008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369

General

Target

008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
Size

347KB
MD5

06aa4eb07e537c6e7a3b8db5e11b2195
SHA1

e943911667a7fadf31966948cbc4fecf97621322
SHA256

008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369
SHA512

d808be5ecfe76ce4599222ebc1102acd929217e130b1157d672c183d13914ad05b4d98bd1351cdc493f21a557f67dfe2327e2b59d65ea6bbcdbe36ed27880104
SSDEEP

6144:5ZuuObR8sVImcyYC5J7b6L9HYDIoWZTDlJQEjDBiqrrfW0zKyJ24f3jYbY:WV+mzvwLvv1iqrrOGVJ24LP

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00080000000122e3-58.dat	aspack_v212_v242
behavioral1/files/0x00080000000122e3-59.dat	aspack_v212_v242
behavioral1/files/0x00080000000122e3-60.dat	aspack_v212_v242
behavioral1/files/0x00080000000122e3-62.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
652	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1148	WScript.exe
1148	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xiantoubudui = "C:\\WINDOWS\\system32\\Tem\\xiantoubudui.exe"	regedit.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\tem\Temp.bat	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File created	\??\c:\windows\SysWOW64\tem\打开文件.txt	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File created	\??\c:\windows\SysWOW64\tem\lcd.vbs	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	\??\c:\windows\SysWOW64\tem\lcd.vbs	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File created	\??\c:\windows\SysWOW64\tem\logon.reg	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	\??\c:\windows\SysWOW64\tem\qyzngj.dll	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	\??\c:\windows\SysWOW64\tem\runtwo.vbs	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	\??\c:\windows\SysWOW64\tem\svchost.exe	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File created	\??\c:\windows\SysWOW64\tem\svchost.ini	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	\??\c:\windows\SysWOW64\tem\Temp.bat	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File created	\??\c:\windows\SysWOW64\tem\xiantoubudui.exe	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	\??\c:\windows\SysWOW64\tem\xiantoubudui.exe	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	\??\c:\windows\SysWOW64\tem	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	\??\c:\windows\SysWOW64\tem\logon.reg	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File created	\??\c:\windows\SysWOW64\tem\svchost.exe	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File created	\??\c:\windows\SysWOW64\tem\qyzngj.dll	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	\??\c:\windows\SysWOW64\tem\runone.vbs	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	\??\c:\windows\SysWOW64\tem\打开文件.txt	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	\??\c:\windows\SysWOW64\tem\svchost.ini	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File opened for modification	C:\Windows\SysWOW64\tem\svchost.ini	svchost.exe
File created	\??\c:\windows\SysWOW64\tem\__tmp_rar_sfx_access_check_7080042	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File created	\??\c:\windows\SysWOW64\tem\runone.vbs	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
File created	\??\c:\windows\SysWOW64\tem\runtwo.vbs	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\nwodesolciwileimvitmtktadf	svchost.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1708	regedit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
652	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1148	1724	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe	27
PID 1724 wrote to memory of 1148	1724	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe	27
PID 1724 wrote to memory of 1148	1724	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe	27
PID 1724 wrote to memory of 1148	1724	008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe	27
PID 1148 wrote to memory of 652	1148	WScript.exe	28
PID 1148 wrote to memory of 652	1148	WScript.exe	28
PID 1148 wrote to memory of 652	1148	WScript.exe	28
PID 1148 wrote to memory of 652	1148	WScript.exe	28
PID 1148 wrote to memory of 368	1148	WScript.exe	29
PID 1148 wrote to memory of 368	1148	WScript.exe	29
PID 1148 wrote to memory of 368	1148	WScript.exe	29
PID 1148 wrote to memory of 368	1148	WScript.exe	29
PID 368 wrote to memory of 1708	368	cmd.exe	31
PID 368 wrote to memory of 1708	368	cmd.exe	31
PID 368 wrote to memory of 1708	368	cmd.exe	31
PID 368 wrote to memory of 1708	368	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe
"C:\Users\Admin\AppData\Local\Temp\008b9f6b9cb4b40d51ddf383a00182561aeb52ccd2c67cf3dac5d3d2c4c78369.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\windows\system32\tem\lcd.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\tem\svchost.exe
    "C:\Windows\System32\tem\svchost.exe" ´ò¿ªÎÄ¼þ µ¹¼ÆÊ± 0,05,59
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\System32\tem\Temp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s logon.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tem\Temp.bat

