01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe
Size

154KB
MD5

002b2fec0f03af913f1d965186c037c4
SHA1

17a718c70932262b6fbf217d51efe97bb9f356fd
SHA256

01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef
SHA512

24b0d33d0c5d66213b8141ff32baecb7dca8c0e75511186ae562936d0386ca9ead4deabd4c506f0af0d3f6206677ff88765ae3a603ab5a99aa9f854e9c0aea44
SSDEEP

3072:D+XRhTVQW5m+51KwSVfz0VzOtaAiP6Z4ZUJ9C8BGThRB4:sRhTSWZ1Khdz0V6tzZ4uJRsTK

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000725-135.dat	aspack_v212_v242
behavioral2/files/0x0003000000000725-136.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4864	taskmgrnt.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000725-135.dat	upx
behavioral2/files/0x0003000000000725-136.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	taskmgrnt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Registry NT Save = "\"c:\\windows\\taskmgrnt.exe\""	taskmgrnt.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\windows\taskmgrnt.exe	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe
File opened for modification	\??\c:\windows\taskmgrnt.exe	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe
File created	C:\Windows\rumlog.dat	taskmgrnt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3400	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe
4864	taskmgrnt.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4864	3400	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe	83
PID 3400 wrote to memory of 4864	3400	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe	83
PID 3400 wrote to memory of 4864	3400	01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe	83

C:\Users\Admin\AppData\Local\Temp\01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe
"C:\Users\Admin\AppData\Local\Temp\01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400
- \??\c:\windows\taskmgrnt.exe
  c:\windows\taskmgrnt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\taskmgrnt.exe

Filesize
154KB

MD5
002b2fec0f03af913f1d965186c037c4

SHA1
17a718c70932262b6fbf217d51efe97bb9f356fd

SHA256
01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef

SHA512
24b0d33d0c5d66213b8141ff32baecb7dca8c0e75511186ae562936d0386ca9ead4deabd4c506f0af0d3f6206677ff88765ae3a603ab5a99aa9f854e9c0aea44

Download Submit
\??\c:\windows\taskmgrnt.exe

Filesize
154KB

MD5
002b2fec0f03af913f1d965186c037c4

SHA1
17a718c70932262b6fbf217d51efe97bb9f356fd

SHA256
01196f3d2bef875ab58a08bded18d9e5ff79e7880a0fd4fa07acda83379009ef

SHA512
24b0d33d0c5d66213b8141ff32baecb7dca8c0e75511186ae562936d0386ca9ead4deabd4c506f0af0d3f6206677ff88765ae3a603ab5a99aa9f854e9c0aea44

Download Submit
memory/4864-134-0x0000000000000000-mapping.dmp

Download