74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756

Analysis

max time kernel
34s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 17:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
Size

204KB
MD5

9138d2354dad94c3f1813b6642dbfa80
SHA1

263ba21c821093f2ec843d7295f7ee9ba217229d
SHA256

74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756
SHA512

57b2066798b07fd2569830fbb713718b2b3a114a9077d316b63cb4fa66167246eb99d011d7c84db5ccf9c37407205b544ef5b0970a28be016c98e1723f0f6477
SSDEEP

6144:9Km1mbXnb1wGr1nSEvV90VH0YKFsdyeJgtrg:9K2mbb1wUFSEvU4soCgm

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000014b75-55.dat	aspack_v212_v242

Loads dropped DLL 1 IoCs

pid	Process
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\king_mg = "C:\\Windows\\system32\\mgking.exe"	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mgking.exe	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
File created	C:\Windows\SysWOW64\mgking.exe	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
File opened for modification	C:\Windows\SysWOW64\mgking0.dll	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
File created	C:\Windows\SysWOW64\mgking0.dll	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1360	1764	74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe
  "C:\Users\Admin\AppData\Local\Temp\74ac963f7d9a44ba823e7aa67b679dee091a6aec26397faef5f2df71b7f4e756.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\mgking0.dll

Filesize
113KB

MD5
b1fb04828e2eae7d63ced16d2e0264bc

SHA1
9d4dd4f56acba33ca15ab13d072189a93e4de0ce

SHA256
17cd4ef596c4774aab3303d07d5cd5274b1fae8ed7ccde1d26599e74d14db3c5

SHA512
1fc60cee1fa3ed1cb2d5c8d954ecb767ae816cf3931412daf1518b2f96b341150693a90994e4ac5864dfa0a59f6531206bade3563355bfe49c18ece37d4eb96c

Download Submit
memory/1764-54-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1764-56-0x0000000010000000-0x000000001008E000-memory.dmp

Filesize
568KB

Download
memory/1764-57-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1764-58-0x0000000010000000-0x000000001008E000-memory.dmp

Filesize
568KB

Download