Filesize
36B

MD5
3aea7c4234681544e8548de5a9c7453e

SHA1
dd2a441c001c00f05b0ba7c670fb616eed4039c7

SHA256
832d5f3dd05a5030a7985ae3964852ff98d94227d0a70acf073052dd14acf5ff

SHA512
3c3ce91a8446bfc97305ffbb58d90ecc3c3e2dc1acca8ed918b551574333dda10fcfe5e7af303191be772f45fb29312a7744f7b2be5dad398f891959c1fca314

Download Submit
C:\Windows\SysWOW64\tem\svchost.exe

Filesize
104KB

MD5
3b8ad4b3e7f5690c304badccc4d20b20

SHA1
ea772ea0708a4ac4d45c3b2a45c035ae1ab22bd7

SHA256
b5c221ab14112ea8f45dafccc4eb2c227abcd9afa682197cdc7739fbe86e3c06

SHA512
e3a634943a341975fed100e8afbf19349f36652528a58049addd1ece38d92cda5e1169d2f74161322502104052477c47b52fb8ec725d0f2e2e5ee23216a57028

Download Submit
C:\Windows\SysWOW64\tem\svchost.exe

Filesize
104KB

MD5
3b8ad4b3e7f5690c304badccc4d20b20

SHA1
ea772ea0708a4ac4d45c3b2a45c035ae1ab22bd7

SHA256
b5c221ab14112ea8f45dafccc4eb2c227abcd9afa682197cdc7739fbe86e3c06

SHA512
e3a634943a341975fed100e8afbf19349f36652528a58049addd1ece38d92cda5e1169d2f74161322502104052477c47b52fb8ec725d0f2e2e5ee23216a57028

Download Submit
C:\Windows\SysWOW64\tem\svchost.ini

Filesize
815B

MD5
44db75a0772f0b81c1520954bea047e6

SHA1
de2cd5e10e47754eb7cb9b5a56a8cf19a21a8a70

SHA256
39032f557128cbf89ef1e1860978e596391448aa9dc400c068408c2e581b5def

SHA512
804a3f102c085d4a805602fd1b42c24dbba614b1f23d88ec22b933373185b8ff216987760b80938d27a246b684e242538534ff33e379763f4fbdc7717003509a

Download Submit
C:\windows\SysWOW64\tem\lcd.vbs

Filesize
125B

MD5
815d68dd0fb980bf3c6ed4bb390c6bb5

SHA1
7e8391a31f2f08731398b9152e6df68636a4c16c

SHA256
a02c8fcdf8b8606d89b0453de0039e042ca472efb60297f28436fc0e9e810a7d

SHA512
dee86386a35b491d7a89b085887e1f2c7b4a5cf549d3acdc4030ec3cef0ba82660b7bd0c6a5d7f6ca3ce6b5ce90c9af1f5e1f0500ce4509282b8ce9c8a996019

Download Submit
\??\c:\windows\SysWOW64\tem\logon.reg

Filesize
169B

MD5
16b5e2ffeaeda8d525bd176c208ec31a

SHA1
ca14b3bdd43c47df0c620368ac60a9ce569ae396

SHA256
48e56411cdebeac7009980e5ce93e0866b5b53373f01ee81ae6c1c4764c09bb3

SHA512
7b6dd5e7c2c9efe977e1504d9c395df5cb119765b5b499302ce843405bc5e69b6ca9a5eb0e1a7ad3ecdf015572b1191c556b0ddbf258907b8a622bd7308709de

Download Submit
\Windows\SysWOW64\tem\svchost.exe

Filesize
104KB

MD5
3b8ad4b3e7f5690c304badccc4d20b20

SHA1
ea772ea0708a4ac4d45c3b2a45c035ae1ab22bd7

SHA256
b5c221ab14112ea8f45dafccc4eb2c227abcd9afa682197cdc7739fbe86e3c06

SHA512
e3a634943a341975fed100e8afbf19349f36652528a58049addd1ece38d92cda5e1169d2f74161322502104052477c47b52fb8ec725d0f2e2e5ee23216a57028

Download Submit
\Windows\SysWOW64\tem\svchost.exe

Filesize
104KB

MD5
3b8ad4b3e7f5690c304badccc4d20b20

SHA1
ea772ea0708a4ac4d45c3b2a45c035ae1ab22bd7

SHA256
b5c221ab14112ea8f45dafccc4eb2c227abcd9afa682197cdc7739fbe86e3c06

SHA512
e3a634943a341975fed100e8afbf19349f36652528a58049addd1ece38d92cda5e1169d2f74161322502104052477c47b52fb8ec725d0f2e2e5ee23216a57028

Download Submit
memory/652-71-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing