 3284 wrote to memory of 660	3284	setup.exe	setup_install.exe
PID 3284 wrote to memory of 660	3284	setup.exe	setup_install.exe
PID 3284 wrote to memory of 660	3284	setup.exe	setup_install.exe
PID 660 wrote to memory of 1544	660	setup_install.exe	cmd.exe
PID 660 wrote to memory of 1544	660	setup_install.exe	cmd.exe
PID 660 wrote to memory of 1544	660	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exe
"C:\Users\Admin\AppData\Local\Temp\D1F610AF3C46FFF6C857BE0136C696604EB8E7466B4A7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\717d52c15560bcc853bc.exe
4⤵
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\libzip.dll
MD5
81d6f0a42171755753e3bc9b48f43c30

SHA1
b766d96e38e151a6a51d72e753fb92687e8f9d03

SHA256
e186cf97d768a139819278c4ce35e6df65adb2bdaee450409994d4c7c8d7c723

SHA512
461bf23b1ec98d97281fd55308d1384a3f471d0a4b2e68c2a81a98346db9edc3ca2b8dbeb68ae543796f73cc04900ec298554b7ff837db0241863a157b43cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\setup_install.exe
MD5
c01d7c884846a42ba40d3b0919d8bfbf

SHA1
96686a1c0cb588978b7b3fad0c34cbf6298a9d35

SHA256
9337741946e6767a63477f67e625a168f3cd92d465abcd061f70f2591999d6e8

SHA512
c49f9092d2b1d7d90c4371616bb74cbd308d4ba159cf2e85c65241aaa776c0d5da0c45ffb6db73d7e66aa2b11156b7f4b198e6f11d435bd694cc76d5470ecbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\setup_install.exe
MD5
c01d7c884846a42ba40d3b0919d8bfbf

SHA1
96686a1c0cb588978b7b3fad0c34cbf6298a9d35

SHA256
9337741946e6767a63477f67e625a168f3cd92d465abcd061f70f2591999d6e8

SHA512
c49f9092d2b1d7d90c4371616bb74cbd308d4ba159cf2e85c65241aaa776c0d5da0c45ffb6db73d7e66aa2b11156b7f4b198e6f11d435bd694cc76d5470ecbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\zlib1.dll
MD5
c7d4d685a0af2a09cbc21cb474358595

SHA1
b784599c82bb90d5267fd70aaa42acc0c614b5d2

SHA256
e96b397b499d9eaa3f52eaf496ca8941e80c0ad1544879ccadf02bf2c6a1ecfc

SHA512
fed2c126a499fae6215e0ef7d76aeec45b60417ed11c7732379d1e92c87e27355fe8753efed86af4f58d52ea695494ef674538192fac1e8a2a114467061a108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
8758d3305f5ec5a2787b9fb25c9a9ab8

SHA1
d6f9865f8022d06eb48e4670be46e7ffdce56820

SHA256
7b5d27ccb937003af77dfc6b74bfdee573f9e2980ce608da15a0b11854332218

SHA512
99e4865107279973ed8655727cce7f5a7d17ed1b325cd24aaacf2a6f33276ead043e2b70dd64808a2db37b0281bde514aa5a2cac2b2572dd4bb71440f293931c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
8758d3305f5ec5a2787b9fb25c9a9ab8

SHA1
d6f9865f8022d06eb48e4670be46e7ffdce56820

SHA256
7b5d27ccb937003af77dfc6b74bfdee573f9e2980ce608da15a0b11854332218

SHA512
99e4865107279973ed8655727cce7f5a7d17ed1b325cd24aaacf2a6f33276ead043e2b70dd64808a2db37b0281bde514aa5a2cac2b2572dd4bb71440f293931c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\libzip.dll
MD5
81d6f0a42171755753e3bc9b48f43c30

SHA1
b766d96e38e151a6a51d72e753fb92687e8f9d03

SHA256
e186cf97d768a139819278c4ce35e6df65adb2bdaee450409994d4c7c8d7c723

SHA512
461bf23b1ec98d97281fd55308d1384a3f471d0a4b2e68c2a81a98346db9edc3ca2b8dbeb68ae543796f73cc04900ec298554b7ff837db0241863a157b43cda1

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4DC2EBA5\zlib1.dll
MD5
c7d4d685a0af2a09cbc21cb474358595

SHA1
b784599c82bb90d5267fd70aaa42acc0c614b5d2

SHA256
e96b397b499d9eaa3f52eaf496ca8941e80c0ad1544879ccadf02bf2c6a1ecfc

SHA512
fed2c126a499fae6215e0ef7d76aeec45b60417ed11c7732379d1e92c87e27355fe8753efed86af4f58d52ea695494ef674538192fac1e8a2a114467061a108b

Download Submit
memory/660-121-0x0000000000000000-mapping.dmp

Download
memory/660-133-0x0000000061880000-0x00000000618B7000-memory.dmp

Filesize
220KB

Download
memory/660-136-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/660-135-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/660-137-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/660-138-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1544-134-0x0000000000000000-mapping.dmp

Download
memory/3284-118-0x0000000000000000-mapping.dmp

Download