a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe
Size

534KB
MD5

54ae892f0a0fa2c62a333e00405fba00
SHA1

59ab6f034bf50de142b22bed526141141751599e
SHA256

a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995
SHA512

5d191adcabcb18aafbe981054b4091fffc443638bae1dbfb81f8392eadfce6395d17448a7f40e813174941b7eaf2e9584065ef311e3d09d882043308236918fd
SSDEEP

6144:fUZyCJTDEpULgU8L94jDV9U1woU8LSHP0x8Taj9V:xgDEpUE9QDV9U11S+

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0005000000022dbe-133.dat	aspack_v212_v242
behavioral2/files/0x0005000000022dbe-135.dat	aspack_v212_v242
behavioral2/files/0x0005000000022dbe-136.dat	aspack_v212_v242
behavioral2/files/0x0005000000022dbe-146.dat	aspack_v212_v242
behavioral2/files/0x0004000000022deb-148.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
2456	MSWDM.EXE
2400	MSWDM.EXE
3536	A018EB49957A0AC55B181107383583139D6B3485C7024728A6D5F3683976C995.EXE
1176	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
3536	A018EB49957A0AC55B181107383583139D6B3485C7024728A6D5F3683976C995.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	MSWDM.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\devB7BC.tmp	a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe
File opened for modification	C:\Windows\dieB7FA.tmp	MSWDM.EXE
File opened for modification	C:\Windows\devB7BC.tmp	MSWDM.EXE
File created	C:\Windows\dieB7FA.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000022ddb-138.dat	nsis_installer_1
behavioral2/files/0x0004000000022deb-142.dat	nsis_installer_1
behavioral2/files/0x0004000000022deb-143.dat	nsis_installer_1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2400	MSWDM.EXE
2400	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2456	2276	a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe	77
PID 2276 wrote to memory of 2456	2276	a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe	77
PID 2276 wrote to memory of 2456	2276	a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe	77
PID 2276 wrote to memory of 2400	2276	a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe	79
PID 2276 wrote to memory of 2400	2276	a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe	79
PID 2276 wrote to memory of 2400	2276	a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe	79
PID 2400 wrote to memory of 3536	2400	MSWDM.EXE	80
PID 2400 wrote to memory of 3536	2400	MSWDM.EXE	80
PID 2400 wrote to memory of 3536	2400	MSWDM.EXE	80
PID 2400 wrote to memory of 1176	2400	MSWDM.EXE	81
PID 2400 wrote to memory of 1176	2400	MSWDM.EXE	81
PID 2400 wrote to memory of 1176	2400	MSWDM.EXE	81

C:\Users\Admin\AppData\Local\Temp\a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe
"C:\Users\Admin\AppData\Local\Temp\a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2276
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2456
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devB7BC.tmp!C:\Users\Admin\AppData\Local\Temp\a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\A018EB49957A0AC55B181107383583139D6B3485C7024728A6D5F3683976C995.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3536
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devB7BC.tmp!C:\Users\Admin\AppData\Local\Temp\A018EB49957A0AC55B181107383583139D6B3485C7024728A6D5F3683976C995.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A018EB49957A0AC55B181107383583139D6B3485C7024728A6D5F3683976C995.EXE

Filesize
495KB

MD5
fb33bcc98a626b8e21a676c45fcc8aaa

SHA1
98e0904a3f4738bb72869b933d2bff914e0d50a6

SHA256
35b828646910d417350e2b3d109c66ec560cb4163de989892e7180d69aef0607

SHA512
bf12ca9b631386e4460a9f1fefb550ffe0cbe8a3307b1de1f289c77e4f2cdb1a2eed57e6cda18523a134641a276f3e9f88c90defa4417109ec61a3dd1e830205

Download Submit
C:\Users\Admin\AppData\Local\Temp\A018EB49957A0AC55B181107383583139D6B3485C7024728A6D5F3683976C995.EXE

