536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f

General

Target

536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe
Size

57KB
MD5

3bc1df0b6f446019b21968d6f1fc7a00
SHA1

3c7a398b11f9f1210e73e8a27654ccd7555983ec
SHA256

536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f
SHA512

24fecd3b2a94b482d4cae0f545709a589662c92748303a8b24461cd56734bb5563fdf3dd384274e6e675502cfd3139b775cf27e6917a2e4edce2bbace9f13113

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\lkvlfq.dll	aspack_v212_v242
C:\Windows\SysWOW64\lkvlfq.dll	aspack_v212_v242
\??\c:\windows\SysWOW64\lkvlfq.dll	aspack_v212_v242
C:\Windows\SysWOW64\lkvlfq.dll	aspack_v212_v242
C:\Windows\SysWOW64\lkvlfq.dll	aspack_v212_v242

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tmvusi\parameters\ServiceDll = "%SystemRoot%\\System32\\lkvlfq.dll"	536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\tmvusi\parameters\ServiceDll = "%SystemRoot%\\System32\\lkvlfq.dll"	536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\tmvusi\parameters\ServiceDll = "%SystemRoot%\\System32\\lkvlfq.dll"	536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe

Loads dropped DLL 4 IoCs

Processes:

536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exesvchost.exe

pid process

4576 536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe
5060 svchost.exe
5060 svchost.exe
5060 svchost.exe

pid	process
4576	536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe
5060	svchost.exe
5060	svchost.exe
5060	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\0004a017.ini	536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe
File created	C:\Windows\SysWOW64\lkvlfq.dll	536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2796 5060 WerFault.exe svchost.exe
4008 5060 WerFault.exe svchost.exe
1840 5060 WerFault.exe svchost.exe

pid	pid_target	process	target process
2796	5060	WerFault.exe	svchost.exe
4008	5060	WerFault.exe	svchost.exe
1840	5060	WerFault.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe
"C:\Users\Admin\AppData\Local\Temp\536575707eb2747af3fbc2d5bded88dc858f7d43e52efd57dd584c856bef600f.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:4576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k tmvusi
1⤵
- Loads dropped DLL
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 532
2⤵
- Program crash
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 336
2⤵
- Program crash
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 392
2⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5060 -ip 5060
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5060 -ip 5060
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5060 -ip 5060
1⤵
PID:2356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\lkvlfq.dll
Filesize
50KB

MD5
c162cd428e2f9f9c82ebf827c432f853

SHA1
bcaaf327334e899f55e4a4b7aff11dc6e2a3d172

SHA256
6aaead18b6d659786e349471f75bfe79e7078404a70e2fb6f0cd85baa4e9fe78

SHA512
08a2cda299671fa6cc0357909625237d2b6c547012fc30f95304e2633835bb2a8284c8c4f518fb9ff48007be4135506f1445ab6afd723830f63259fb207f10a1

Download Submit
C:\Windows\SysWOW64\lkvlfq.dll
Filesize
50KB

MD5
c162cd428e2f9f9c82ebf827c432f853

SHA1
bcaaf327334e899f55e4a4b7aff11dc6e2a3d172

SHA256
6aaead18b6d659786e349471f75bfe79e7078404a70e2fb6f0cd85baa4e9fe78

SHA512
08a2cda299671fa6cc0357909625237d2b6c547012fc30f95304e2633835bb2a8284c8c4f518fb9ff48007be4135506f1445ab6afd723830f63259fb207f10a1

Download Submit
C:\Windows\SysWOW64\lkvlfq.dll
Filesize
50KB

MD5
c162cd428e2f9f9c82ebf827c432f853

SHA1
bcaaf327334e899f55e4a4b7aff11dc6e2a3d172

SHA256
6aaead18b6d659786e349471f75bfe79e7078404a70e2fb6f0cd85baa4e9fe78

SHA512
08a2cda299671fa6cc0357909625237d2b6c547012fc30f95304e2633835bb2a8284c8c4f518fb9ff48007be4135506f1445ab6afd723830f63259fb207f10a1

Download Submit
C:\Windows\SysWOW64\lkvlfq.dll
Filesize
50KB

MD5
c162cd428e2f9f9c82ebf827c432f853

SHA1
bcaaf327334e899f55e4a4b7aff11dc6e2a3d172

SHA256
6aaead18b6d659786e349471f75bfe79e7078404a70e2fb6f0cd85baa4e9fe78

SHA512
08a2cda299671fa6cc0357909625237d2b6c547012fc30f95304e2633835bb2a8284c8c4f518fb9ff48007be4135506f1445ab6afd723830f63259fb207f10a1

Download Submit
\??\c:\windows\SysWOW64\lkvlfq.dll
Filesize
50KB

MD5
c162cd428e2f9f9c82ebf827c432f853

SHA1
bcaaf327334e899f55e4a4b7aff11dc6e2a3d172

SHA256
6aaead18b6d659786e349471f75bfe79e7078404a70e2fb6f0cd85baa4e9fe78

SHA512
08a2cda299671fa6cc0357909625237d2b6c547012fc30f95304e2633835bb2a8284c8c4f518fb9ff48007be4135506f1445ab6afd723830f63259fb207f10a1

Download Submit
memory/4576-133-0x0000000000400000-0x000000000040D261-memory.dmp

Filesize
52KB

Download
memory/5060-134-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/5060-137-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads