3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3

General

Target

3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe
Size

380KB
MD5

a0257c2e3b2afe9835be40b480d53b50
SHA1

c2752706198a340892b1ff59ce832e913ed343bc
SHA256

3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3
SHA512

0403e0118ef1419accf5c82e7818cd43022a096507e74169c587a5db1501750f578f19fdc3fe5836a637edddb46790f580a715f7180df04c1306ce77bb992d06
SSDEEP

6144:fUZyzI+OEXt+OEXE1Vxo8ISv+CgLNWLEXE1Vxo8ISvq:xc+N+kjxo8ISXgJW7jxo8ISS

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000c000000022f61-134.dat	aspack_v212_v242
behavioral2/files/0x000c000000022f61-135.dat	aspack_v212_v242
behavioral2/files/0x000c000000022f61-137.dat	aspack_v212_v242
behavioral2/files/0x000c000000022f61-145.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f6c-146.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f6c-148.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
4592	MSWDM.EXE
5080	MSWDM.EXE
2540	3AE03B60EB2C7C865A7F69873F17CCCB8B1F36E5303DFB5D2301AFB3EF576AB3.EXE
3104	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe
File opened for modification	C:\Windows\devF8FB.tmp	3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe
File opened for modification	C:\Windows\devF8FB.tmp	MSWDM.EXE
File opened for modification	C:\Windows\dieF9E5.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5080	MSWDM.EXE
5080	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 4592	4212	3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe	81
PID 4212 wrote to memory of 4592	4212	3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe	81
PID 4212 wrote to memory of 4592	4212	3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe	81
PID 4212 wrote to memory of 5080	4212	3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe	82
PID 4212 wrote to memory of 5080	4212	3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe	82
PID 4212 wrote to memory of 5080	4212	3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe	82
PID 5080 wrote to memory of 2540	5080	MSWDM.EXE	83
PID 5080 wrote to memory of 2540	5080	MSWDM.EXE	83
PID 5080 wrote to memory of 2540	5080	MSWDM.EXE	83
PID 5080 wrote to memory of 3104	5080	MSWDM.EXE	84
PID 5080 wrote to memory of 3104	5080	MSWDM.EXE	84
PID 5080 wrote to memory of 3104	5080	MSWDM.EXE	84

C:\Users\Admin\AppData\Local\Temp\3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe
"C:\Users\Admin\AppData\Local\Temp\3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4212
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:4592
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devF8FB.tmp!C:\Users\Admin\AppData\Local\Temp\3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\3AE03B60EB2C7C865A7F69873F17CCCB8B1F36E5303DFB5D2301AFB3EF576AB3.EXE
    3⤵
    - Executes dropped EXE
    PID:2540
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devF8FB.tmp!C:\Users\Admin\AppData\Local\Temp\3AE03B60EB2C7C865A7F69873F17CCCB8B1F36E5303DFB5D2301AFB3EF576AB3.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3AE03B60EB2C7C865A7F69873F17CCCB8B1F36E5303DFB5D2301AFB3EF576AB3.EXE

Filesize
380KB

MD5
4a51631edeb04b7b54eb52ee44fa1e3e

SHA1
6af707305c77be65b2bb6110d07a0ad61747631e

SHA256
9234e248592b86ec83bb8a5b92a0c71e4212dcebb2f5c7cde6e1fc2d69ad946c

SHA512
1c85f3b2949afa43c669df93607ee1885806bda5c7f6ed5510998323ce9ef2dc38172ff491d74d8b13eec3492c72148ac7466fb09999747e25d95651c13807ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\3AE03B60EB2C7C865A7F69873F17CCCB8B1F36E5303DFB5D2301AFB3EF576AB3.EXE

Filesize
380KB

MD5
4a51631edeb04b7b54eb52ee44fa1e3e

SHA1
6af707305c77be65b2bb6110d07a0ad61747631e

SHA256
9234e248592b86ec83bb8a5b92a0c71e4212dcebb2f5c7cde6e1fc2d69ad946c

SHA512
1c85f3b2949afa43c669df93607ee1885806bda5c7f6ed5510998323ce9ef2dc38172ff491d74d8b13eec3492c72148ac7466fb09999747e25d95651c13807ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ae03b60eb2c7c865a7f69873f17cccb8b1f36e5303dfb5d2301afb3ef576ab3.exe

Filesize
300KB

MD5
a6d64056ad6ca84534143757fd782d7a

SHA1
19e365305ceabad649ed67278587d2f80b94c78e

SHA256
3bc9afaf7574b6d5abbbd11b571aae45abd24fc1d5691d4927444ec79dd0294b

SHA512
6801ea8a1cf5f2112739bb9c5bb576b8cce4e952dcc5f2165568b80d6b80b9459f6dbda84f0db5061ca108b42c0d30d4a71ded228e1b04d4182f9f8e931afab4

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
bf07dbd180f28f11162e224236282304

SHA1
fa2864b0de486574ae3b8fe7a7b74ea717756904

SHA256
9d1a84750c2d8cb3be4fb06961c21c485bceebbfe3cdc777b798b99e69a4c7e4

SHA512
13076e2a7b1eebd17a93bd743bf09dcb71bfcf25e514220fd107ac324556fc2d85b04ecc169d3599829498e0139228b6cd21ef4517d865def8f5d5531e03384a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
bf07dbd180f28f11162e224236282304

SHA1
fa2864b0de486574ae3b8fe7a7b74ea717756904

SHA256
9d1a84750c2d8cb3be4fb06961c21c485bceebbfe3cdc777b798b99e69a4c7e4

SHA512
13076e2a7b1eebd17a93bd743bf09dcb71bfcf25e514220fd107ac324556fc2d85b04ecc169d3599829498e0139228b6cd21ef4517d865def8f5d5531e03384a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
bf07dbd180f28f11162e224236282304

SHA1
fa2864b0de486574ae3b8fe7a7b74ea717756904

SHA256
9d1a84750c2d8cb3be4fb06961c21c485bceebbfe3cdc777b798b99e69a4c7e4

SHA512
13076e2a7b1eebd17a93bd743bf09dcb71bfcf25e514220fd107ac324556fc2d85b04ecc169d3599829498e0139228b6cd21ef4517d865def8f5d5531e03384a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
bf07dbd180f28f11162e224236282304

SHA1
fa2864b0de486574ae3b8fe7a7b74ea717756904

SHA256
9d1a84750c2d8cb3be4fb06961c21c485bceebbfe3cdc777b798b99e69a4c7e4

SHA512
13076e2a7b1eebd17a93bd743bf09dcb71bfcf25e514220fd107ac324556fc2d85b04ecc169d3599829498e0139228b6cd21ef4517d865def8f5d5531e03384a

Download Submit
C:\Windows\devF8FB.tmp

Filesize
300KB

MD5
a6d64056ad6ca84534143757fd782d7a

SHA1
19e365305ceabad649ed67278587d2f80b94c78e

SHA256
3bc9afaf7574b6d5abbbd11b571aae45abd24fc1d5691d4927444ec79dd0294b

SHA512
6801ea8a1cf5f2112739bb9c5bb576b8cce4e952dcc5f2165568b80d6b80b9459f6dbda84f0db5061ca108b42c0d30d4a71ded228e1b04d4182f9f8e931afab4

Download Submit
memory/3104-147-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4212-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4212-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4592-140-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4592-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5080-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5080-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing