272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
Size

290KB
MD5

5e3f586b0d8690e7a258ddae83549bb0
SHA1

99e811542284dc3f19aa40b58447f2b96026077c
SHA256

272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348
SHA512

68204e3ac3a14f8b97ec6f0c816ce9c777cffbf18e2ad657068eaa87e98329b3bb1442fbd80e161d8f4f35bf862346221c80e7390cf9024a7f9d4f6632e62fc4
SSDEEP

6144:YoQbRB/EpJdbK8/ljQ3sx23NaIHX0EMIkd9qT7InaUPy6YHZb5945IN:Yom/Ep/VQ3VaEXyxXqT7InaH6YHZb5qe

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

yara_rule
aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
4124	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
1148	msmgr.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	msmgr.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\utama.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\winmsgr.exe	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\sharelnk.vbs	msmgr.exe
File created	C:\Windows\SysWOW64\winmsgr.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File opened for modification	C:\Windows\SysWOW64\winmsgr.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File opened for modification	C:\Windows\SysWOW64\yorm.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\msmgr.exe	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\zip.zip	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File opened for modification	C:\Windows\SysWOW64\nmlsvcex.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\MsPMSNSvs.dll	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\koruptor.html.lnk	WScript.exe
File created	C:\Windows\SysWOW64\utama.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File opened for modification	C:\Windows\SysWOW64\MsPMSNSvs.dll	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\utama.exe	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\history.bat	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\exe.zip	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\yorm.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
File created	C:\Windows\SysWOW64\nmlsvcex.txt	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4684	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	msmgr.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4684	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
1148	msmgr.exe
1148	msmgr.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 4124	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	83
PID 3600 wrote to memory of 4124	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	83
PID 3600 wrote to memory of 4124	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	83
PID 3600 wrote to memory of 1672	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	84
PID 3600 wrote to memory of 1672	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	84
PID 3600 wrote to memory of 1672	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	84
PID 1672 wrote to memory of 3832	1672	cmd.exe	86
PID 1672 wrote to memory of 3832	1672	cmd.exe	86
PID 1672 wrote to memory of 3832	1672	cmd.exe	86
PID 3832 wrote to memory of 628	3832	net.exe	87
PID 3832 wrote to memory of 628	3832	net.exe	87
PID 3832 wrote to memory of 628	3832	net.exe	87
PID 3600 wrote to memory of 1148	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	88
PID 3600 wrote to memory of 1148	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	88
PID 3600 wrote to memory of 1148	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	88
PID 3600 wrote to memory of 3628	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	89
PID 3600 wrote to memory of 3628	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	89
PID 3600 wrote to memory of 3628	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	89
PID 3628 wrote to memory of 4556	3628	cmd.exe	91
PID 3628 wrote to memory of 4556	3628	cmd.exe	91
PID 3628 wrote to memory of 4556	3628	cmd.exe	91
PID 4556 wrote to memory of 4008	4556	net.exe	92
PID 4556 wrote to memory of 4008	4556	net.exe	92
PID 4556 wrote to memory of 4008	4556	net.exe	92
PID 1148 wrote to memory of 2840	1148	msmgr.exe	93
PID 1148 wrote to memory of 2840	1148	msmgr.exe	93
PID 1148 wrote to memory of 2840	1148	msmgr.exe	93
PID 3600 wrote to memory of 2804	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	94
PID 3600 wrote to memory of 2804	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	94
PID 3600 wrote to memory of 2804	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	94
PID 2804 wrote to memory of 2740	2804	cmd.exe	96
PID 2804 wrote to memory of 2740	2804	cmd.exe	96
PID 2804 wrote to memory of 2740	2804	cmd.exe	96
PID 2740 wrote to memory of 1236	2740	net.exe	97
PID 2740 wrote to memory of 1236	2740	net.exe	97
PID 2740 wrote to memory of 1236	2740	net.exe	97
PID 3600 wrote to memory of 1124	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	99
PID 3600 wrote to memory of 1124	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	99
PID 3600 wrote to memory of 1124	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	99
PID 1124 wrote to memory of 4684	1124	cmd.exe	100
PID 1124 wrote to memory of 4684	1124	cmd.exe	100
PID 1124 wrote to memory of 4684	1124	cmd.exe	100
PID 3600 wrote to memory of 4036	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	102
PID 3600 wrote to memory of 4036	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	102
PID 3600 wrote to memory of 4036	3600	272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe	102

C:\Users\Admin\AppData\Local\Temp\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
"C:\Users\Admin\AppData\Local\Temp\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe
  "C:\Users\Admin\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe"
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C Net Stop ERSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\net.exe
    Net Stop ERSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 Stop ERSvc
      4⤵
      PID:628
- C:\Windows\SysWOW64\msmgr.exe
  "C:\Windows\system32\msmgr.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\system32\sharelnk.vbs"
    3⤵
    - Drops file in System32 directory
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C net stop WmdmPmSN
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\net.exe
    net stop WmdmPmSN
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WmdmPmSN
      4⤵
      PID:4008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C net start WmdmPmSN
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\net.exe
    net start WmdmPmSN
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start WmdmPmSN
      4⤵
      PID:1236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /F /IM firefox.exe /T
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM firefox.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Windows\system32\history.bat
  2⤵
  - Drops file in Program Files directory
  PID:4036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe

Filesize
32KB

MD5
845cfcb9624f447f48fe5ad09a257dd9

SHA1
2fbef109bffa346d4efbeabd39ce3cbe12aa5d1e

SHA256
d05abe7fe2365a22d0261ae6b53c108fd7fbb9c846ba2b238a6f634e8eaa9e8d

SHA512
5318e670959975f43283405ceab1557215e42cbc125e4fbcca8af829fcf9e21799917f2c049a89aef099b5383d3607391959b37bac83f4bd49f1bcb0b62baa66

Download Submit
C:\Users\Admin\272834af9c9ef00c8f89ae5d3b777e5d8300cc79af5e02a429c149e69264e348.exe

Filesize
32KB

MD5
845cfcb9624f447f48fe5ad09a257dd9

SHA1
2fbef109bffa346d4efbeabd39ce3cbe12aa5d1e

SHA256
d05abe7fe2365a22d0261ae6b53c108fd7fbb9c846ba2b238a6f634e8eaa9e8d

SHA512
5318e670959975f43283405ceab1557215e42cbc125e4fbcca8af829fcf9e21799917f2c049a89aef099b5383d3607391959b37bac83f4bd49f1bcb0b62baa66

Download Submit
C:\Windows\SysWOW64\history.bat

Filesize
111B

MD5
0010ef82c63366ee3485b2a5d5f32ffd

SHA1
79968a1918a7b17747de77df2fae15bee0aef204

SHA256
2a97f8da1fc1a9d2e9b913a73d33efdaf6037e26e3715c70a152ea4c5a1df25c

SHA512
c9ce4a2c2c0a1a64ec0110ca4a6df6cb49dcb1de54aba8d6df009bc82a6cfd56d84fbcdc27119b78c786a82a4caad0159c0b6041e46311105f407ed517ba8481

Download Submit
C:\Windows\SysWOW64\msmgr.exe

Filesize
129KB

MD5
b626aac73d079a115d4352b31f74f6d6

SHA1
1ec899a8dd3a65e47ea1cd8901106e4e2144d26e

SHA256
0fe347abcc1e59f3e106ebd00b4ff14baf329c8fa073f9863129ee7c787e39bd

SHA512
ec350f1159b9d407a88e632d7f717a675992ef52c3b5e489a46453479dd3761902339a3e83d11547d53ebcd3a6a5cb640ad76b2dc954289416e1af4ef4f5f45a

Download Submit
C:\Windows\SysWOW64\msmgr.exe

Filesize
129KB

MD5
b626aac73d079a115d4352b31f74f6d6

SHA1
1ec899a8dd3a65e47ea1cd8901106e4e2144d26e

SHA256
0fe347abcc1e59f3e106ebd00b4ff14baf329c8fa073f9863129ee7c787e39bd

SHA512
ec350f1159b9d407a88e632d7f717a675992ef52c3b5e489a46453479dd3761902339a3e83d11547d53ebcd3a6a5cb640ad76b2dc954289416e1af4ef4f5f45a

Download Submit
C:\Windows\SysWOW64\sharelnk.vbs

Filesize
980B

MD5
ab9fbdace210fbbc7285f9b4f23dbb7e

SHA1
f7d1c47b78a543b67a638f39dd3152b069300ef9

SHA256
e3d4b1683d780a28633367a6a3febd0ec1e46a57b2baff81429fb4c0d09e4ed6

SHA512
f743188a56af8fc5ff3f5d6184c6af31ab65be08203830083e990901488434b07d8d4d0c63319a1ee2c04a45b09ae57212506dbafee249aa49a3bf84970150fb

Download Submit