c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a

General

Target

c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a.exe
Size

21KB
MD5

14303216a7dedb014985b13c58308e73
SHA1

e1553ed898d1e0aa170573b0d3dda1c181b1928c
SHA256

c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a
SHA512

bd16d8242f3d71c7749060fc134563be7b9e27ab08dce100aa0f3073ed4f28f21c0112c9223e5e3ed3c66338771c861feb05c52c7376581c6e1398fd14a2ec54
SSDEEP

384:nshUHuAdwb492W08W8OY2CWNZ597y68iYf1HRjkzgQJd1Axzr6+S9Pfu7n5c:nmUHuzz8W8ByZj7y68vVRjkzgQKxKdeG

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000005c50-55.dat	aspack_v212_v242
behavioral1/files/0x0007000000005c50-56.dat	aspack_v212_v242
behavioral1/files/0x0007000000005c50-58.dat	aspack_v212_v242
behavioral1/files/0x0007000000005c50-60.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1176	smss.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autostart.exe	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autostart.exe	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
1248	c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a.exe
1248	c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REGEDIT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REGEDIT.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\smss.exe	c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a.exe
File opened for modification	C:\Program Files\Common Files\System\smss.exe	c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a.exe
File created	C:\Program Files\Common Files\System\start.bat	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs regedit.exe 1 IoCs

pid	Process
704	REGEDIT.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1176	1248	c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a.exe	26
PID 1248 wrote to memory of 1176	1248	c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a.exe	26
PID 1248 wrote to memory of 1176	1248	c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a.exe	26
PID 1248 wrote to memory of 1176	1248	c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a.exe	26
PID 1176 wrote to memory of 704	1176	smss.exe	27
PID 1176 wrote to memory of 704	1176	smss.exe	27
PID 1176 wrote to memory of 704	1176	smss.exe	27
PID 1176 wrote to memory of 704	1176	smss.exe	27

C:\Users\Admin\AppData\Local\Temp\c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a.exe
"C:\Users\Admin\AppData\Local\Temp\c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Program Files\Common Files\System\smss.exe
  "C:\Program Files\Common Files\System\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\SysWOW64\REGEDIT.exe
    REGEDIT /S "C:\Program Files\Common Files\System\start.bat"
    3⤵
    - Adds Run key to start application
    - Runs regedit.exe
    PID:704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\smss.exe

Filesize
21KB

MD5
14303216a7dedb014985b13c58308e73

SHA1
e1553ed898d1e0aa170573b0d3dda1c181b1928c

SHA256
c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a

SHA512
bd16d8242f3d71c7749060fc134563be7b9e27ab08dce100aa0f3073ed4f28f21c0112c9223e5e3ed3c66338771c861feb05c52c7376581c6e1398fd14a2ec54

Download Submit
C:\Program Files\Common Files\System\smss.exe

Filesize
21KB

MD5
14303216a7dedb014985b13c58308e73

SHA1
e1553ed898d1e0aa170573b0d3dda1c181b1928c

SHA256
c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a

SHA512
bd16d8242f3d71c7749060fc134563be7b9e27ab08dce100aa0f3073ed4f28f21c0112c9223e5e3ed3c66338771c861feb05c52c7376581c6e1398fd14a2ec54

Download Submit
C:\Program Files\Common Files\System\start.bat

Filesize
291B

MD5
239692327ed96d1d23daf92e034275d0

SHA1
72368106cfe3dbfa6c7c09068df12b4840a8de23

SHA256
b70c591470a52b92ded3a5fef8bc6cc2d0169573bb2aa53956024811c4116c3c

SHA512
acd5fdc14f16ee7a3f025c742f1077ac1f3459fade751790a64f7bea995195c82be48334cd27ebae5e00a79d1d6a3dbdf468dfc95eba2149b4dbc317df558067

Download Submit
\Program Files\Common Files\System\smss.exe

Filesize
21KB

MD5
14303216a7dedb014985b13c58308e73

SHA1
e1553ed898d1e0aa170573b0d3dda1c181b1928c

SHA256
c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a

SHA512
bd16d8242f3d71c7749060fc134563be7b9e27ab08dce100aa0f3073ed4f28f21c0112c9223e5e3ed3c66338771c861feb05c52c7376581c6e1398fd14a2ec54

Download Submit
\Program Files\Common Files\System\smss.exe

Filesize
21KB

MD5
14303216a7dedb014985b13c58308e73

SHA1
e1553ed898d1e0aa170573b0d3dda1c181b1928c

SHA256
c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a

SHA512
bd16d8242f3d71c7749060fc134563be7b9e27ab08dce100aa0f3073ed4f28f21c0112c9223e5e3ed3c66338771c861feb05c52c7376581c6e1398fd14a2ec54

Download Submit
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing