c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155

Analysis

max time kernel
144s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
Size

156KB
MD5

a09bdd634c41cd21c6ea2a9903e48280
SHA1

c549574b6d345eae259b1f0b08c1c394703cbf18
SHA256

c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155
SHA512

4e1ab723db1045907aec53caabcf72342015115b2efc4a46f16140924b66ed42ea3377870e4810eae3c18e4a4628229490c6782e4f63488e8fb8f833d01aa608
SSDEEP

3072:86jI9XJy7rRAolpnyhcqPL1/7w6ZAs+VBKL:fUZyWolpnyhFQVk

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00140000000054ab-57.dat	aspack_v212_v242
behavioral1/files/0x00140000000054ab-55.dat	aspack_v212_v242
behavioral1/files/0x00140000000054ab-59.dat	aspack_v212_v242
behavioral1/files/0x00140000000054ab-66.dat	aspack_v212_v242
behavioral1/files/0x0007000000013402-67.dat	aspack_v212_v242
behavioral1/files/0x0007000000013402-69.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
1008	MSWDM.EXE
1716	MSWDM.EXE
1660	C8DD5A5B3E5976858D09F687E8D851FAD4E6EA914D4F467276F5719B2D5B3155.EXE
316	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1716	MSWDM.EXE
1716	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
File opened for modification	C:\Windows\dev2C5F.tmp	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
File opened for modification	C:\Windows\dev2C5F.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1716	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1008	1208	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	28
PID 1208 wrote to memory of 1008	1208	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	28
PID 1208 wrote to memory of 1008	1208	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	28
PID 1208 wrote to memory of 1008	1208	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	28
PID 1208 wrote to memory of 1716	1208	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	29
PID 1208 wrote to memory of 1716	1208	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	29
PID 1208 wrote to memory of 1716	1208	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	29
PID 1208 wrote to memory of 1716	1208	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	29
PID 1716 wrote to memory of 1660	1716	MSWDM.EXE	30
PID 1716 wrote to memory of 1660	1716	MSWDM.EXE	30
PID 1716 wrote to memory of 1660	1716	MSWDM.EXE	30
PID 1716 wrote to memory of 1660	1716	MSWDM.EXE	30
PID 1716 wrote to memory of 316	1716	MSWDM.EXE	31
PID 1716 wrote to memory of 316	1716	MSWDM.EXE	31
PID 1716 wrote to memory of 316	1716	MSWDM.EXE	31
PID 1716 wrote to memory of 316	1716	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
"C:\Users\Admin\AppData\Local\Temp\c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1208
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1008
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev2C5F.tmp!C:\Users\Admin\AppData\Local\Temp\c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\C8DD5A5B3E5976858D09F687E8D851FAD4E6EA914D4F467276F5719B2D5B3155.EXE
    3⤵
    - Executes dropped EXE
    PID:1660
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev2C5F.tmp!C:\Users\Admin\AppData\Local\Temp\C8DD5A5B3E5976858D09F687E8D851FAD4E6EA914D4F467276F5719B2D5B3155.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C8DD5A5B3E5976858D09F687E8D851FAD4E6EA914D4F467276F5719B2D5B3155.EXE

Filesize
156KB

MD5
11ace7794af272cf0f6836a49d50d4d4

SHA1
d88daab2542f61ac60dd1078948aeb4bd61fd3d5

SHA256
ea86a6749ccb781506360e6a126a1a8b533fd12e8ef9c3a343b195f7b4c0467b

SHA512
afe0bfd56618bcb8ed31cb4ea8aa04199164c3b7f05b66b27d89688abef633f21844577c334059121ddab7b93cfc188d6b3c99e737ea8635cf28214f6b65b311

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8DD5A5B3E5976858D09F687E8D851FAD4E6EA914D4F467276F5719B2D5B3155.EXE

Filesize
156KB

MD5
11ace7794af272cf0f6836a49d50d4d4

SHA1
d88daab2542f61ac60dd1078948aeb4bd61fd3d5

SHA256
ea86a6749ccb781506360e6a126a1a8b533fd12e8ef9c3a343b195f7b4c0467b

SHA512
afe0bfd56618bcb8ed31cb4ea8aa04199164c3b7f05b66b27d89688abef633f21844577c334059121ddab7b93cfc188d6b3c99e737ea8635cf28214f6b65b311

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe

Filesize
76KB

MD5
f8a069e7d2bb8868cea4def627cde6e9

SHA1
25f64b33dd8d98766e12272aab10f6c44cd00d0f

SHA256
5af3085b3970bb90679b1afd187b10b98ae4551d7962448b79b2f2def151f3eb

SHA512
67ebcd7bd7f2fa224f82762e80f21d27b41a217f07572b278261a2163d55b5e22f1f47522670e3ef570dd4e70a8fc70a84eb3a8e4a3087f34fa6e2cec6ef2985

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
51ffd84d0056bbe31486979a150c91df

SHA1
d7773afd81dc28b58223a3400dde3c92db9c4916

SHA256
9d39d2016f5e76bb681f4ff7b5be03e5b1f4ca63863c656e70e393b5ee687939

SHA512
2286390e7567bf672e8d0a86086dbcd3ed7d6bc3e760fdef73f3a1b40eb4ea676dc7dfad64b38c9573bcfb17c958c157164be787d1574aa7b814f7641412fc76

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
51ffd84d0056bbe31486979a150c91df

SHA1
d7773afd81dc28b58223a3400dde3c92db9c4916

SHA256
9d39d2016f5e76bb681f4ff7b5be03e5b1f4ca63863c656e70e393b5ee687939

SHA512
2286390e7567bf672e8d0a86086dbcd3ed7d6bc3e760fdef73f3a1b40eb4ea676dc7dfad64b38c9573bcfb17c958c157164be787d1574aa7b814f7641412fc76

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
51ffd84d0056bbe31486979a150c91df

SHA1
d7773afd81dc28b58223a3400dde3c92db9c4916

SHA256
9d39d2016f5e76bb681f4ff7b5be03e5b1f4ca63863c656e70e393b5ee687939

SHA512
2286390e7567bf672e8d0a86086dbcd3ed7d6bc3e760fdef73f3a1b40eb4ea676dc7dfad64b38c9573bcfb17c958c157164be787d1574aa7b814f7641412fc76

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
51ffd84d0056bbe31486979a150c91df

SHA1
d7773afd81dc28b58223a3400dde3c92db9c4916

SHA256
9d39d2016f5e76bb681f4ff7b5be03e5b1f4ca63863c656e70e393b5ee687939

SHA512
2286390e7567bf672e8d0a86086dbcd3ed7d6bc3e760fdef73f3a1b40eb4ea676dc7dfad64b38c9573bcfb17c958c157164be787d1574aa7b814f7641412fc76

Download Submit
C:\Windows\dev2C5F.tmp

Filesize
76KB

MD5
f8a069e7d2bb8868cea4def627cde6e9

SHA1
25f64b33dd8d98766e12272aab10f6c44cd00d0f

SHA256
5af3085b3970bb90679b1afd187b10b98ae4551d7962448b79b2f2def151f3eb

SHA512
67ebcd7bd7f2fa224f82762e80f21d27b41a217f07572b278261a2163d55b5e22f1f47522670e3ef570dd4e70a8fc70a84eb3a8e4a3087f34fa6e2cec6ef2985

Download Submit
\Users\Admin\AppData\Local\Temp\c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe

Filesize
76KB

MD5
f8a069e7d2bb8868cea4def627cde6e9

SHA1
25f64b33dd8d98766e12272aab10f6c44cd00d0f

SHA256
5af3085b3970bb90679b1afd187b10b98ae4551d7962448b79b2f2def151f3eb

SHA512
67ebcd7bd7f2fa224f82762e80f21d27b41a217f07572b278261a2163d55b5e22f1f47522670e3ef570dd4e70a8fc70a84eb3a8e4a3087f34fa6e2cec6ef2985

Download Submit
\Users\Admin\AppData\Local\Temp\c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe

Filesize
76KB

MD5
f8a069e7d2bb8868cea4def627cde6e9

SHA1
25f64b33dd8d98766e12272aab10f6c44cd00d0f

SHA256
5af3085b3970bb90679b1afd187b10b98ae4551d7962448b79b2f2def151f3eb

SHA512
67ebcd7bd7f2fa224f82762e80f21d27b41a217f07572b278261a2163d55b5e22f1f47522670e3ef570dd4e70a8fc70a84eb3a8e4a3087f34fa6e2cec6ef2985

Download Submit
memory/316-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1008-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1008-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1208-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1716-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download