2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0

Analysis

max time kernel
173s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0.exe
Size

113KB
MD5

22d37ceb8cee3ec1418d5f277431b5c0
SHA1

518defaec0c1b66babc97633f4e76039cfda0ad0
SHA256

2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0
SHA512

fd69c58c6f045d87c5600e32eeb920e176041a71d76d02bc1fb4cd416d21df2fc61ec3ec5443953acb22003a13e9187dbf3c5db665a635fcd4eaa7bc30056b18
SSDEEP

3072:K6zZAkaBTBSidUgiQnsNW87O05YHdpngwUYD:KsATdF5nsN7O05YPRP

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 18 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00140000000054ab-56.dat	aspack_v212_v242
behavioral1/files/0x00140000000054ab-58.dat	aspack_v212_v242
behavioral1/files/0x00080000000126f1-64.dat	aspack_v212_v242
behavioral1/files/0x00080000000126f1-65.dat	aspack_v212_v242
behavioral1/files/0x0008000000012758-70.dat	aspack_v212_v242
behavioral1/files/0x0008000000012758-71.dat	aspack_v212_v242
behavioral1/files/0x000800000001311a-77.dat	aspack_v212_v242
behavioral1/files/0x000800000001311a-76.dat	aspack_v212_v242
behavioral1/files/0x0007000000013170-82.dat	aspack_v212_v242
behavioral1/files/0x0007000000013170-81.dat	aspack_v212_v242
behavioral1/files/0x00070000000131fd-86.dat	aspack_v212_v242
behavioral1/files/0x00070000000131fd-87.dat	aspack_v212_v242
behavioral1/files/0x0007000000013300-91.dat	aspack_v212_v242
behavioral1/files/0x0007000000013300-92.dat	aspack_v212_v242
behavioral1/files/0x0007000000013359-96.dat	aspack_v212_v242
behavioral1/files/0x0007000000013359-97.dat	aspack_v212_v242
behavioral1/files/0x00080000000133dd-101.dat	aspack_v212_v242
behavioral1/files/0x00080000000133dd-102.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1788	17b92a11.exe

Sets DLL path for service in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	17b92a11.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	17b92a11.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	17b92a11.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	17b92a11.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	17b92a11.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	17b92a11.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	17b92a11.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	17b92a11.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	17b92a11.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	17b92a11.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/288-60-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/288-75-0x0000000000400000-0x000000000044C000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
1216	svchost.exe
1064	svchost.exe
1564	svchost.exe
1632	svchost.exe
1604	svchost.exe
1848	svchost.exe
936	svchost.exe
1660	svchost.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	17b92a11.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	17b92a11.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	17b92a11.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	17b92a11.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	17b92a11.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	17b92a11.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	17b92a11.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	17b92a11.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	17b92a11.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	17b92a11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1788	17b92a11.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1788	288	2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0.exe	19
PID 288 wrote to memory of 1788	288	2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0.exe	19
PID 288 wrote to memory of 1788	288	2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0.exe	19
PID 288 wrote to memory of 1788	288	2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0.exe	19
PID 288 wrote to memory of 1788	288	2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0.exe	19
PID 288 wrote to memory of 1788	288	2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0.exe	19
PID 288 wrote to memory of 1788	288	2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0.exe	19

C:\Users\Admin\AppData\Local\Temp\2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0.exe
"C:\Users\Admin\AppData\Local\Temp\2299197fe06b9321ba71960ab3c5b7ddacb47bfdce2309af5d894331b57f52d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:288
- C:\17b92a11.exe
  C:\17b92a11.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1216

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:928

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1848

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\17b92a11.exe

Filesize
55KB

MD5
7d40b388aecc24d553f0a5a8fe53294b

SHA1
3719ca81c2b8053fec85128f673c8c49940707e9

SHA256
3a4a94d5cdceb984bd77c7436f372cb0b31896eec5b6eb57a2de8ec06eb7dc8d

SHA512
57c1d5f4c61c4900433c94b95cba862eadd9534888b681136aa771ac9fbbc913f15b0ac0af9ec662f304034b93cdc649b92d326b739cee003d9308dc8c270c15

Download Submit
C:\17b92a11.exe

Filesize
55KB

MD5
7d40b388aecc24d553f0a5a8fe53294b

SHA1
3719ca81c2b8053fec85128f673c8c49940707e9

SHA256
3a4a94d5cdceb984bd77c7436f372cb0b31896eec5b6eb57a2de8ec06eb7dc8d

SHA512
57c1d5f4c61c4900433c94b95cba862eadd9534888b681136aa771ac9fbbc913f15b0ac0af9ec662f304034b93cdc649b92d326b739cee003d9308dc8c270c15

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\??\c:\windows\SysWOW64\irmon.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\??\c:\windows\SysWOW64\nla.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\??\c:\windows\SysWOW64\ntmssvc.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\??\c:\windows\SysWOW64\nwcworkstation.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\??\c:\windows\SysWOW64\nwsapagent.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\??\c:\windows\SysWOW64\srservice.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\??\c:\windows\SysWOW64\wmdmpmsp.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\Windows\SysWOW64\Irmon.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\Windows\SysWOW64\Nla.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\Windows\SysWOW64\Ntmssvc.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\Windows\SysWOW64\Nwsapagent.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\Windows\SysWOW64\SRService.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
\Windows\SysWOW64\WmdmPmSp.dll

Filesize
55KB

MD5
9e386032b056a93a18533bcfd7da4fc8

SHA1
f6778ac18f48b9a1f2c9b0f322c8d2116df185f5

SHA256
aa25006ddf759c92fb0c9390990540c3aaabd7f5102897c23dee76d52a5a0d62

SHA512
9fa82a7a715cb997674d654ee5cb12eedb664e57637e23a7264e136a2ef6187722952285c2f191260ac18c02311519e5a6aa08a65684c686825d11fd530787d3

Download Submit
memory/288-61-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/288-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/288-75-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/288-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/936-100-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download
memory/936-99-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download
memory/1064-73-0x0000000074260000-0x000000007427C000-memory.dmp

Filesize
112KB

Download
memory/1064-74-0x0000000074260000-0x000000007427C000-memory.dmp

Filesize
112KB

Download
memory/1216-67-0x0000000074260000-0x000000007427C000-memory.dmp

Filesize
112KB

Download
memory/1216-68-0x0000000074260000-0x000000007427C000-memory.dmp

Filesize
112KB

Download
memory/1564-80-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download
memory/1564-79-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download
memory/1604-89-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download
memory/1604-90-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download
memory/1632-85-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download
memory/1632-84-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download
memory/1660-104-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download
memory/1660-105-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download
memory/1788-69-0x0000000002790000-0x0000000006790000-memory.dmp

Filesize
64.0MB

Download
memory/1788-63-0x0000000002790000-0x0000000006790000-memory.dmp

Filesize
64.0MB

Download
memory/1788-62-0x0000000001370000-0x000000000138C000-memory.dmp

Filesize
112KB

Download
memory/1788-59-0x0000000001370000-0x000000000138C000-memory.dmp

Filesize
112KB

Download
memory/1848-94-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download
memory/1848-95-0x0000000074830000-0x000000007484C000-memory.dmp

Filesize
112KB

Download