71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153

Analysis

max time kernel
162s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe
Size

77KB
MD5

a052c0b0d8195d75c4ea8d73f49a5630
SHA1

857fa1acde66acb9ed227cbe80fc8d5b57c4fb14
SHA256

71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153
SHA512

cd6f8393089d0304ca13b4a49063edc9b0a41038221b775c98296b7cbba015da5359dc8ecf2529cce979be5bb82db0f4e1f826382ee7d7eef9ab59b31fb230de
SSDEEP

1536:3STjtALMd6bE9XJuFrvJ70z+wj1UmxIyYclkOZB4NgbeG/H4m5u1Faee6:86jI9XJy7rJy28C2bD/H4m5u1Eg

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000022de6-135.dat	aspack_v212_v242
behavioral2/files/0x0007000000022de6-133.dat	aspack_v212_v242
behavioral2/files/0x0007000000022de6-136.dat	aspack_v212_v242
behavioral2/files/0x0007000000022de6-144.dat	aspack_v212_v242
behavioral2/files/0x0007000000022de2-145.dat	aspack_v212_v242
behavioral2/files/0x0007000000022de2-147.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
4364	MSWDM.EXE
3640	MSWDM.EXE
3796	71805A1E206FC6965F643796728CD73602D3E5EDF221CF1E5690C563B8EF6153.EXE
3500	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7z.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	MSWDM.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\dieD8B1.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe
File opened for modification	C:\Windows\devD882.tmp	71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe
File opened for modification	C:\Windows\devD882.tmp	MSWDM.EXE
File opened for modification	C:\Windows\dieD8B1.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3640	MSWDM.EXE
3640	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 4364	2004	71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe	78
PID 2004 wrote to memory of 4364	2004	71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe	78
PID 2004 wrote to memory of 4364	2004	71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe	78
PID 2004 wrote to memory of 3640	2004	71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe	79
PID 2004 wrote to memory of 3640	2004	71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe	79
PID 2004 wrote to memory of 3640	2004	71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe	79
PID 3640 wrote to memory of 3796	3640	MSWDM.EXE	80
PID 3640 wrote to memory of 3796	3640	MSWDM.EXE	80
PID 3640 wrote to memory of 3796	3640	MSWDM.EXE	80
PID 3640 wrote to memory of 3500	3640	MSWDM.EXE	81
PID 3640 wrote to memory of 3500	3640	MSWDM.EXE	81
PID 3640 wrote to memory of 3500	3640	MSWDM.EXE	81

C:\Users\Admin\AppData\Local\Temp\71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe
"C:\Users\Admin\AppData\Local\Temp\71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2004
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4364
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devD882.tmp!C:\Users\Admin\AppData\Local\Temp\71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\71805A1E206FC6965F643796728CD73602D3E5EDF221CF1E5690C563B8EF6153.EXE
    3⤵
    - Executes dropped EXE
    PID:3796
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devD882.tmp!C:\Users\Admin\AppData\Local\Temp\71805A1E206FC6965F643796728CD73602D3E5EDF221CF1E5690C563B8EF6153.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\71805A1E206FC6965F643796728CD73602D3E5EDF221CF1E5690C563B8EF6153.EXE

Filesize
77KB

MD5
d95dbac49fb15457a38000eb0016ab1f

SHA1
5ab0d7cd59cc19257e9704bdadef64a3fafe8873

SHA256
e1876b146eee9269a1e662f6e5a46732719b1c096d9332958f5cb9e01c4192f9

SHA512
b7f0a992a01c52c7677c51b6ef531f7f79593b7acca7654bd9732c382428c6518a36c78a45295a12c3b8ee42f6f0a7d74b2bd52b62b3f2947f49f0152b0563ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\71805A1E206FC6965F643796728CD73602D3E5EDF221CF1E5690C563B8EF6153.EXE

Filesize
77KB

MD5
d95dbac49fb15457a38000eb0016ab1f

SHA1
5ab0d7cd59cc19257e9704bdadef64a3fafe8873

SHA256
e1876b146eee9269a1e662f6e5a46732719b1c096d9332958f5cb9e01c4192f9

SHA512
b7f0a992a01c52c7677c51b6ef531f7f79593b7acca7654bd9732c382428c6518a36c78a45295a12c3b8ee42f6f0a7d74b2bd52b62b3f2947f49f0152b0563ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\71805a1e206fc6965f643796728cd73602d3e5edf221cf1e5690c563b8ef6153.exe

Filesize
38KB

MD5
6d787fdf93de266ce25378fb362df011

SHA1
00ed94c8d2041eecc24a69fe99e0fdbb043fafe3

SHA256
72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5

SHA512
0a2c992eb130d4ef87b4f142fd3f823f514a6724632e985824caf05e69799db99154cac9bc19c8b960ea029f96d09a8586d4117b1052950f8d56df39d0f752f2

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
39KB

MD5
3813e3315d869ab936b472822112db21

SHA1
849c131698153557063e506c7fee9f7bf1fe6a7a

SHA256
f33bc7a69995bbdacbc4b2d5c758df959caa38bf703c42dc36d64fd08f868209

SHA512
38c236d94797e44174f35d07d7683e2a2708d038b0df8ca97cc6996fbcd99536d653ff3da6d610c88013f52e71d5671b2c28b750dafab6b2ef8b2e408b29a942

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
3813e3315d869ab936b472822112db21

SHA1
849c131698153557063e506c7fee9f7bf1fe6a7a

SHA256
f33bc7a69995bbdacbc4b2d5c758df959caa38bf703c42dc36d64fd08f868209

SHA512
38c236d94797e44174f35d07d7683e2a2708d038b0df8ca97cc6996fbcd99536d653ff3da6d610c88013f52e71d5671b2c28b750dafab6b2ef8b2e408b29a942

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
3813e3315d869ab936b472822112db21

SHA1
849c131698153557063e506c7fee9f7bf1fe6a7a

SHA256
f33bc7a69995bbdacbc4b2d5c758df959caa38bf703c42dc36d64fd08f868209

SHA512
38c236d94797e44174f35d07d7683e2a2708d038b0df8ca97cc6996fbcd99536d653ff3da6d610c88013f52e71d5671b2c28b750dafab6b2ef8b2e408b29a942

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
3813e3315d869ab936b472822112db21

SHA1
849c131698153557063e506c7fee9f7bf1fe6a7a

SHA256
f33bc7a69995bbdacbc4b2d5c758df959caa38bf703c42dc36d64fd08f868209

SHA512
38c236d94797e44174f35d07d7683e2a2708d038b0df8ca97cc6996fbcd99536d653ff3da6d610c88013f52e71d5671b2c28b750dafab6b2ef8b2e408b29a942

Download Submit
C:\Windows\devD882.tmp

Filesize
38KB

MD5
6d787fdf93de266ce25378fb362df011

SHA1
00ed94c8d2041eecc24a69fe99e0fdbb043fafe3

SHA256
72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5

SHA512
0a2c992eb130d4ef87b4f142fd3f823f514a6724632e985824caf05e69799db99154cac9bc19c8b960ea029f96d09a8586d4117b1052950f8d56df39d0f752f2

Download Submit
memory/2004-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3500-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3640-140-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3640-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4364-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4364-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download