01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 12:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe
Size

154KB
MD5

002b2fec0f03af913f1d965186c037c4
SHA1

17a718c70932262b6fbf217d51efe97bb9f356fd
SHA256

01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef
SHA512

24b0d33d0c5d66213b8141ff32baecb7dca8c0e75511186ae562936d0386ca9ead4deabd4c506f0af0d3f6206677ff88765ae3a603ab5a99aa9f854e9c0aea44
SSDEEP

3072:D+XRhTVQW5m+51KwSVfz0VzOtaAiP6Z4ZUJ9C8BGThRB4:sRhTSWZ1Khdz0V6tzZ4uJRsTK

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00140000000054ab-57.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
948	taskmgrnt.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-57.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	taskmgrnt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Registry NT Save = "\"c:\\windows\\taskmgrnt.exe\""	taskmgrnt.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\windows\taskmgrnt.exe	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe
File opened for modification	\??\c:\windows\taskmgrnt.exe	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe
File created	C:\Windows\rumlog.dat	taskmgrnt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
892	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe
948	taskmgrnt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 948	892	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe	27
PID 892 wrote to memory of 948	892	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe	27
PID 892 wrote to memory of 948	892	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe	27
PID 892 wrote to memory of 948	892	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe	27

C:\Users\Admin\AppData\Local\Temp\01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe
"C:\Users\Admin\AppData\Local\Temp\01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892
- \??\c:\windows\taskmgrnt.exe
  c:\windows\taskmgrnt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\taskmgrnt.exe

Filesize
154KB

MD5
002b2fec0f03af913f1d965186c037c4

SHA1
17a718c70932262b6fbf217d51efe97bb9f356fd

SHA256
01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef

SHA512
24b0d33d0c5d66213b8141ff32baecb7dca8c0e75511186ae562936d0386ca9ead4deabd4c506f0af0d3f6206677ff88765ae3a603ab5a99aa9f854e9c0aea44

Download Submit