9958b608a40403411d6ddbd68a17435078f686ad6e473b62e4dabbab31531cdb

Analysis

max time kernel
92s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9958b608a40403411d6ddbd68a17435078f686ad6e473b62e4dabbab31531cdb.exe
Size

778KB
MD5

25accfd0d7139098d353b62890c9dbd0
SHA1

9e2124ad99d677bd6835b9b61dffee452a3ea0ee
SHA256

9958b608a40403411d6ddbd68a17435078f686ad6e473b62e4dabbab31531cdb
SHA512

e874c15d8840b1c1c880113fd9cca109097bcfaa8f2fa7a500513ba044ed869d3d9e4c1be223715b022207009363567d35593c8d0ae881078771844540a41baf
SSDEEP

24576:l8VCKdZcTU8dLJJ+0JxCUdcNQ/1z7ktahL:l8V+wELj+0LyNIL

Score

8^/10

aspackv2 upx

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000022637-143.dat	aspack_v212_v242
behavioral2/files/0x0007000000022637-142.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
3668	run.exe
1548	b2e.exe
4324	logo.exe
4284	trans.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000022df4-133.dat	upx
behavioral2/files/0x0008000000022df4-134.dat	upx
behavioral2/memory/3668-138-0x0000000000400000-0x00000000004BF000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	9958b608a40403411d6ddbd68a17435078f686ad6e473b62e4dabbab31531cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	run.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4324	logo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1472	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1472	AUDIODG.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 3668	3112	9958b608a40403411d6ddbd68a17435078f686ad6e473b62e4dabbab31531cdb.exe	79
PID 3112 wrote to memory of 3668	3112	9958b608a40403411d6ddbd68a17435078f686ad6e473b62e4dabbab31531cdb.exe	79
PID 3112 wrote to memory of 3668	3112	9958b608a40403411d6ddbd68a17435078f686ad6e473b62e4dabbab31531cdb.exe	79
PID 3668 wrote to memory of 1548	3668	run.exe	80
PID 3668 wrote to memory of 1548	3668	run.exe	80
PID 3668 wrote to memory of 1548	3668	run.exe	80
PID 1548 wrote to memory of 3132	1548	b2e.exe	81
PID 1548 wrote to memory of 3132	1548	b2e.exe	81
PID 1548 wrote to memory of 3132	1548	b2e.exe	81
PID 3132 wrote to memory of 4324	3132	cmd.exe	84
PID 3132 wrote to memory of 4324	3132	cmd.exe	84
PID 3132 wrote to memory of 4324	3132	cmd.exe	84
PID 3132 wrote to memory of 4284	3132	cmd.exe	93
PID 3132 wrote to memory of 4284	3132	cmd.exe	93
PID 3132 wrote to memory of 4284	3132	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\9958b608a40403411d6ddbd68a17435078f686ad6e473b62e4dabbab31531cdb.exe
"C:\Users\Admin\AppData\Local\Temp\9958b608a40403411d6ddbd68a17435078f686ad6e473b62e4dabbab31531cdb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3112
- C:\WINDOWS\Temp\run.exe
  "C:\WINDOWS\Temp\run.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\9232.tmp\b2e.exe
    "C:\Users\Admin\AppData\Local\Temp\9232.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9232.tmp\b2e.exe C:\WINDOWS\Temp "C:\WINDOWS\Temp\run.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\92CF.tmp\batfile.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\WINDOWS\Temp\logo.exe
        
        C:\WINDOWS\Temp\logo.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4324
    - - C:\WINDOWS\Temp\trans.exe
        
        C:\WINDOWS\Temp\trans.exe
        5⤵
        Executes dropped EXE
        
        PID:4284

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9232.tmp\b2e.exe

Filesize
8KB

MD5
b59836f8bce4b7a9c5c44bd3d77bbc05

SHA1
deef3c038817d8af51ebae1c9b547bdeafe90500

SHA256
82b620227e2ff4eecdc396367ef3cd090db387d5fa9c28be98296892acbe0952

SHA512
ba329fecfd4367fdc26b9daa3974e62d27b4763d850f182246ad2f27f8dcb445ec803b576d617d93881d774f2b19a437fef0909c8a637ec9fc2b3380113095d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9232.tmp\b2e.exe

Filesize
8KB

MD5
b59836f8bce4b7a9c5c44bd3d77bbc05

SHA1
deef3c038817d8af51ebae1c9b547bdeafe90500

SHA256
82b620227e2ff4eecdc396367ef3cd090db387d5fa9c28be98296892acbe0952

SHA512
ba329fecfd4367fdc26b9daa3974e62d27b4763d850f182246ad2f27f8dcb445ec803b576d617d93881d774f2b19a437fef0909c8a637ec9fc2b3380113095d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\92CF.tmp\batfile.bat

Filesize
158B

MD5
2ebd35710cdf46a6bfc1b7a9a573e991

SHA1
c52403395a0b51b50cd550e97d8cc260605bc873

SHA256
52ca6a8fe69ab59ca99b72500f5a9baadbe277ca0dea6dd8462acb322678a146

SHA512
d2907d3fe5c3c44f8fb08e233671a9cf268f647e9cd7780c46b3db7afe74b5c59a410ac4993dd5e5a928b6dc5e95d31e6bebc34e1bf9746b6dab6283d798ea8f

Download Submit
C:\WINDOWS\Temp\logo.exe

Filesize
539KB

MD5
1193331f68ce9016cafae71284453d75

SHA1
1bdc6d8d9b7f958bc113a1793c367a41a4f6dac1

SHA256
2962140fb8b1ab340f5d76813aec9fbc79cd8f3ea389407c5ed5597551d2125f

SHA512
4075a8aa2feec57cc040bf51d228d42b0d36ad3870a94889d84f0a87b1b610bc90e7f5bbdc5a40bb1ab419fffa6ae9c922c4bd97901c395a09784bd30b393928

Download Submit
C:\WINDOWS\Temp\run.exe

Filesize
370KB

MD5
633b2db9da9af8ce7f6c14acbd24770a

SHA1
7c6d4fc0cddb0213fc98421167f75e5d7afe27fe

SHA256
9638581a59653c0d6f01110be90cfaf13b15ab91b3839ee9d46dce33f26e6a2b

SHA512
fac63132db6d52d55c10618dac00f3b4ffe7cc1ddc5284dd90da5e24f447366273aea7712590ab36a2f243535e7c095c4b29bef9f6ba54db4b3993ee55a52172

Download Submit
C:\WINDOWS\Temp\trans.exe

Filesize
178KB

MD5
8fdd8d2ab15c3bd9977bb212c8611af4

SHA1
bce49aa7c995311ba9eee6ca9da92163b37f2f50

SHA256
b3a9e24e5b449a7124efe8c707c8bfb71b7c604ff53cff1da8eba8ef4c7fe3ad

SHA512
81623b08b256653ba5f902ed315766c55dfc4cf340990e38ecdad76e7c04a145f0942ea79c1bfbeb214e4b59e248de938c716a1bc9b3c309db0b482187a04934

Download Submit
C:\Windows\Temp\logo.exe

Filesize
539KB

MD5
1193331f68ce9016cafae71284453d75

SHA1
1bdc6d8d9b7f958bc113a1793c367a41a4f6dac1

SHA256
2962140fb8b1ab340f5d76813aec9fbc79cd8f3ea389407c5ed5597551d2125f

SHA512
4075a8aa2feec57cc040bf51d228d42b0d36ad3870a94889d84f0a87b1b610bc90e7f5bbdc5a40bb1ab419fffa6ae9c922c4bd97901c395a09784bd30b393928

Download Submit
C:\Windows\Temp\run.exe

Filesize
370KB

MD5
633b2db9da9af8ce7f6c14acbd24770a

SHA1
7c6d4fc0cddb0213fc98421167f75e5d7afe27fe

SHA256
9638581a59653c0d6f01110be90cfaf13b15ab91b3839ee9d46dce33f26e6a2b

SHA512
fac63132db6d52d55c10618dac00f3b4ffe7cc1ddc5284dd90da5e24f447366273aea7712590ab36a2f243535e7c095c4b29bef9f6ba54db4b3993ee55a52172

Download Submit
C:\Windows\Temp\trans.exe

Filesize
178KB

MD5
8fdd8d2ab15c3bd9977bb212c8611af4

SHA1
bce49aa7c995311ba9eee6ca9da92163b37f2f50

SHA256
b3a9e24e5b449a7124efe8c707c8bfb71b7c604ff53cff1da8eba8ef4c7fe3ad

SHA512
81623b08b256653ba5f902ed315766c55dfc4cf340990e38ecdad76e7c04a145f0942ea79c1bfbeb214e4b59e248de938c716a1bc9b3c309db0b482187a04934

Download Submit
memory/1548-144-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3668-138-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download