ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1

General

Target

ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe
Size

632KB
MD5

457d3dba54b93e93128b3a252c0f8051
SHA1

005df6bccc65bde25a4eaa64fda0744226bfa9ca
SHA256

ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1
SHA512

8faf1785bab253e606bde621f7d1b925614ca95a7a80f1dedef48ae49bb150fa803213952cbff4a9eb7b2e9f32398fcc45aecd773a258d0d40e85ed9bb224499

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice45.exe	aspack_v212_v242
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice45.exe	aspack_v212_v242
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice45.exe	aspack_v212_v242
C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

rejoice45.exe

pid process

1476 rejoice45.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

572 cmd.exe

pid	process
1476	rejoice45.exe

pid	process
572	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe

pid	process
836	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe
836	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe

Drops file in System32 directory 2 IoCs

Processes:

rejoice45.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_rejoice45.exe	rejoice45.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice45.exe	rejoice45.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rejoice45.exe

description pid process target process

PID 1476 set thread context of 1620 1476 rejoice45.exe calc.exe

description	pid	process	target process
PID 1476 set thread context of 1620	1476	rejoice45.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1368 1476 WerFault.exe rejoice45.exe

pid	pid_target	process	target process
1368	1476	WerFault.exe	rejoice45.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exerejoice45.exe

description	pid	process	target process
PID 836 wrote to memory of 1476	836	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe	rejoice45.exe
PID 836 wrote to memory of 1476	836	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe	rejoice45.exe
PID 836 wrote to memory of 1476	836	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe	rejoice45.exe
PID 836 wrote to memory of 1476	836	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe	rejoice45.exe
PID 1476 wrote to memory of 1620	1476	rejoice45.exe	calc.exe
PID 1476 wrote to memory of 1620	1476	rejoice45.exe	calc.exe
PID 1476 wrote to memory of 1620	1476	rejoice45.exe	calc.exe
PID 1476 wrote to memory of 1620	1476	rejoice45.exe	calc.exe
PID 1476 wrote to memory of 1620	1476	rejoice45.exe	calc.exe
PID 1476 wrote to memory of 1620	1476	rejoice45.exe	calc.exe
PID 1476 wrote to memory of 944	1476	rejoice45.exe	IEXPLORE.EXE
PID 1476 wrote to memory of 944	1476	rejoice45.exe	IEXPLORE.EXE
PID 1476 wrote to memory of 944	1476	rejoice45.exe	IEXPLORE.EXE
PID 1476 wrote to memory of 944	1476	rejoice45.exe	IEXPLORE.EXE
PID 1476 wrote to memory of 1368	1476	rejoice45.exe	WerFault.exe
PID 1476 wrote to memory of 1368	1476	rejoice45.exe	WerFault.exe
PID 1476 wrote to memory of 1368	1476	rejoice45.exe	WerFault.exe
PID 1476 wrote to memory of 1368	1476	rejoice45.exe	WerFault.exe
PID 836 wrote to memory of 572	836	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe	cmd.exe
PID 836 wrote to memory of 572	836	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe	cmd.exe
PID 836 wrote to memory of 572	836	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe	cmd.exe
PID 836 wrote to memory of 572	836	ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe
"C:\Users\Admin\AppData\Local\Temp\ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:836

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:1620

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 316
3⤵
- Program crash
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
2⤵
- Deletes itself
PID:572

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat
Filesize
248B

MD5
49712cc8534d6e855804749d6113e545

SHA1
8fd9618f9e770f5b59c6d43763bed198effc8cb1

SHA256
b90b1b9cdb5c9f912dddabc383aa6b2cd943fab226fe19b6d908d5bb223627a4

SHA512
4fd0439860e68b5d7331b553f962f3ee1cbc372ece9b7c982f6966985bc5c7108e97b55b670d63965e5cc27e5edca240f4e2671afbdad1c3df06180f5a81e5b7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe
Filesize
632KB

MD5
457d3dba54b93e93128b3a252c0f8051

SHA1
005df6bccc65bde25a4eaa64fda0744226bfa9ca

SHA256
ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1

SHA512
8faf1785bab253e606bde621f7d1b925614ca95a7a80f1dedef48ae49bb150fa803213952cbff4a9eb7b2e9f32398fcc45aecd773a258d0d40e85ed9bb224499

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice45.exe
Filesize
632KB

MD5
457d3dba54b93e93128b3a252c0f8051

SHA1
005df6bccc65bde25a4eaa64fda0744226bfa9ca

SHA256
ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1

SHA512
8faf1785bab253e606bde621f7d1b925614ca95a7a80f1dedef48ae49bb150fa803213952cbff4a9eb7b2e9f32398fcc45aecd773a258d0d40e85ed9bb224499

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice45.exe
Filesize
632KB

MD5
457d3dba54b93e93128b3a252c0f8051

SHA1
005df6bccc65bde25a4eaa64fda0744226bfa9ca

SHA256
ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1

SHA512
8faf1785bab253e606bde621f7d1b925614ca95a7a80f1dedef48ae49bb150fa803213952cbff4a9eb7b2e9f32398fcc45aecd773a258d0d40e85ed9bb224499

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice45.exe
Filesize
632KB

MD5
457d3dba54b93e93128b3a252c0f8051

SHA1
005df6bccc65bde25a4eaa64fda0744226bfa9ca

SHA256
ddc3aa16d9b852405a0cc74241441c766142e740ccc772d26cefbe97eee225c1

SHA512
8faf1785bab253e606bde621f7d1b925614ca95a7a80f1dedef48ae49bb150fa803213952cbff4a9eb7b2e9f32398fcc45aecd773a258d0d40e85ed9bb224499

Download Submit
memory/572-73-0x0000000000000000-mapping.dmp

Download
memory/836-55-0x0000000001D30000-0x0000000001D84000-memory.dmp

Filesize
336KB

Download
memory/836-56-0x0000000003360000-0x0000000003460000-memory.dmp

Filesize
1024KB

Download
memory/836-57-0x0000000001D30000-0x0000000001D84000-memory.dmp

Filesize
336KB

Download
memory/836-74-0x0000000001D30000-0x0000000001D84000-memory.dmp

Filesize
336KB

Download
memory/836-54-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1368-70-0x0000000000000000-mapping.dmp

Download
memory/1476-65-0x0000000003360000-0x0000000003460000-memory.dmp

Filesize
1024KB

Download
memory/1476-71-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/1476-72-0x0000000003360000-0x0000000003460000-memory.dmp

Filesize
1024KB

Download
memory/1476-64-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/1476-60-0x0000000000000000-mapping.dmp

Download
memory/1620-69-0x0000000000512001-mapping.dmp

Download
memory/1620-68-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1620-66-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads