8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e

Analysis

max time kernel
69s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe
Size

159KB
MD5

116669c194c69dec2238a16c9794e99d
SHA1

a433dd9a553a583191ab6d170ae45e7f852981a1
SHA256

8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e
SHA512

f8ec04190153b4b0d68133d35ec39862a3c2534bb9b7e8fdcf4774baf62a3c52826d7eedd74993725ae5b87f6538ae97f32e9a3f13d1cf31871a4f1843e92dab
SSDEEP

3072:+iFx+MrcRKO6ZWpY+38pa6XZNkPN9VBACgg7gy0J:+iFI7RKOj5gbXZNk9w4gZJ

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0004000000000727-137.dat	aspack_v212_v242
behavioral2/files/0x0004000000000727-138.dat	aspack_v212_v242
behavioral2/files/0x0004000000000727-143.dat	aspack_v212_v242
behavioral2/files/0x0004000000000727-148.dat	aspack_v212_v242
behavioral2/files/0x0004000000000727-153.dat	aspack_v212_v242
behavioral2/files/0x0004000000000727-158.dat	aspack_v212_v242
behavioral2/files/0x0004000000000727-163.dat	aspack_v212_v242

Executes dropped EXE 6 IoCs

pid	Process
3408	1.exe
5088	1.exe
2496	1.exe
3732	1.exe
1800	1.exe
748	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1724	PING.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4936	5108	8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe	83
PID 5108 wrote to memory of 4936	5108	8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe	83
PID 5108 wrote to memory of 4936	5108	8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe	83
PID 4936 wrote to memory of 3556	4936	cmd.exe	85
PID 4936 wrote to memory of 3556	4936	cmd.exe	85
PID 4936 wrote to memory of 3556	4936	cmd.exe	85
PID 4936 wrote to memory of 3408	4936	cmd.exe	86
PID 4936 wrote to memory of 3408	4936	cmd.exe	86
PID 4936 wrote to memory of 3408	4936	cmd.exe	86
PID 4936 wrote to memory of 5088	4936	cmd.exe	87
PID 4936 wrote to memory of 5088	4936	cmd.exe	87
PID 4936 wrote to memory of 5088	4936	cmd.exe	87
PID 4936 wrote to memory of 2496	4936	cmd.exe	88
PID 4936 wrote to memory of 2496	4936	cmd.exe	88
PID 4936 wrote to memory of 2496	4936	cmd.exe	88
PID 4936 wrote to memory of 3732	4936	cmd.exe	89
PID 4936 wrote to memory of 3732	4936	cmd.exe	89
PID 4936 wrote to memory of 3732	4936	cmd.exe	89
PID 4936 wrote to memory of 1800	4936	cmd.exe	90
PID 4936 wrote to memory of 1800	4936	cmd.exe	90
PID 4936 wrote to memory of 1800	4936	cmd.exe	90
PID 4936 wrote to memory of 748	4936	cmd.exe	91
PID 4936 wrote to memory of 748	4936	cmd.exe	91
PID 4936 wrote to memory of 748	4936	cmd.exe	91
PID 4936 wrote to memory of 736	4936	cmd.exe	92
PID 4936 wrote to memory of 736	4936	cmd.exe	92
PID 4936 wrote to memory of 736	4936	cmd.exe	92
PID 4936 wrote to memory of 1724	4936	cmd.exe	93
PID 4936 wrote to memory of 1724	4936	cmd.exe	93
PID 4936 wrote to memory of 1724	4936	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe
"C:\Users\Admin\AppData\Local\Temp\8ee36a6c15f6a406eaa75e38bcad95ad3a3d1ab17129ef04ad4be754e661f40e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /s /b "*.doc" "*.xls" "*.txt" "*.ppt" "*.docx" "*.xlsx" "*.pptx" "*.pdf" "*.mlf" "*.jpg" "*.png" "*.bmp"
    3⤵
    PID:3556
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    1.exe "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1660332030.txt"
    3⤵
    - Executes dropped EXE
    PID:3408
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    1.exe "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
    3⤵
    - Executes dropped EXE
    PID:5088
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    1.exe "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4F1D.txt"
    3⤵
    - Executes dropped EXE
    PID:2496
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    1.exe "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4F4B.txt"
    3⤵
    - Executes dropped EXE
    PID:3732
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    1.exe "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4F1D.txt"
    3⤵
    - Executes dropped EXE
    PID:1800
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    1.exe "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4F4B.txt"
    3⤵
    - Executes dropped EXE
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /s /b "*_*.doc" "*.xls" "*_*.txt" "*_*.ppt" "*_*.docx" "*_*.xlsx" "*_*.pptx" "*_*.pdf" "*_*.mlf" "*_*.jpg" "*_*.png" "*_*.bmp"
    3⤵
    PID:736
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.bat

Filesize
1KB

MD5
1495442e7e355dc5241fb2fafa936db6

SHA1
4ebf68683fedda6b969b6f772fc2eb5abd2ae8dd

SHA256
d434dc558dd8a797c26f86a6743e4072f48d822664a9d340f1525545792ec795

SHA512
d57976738592f03756925bb0dae102f383b267d1b94517fb493e29d22b5b56fd0ee9839f0279030d834d15950c07e0d73145467350205a56e5a73ba8b1f7368d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
41KB

MD5
1b9f50b972ba520df3a5883e94058b2f

SHA1
303471507dc565f6588e7b89b0e95b55daae94ed

SHA256
855fe75a1998575564f223a87cfd244cc42fb2814d9563ed33af2e4d82284a68

SHA512
4fce9642e07c42a81e2f8bacbba902423b97f432b9231230a7e29f73dafde35d8cb30295ee99512dfb8ff742cb82ac7e76a67a7a6c75c72b489e9ab4da0d6fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
41KB

MD5
1b9f50b972ba520df3a5883e94058b2f

SHA1
303471507dc565f6588e7b89b0e95b55daae94ed

SHA256
855fe75a1998575564f223a87cfd244cc42fb2814d9563ed33af2e4d82284a68

SHA512
4fce9642e07c42a81e2f8bacbba902423b97f432b9231230a7e29f73dafde35d8cb30295ee99512dfb8ff742cb82ac7e76a67a7a6c75c72b489e9ab4da0d6fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
41KB

MD5
1b9f50b972ba520df3a5883e94058b2f

SHA1
303471507dc565f6588e7b89b0e95b55daae94ed

SHA256
855fe75a1998575564f223a87cfd244cc42fb2814d9563ed33af2e4d82284a68

SHA512
4fce9642e07c42a81e2f8bacbba902423b97f432b9231230a7e29f73dafde35d8cb30295ee99512dfb8ff742cb82ac7e76a67a7a6c75c72b489e9ab4da0d6fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
41KB

MD5
1b9f50b972ba520df3a5883e94058b2f

SHA1
303471507dc565f6588e7b89b0e95b55daae94ed

SHA256
855fe75a1998575564f223a87cfd244cc42fb2814d9563ed33af2e4d82284a68

SHA512
4fce9642e07c42a81e2f8bacbba902423b97f432b9231230a7e29f73dafde35d8cb30295ee99512dfb8ff742cb82ac7e76a67a7a6c75c72b489e9ab4da0d6fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
41KB

MD5
1b9f50b972ba520df3a5883e94058b2f

SHA1
303471507dc565f6588e7b89b0e95b55daae94ed

SHA256
855fe75a1998575564f223a87cfd244cc42fb2814d9563ed33af2e4d82284a68

SHA512
4fce9642e07c42a81e2f8bacbba902423b97f432b9231230a7e29f73dafde35d8cb30295ee99512dfb8ff742cb82ac7e76a67a7a6c75c72b489e9ab4da0d6fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
41KB

MD5
1b9f50b972ba520df3a5883e94058b2f

SHA1
303471507dc565f6588e7b89b0e95b55daae94ed

SHA256
855fe75a1998575564f223a87cfd244cc42fb2814d9563ed33af2e4d82284a68

SHA512
4fce9642e07c42a81e2f8bacbba902423b97f432b9231230a7e29f73dafde35d8cb30295ee99512dfb8ff742cb82ac7e76a67a7a6c75c72b489e9ab4da0d6fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
41KB

MD5
1b9f50b972ba520df3a5883e94058b2f

SHA1
303471507dc565f6588e7b89b0e95b55daae94ed

SHA256
855fe75a1998575564f223a87cfd244cc42fb2814d9563ed33af2e4d82284a68

SHA512
4fce9642e07c42a81e2f8bacbba902423b97f432b9231230a7e29f73dafde35d8cb30295ee99512dfb8ff742cb82ac7e76a67a7a6c75c72b489e9ab4da0d6fc6

Download Submit
memory/748-165-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/748-164-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/748-166-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/1800-161-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/1800-159-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/1800-160-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/2496-149-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/2496-151-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/2496-150-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/3408-141-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/3408-139-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/3408-140-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/3732-155-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/3732-156-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/3732-154-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/5088-144-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/5088-145-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/5088-146-0x0000000000E30000-0x0000000000E5F000-memory.dmp

Filesize
188KB

Download
memory/5108-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download