Filesize
534KB

MD5
09c0569bb6121c2c87fbc57b5370bd53

SHA1
2391af4c8d280376a123cd76ca47c8a0eb286119

SHA256
bc8eb2a781d83aa45477567c82b2419e4ab286342c74a35f581aba10e1e934dc

SHA512
8be9bac9557c07e7bba65950b04934ec5b4e6f8cd87e6198db596190f32a1b37b5f6b5b41be70fa92f34dcc36c7e701a84c8c119b965b1466ed9cad6923432e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a018eb49957a0ac55b181107383583139d6b3485c7024728a6d5f3683976c995.exe

Filesize
495KB

MD5
fb33bcc98a626b8e21a676c45fcc8aaa

SHA1
98e0904a3f4738bb72869b933d2bff914e0d50a6

SHA256
35b828646910d417350e2b3d109c66ec560cb4163de989892e7180d69aef0607

SHA512
bf12ca9b631386e4460a9f1fefb550ffe0cbe8a3307b1de1f289c77e4f2cdb1a2eed57e6cda18523a134641a276f3e9f88c90defa4417109ec61a3dd1e830205

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskBB95.tmp\System.dll

Filesize
10KB

MD5
05e52213cfa17dee760186462a9645ed

SHA1
f6d5e82080bbba65db7d54e89250c95af833aae3

SHA256
d9d3ffa4c7d7a152f435f4777e72aa1b6a6c0555f277e59eedebc587c3b66ba5

SHA512
586eea0bec6345b437667ce528bc2396427dd444a396456e38046a8962e92a52e7ee62b9f6c97f41bc1fb4a1b3905a302d6f7055e26b84e60709ba3b416ad172

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
39KB

MD5
d3c3e537f8e0d8056cadbd7fb28ee483

SHA1
1a6701a54b9a964271112369f5ba1ef32a1e606a

SHA256
6d5ee8998fe5482039fcff93841d9982c3b2dbdb7c3bbd8ac5a21113e7d007fd

SHA512
94c8f274aad2080040fe5c3fbc2c1e53d3b31ef020897824c5e025963bee23b12778932dd9c5253f8d795aaff51ad7bad759c7dad904cff462a4ac23f1bf4bf5

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
d3c3e537f8e0d8056cadbd7fb28ee483

SHA1
1a6701a54b9a964271112369f5ba1ef32a1e606a

SHA256
6d5ee8998fe5482039fcff93841d9982c3b2dbdb7c3bbd8ac5a21113e7d007fd

SHA512
94c8f274aad2080040fe5c3fbc2c1e53d3b31ef020897824c5e025963bee23b12778932dd9c5253f8d795aaff51ad7bad759c7dad904cff462a4ac23f1bf4bf5

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
d3c3e537f8e0d8056cadbd7fb28ee483

SHA1
1a6701a54b9a964271112369f5ba1ef32a1e606a

SHA256
6d5ee8998fe5482039fcff93841d9982c3b2dbdb7c3bbd8ac5a21113e7d007fd

SHA512
94c8f274aad2080040fe5c3fbc2c1e53d3b31ef020897824c5e025963bee23b12778932dd9c5253f8d795aaff51ad7bad759c7dad904cff462a4ac23f1bf4bf5

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
d3c3e537f8e0d8056cadbd7fb28ee483

SHA1
1a6701a54b9a964271112369f5ba1ef32a1e606a

SHA256
6d5ee8998fe5482039fcff93841d9982c3b2dbdb7c3bbd8ac5a21113e7d007fd

SHA512
94c8f274aad2080040fe5c3fbc2c1e53d3b31ef020897824c5e025963bee23b12778932dd9c5253f8d795aaff51ad7bad759c7dad904cff462a4ac23f1bf4bf5

Download Submit
C:\Windows\devB7BC.tmp

Filesize
495KB

MD5
fb33bcc98a626b8e21a676c45fcc8aaa

SHA1
98e0904a3f4738bb72869b933d2bff914e0d50a6

SHA256
35b828646910d417350e2b3d109c66ec560cb4163de989892e7180d69aef0607

SHA512
bf12ca9b631386e4460a9f1fefb550ffe0cbe8a3307b1de1f289c77e4f2cdb1a2eed57e6cda18523a134641a276f3e9f88c90defa4417109ec61a3dd1e830205

Download Submit
memory/1176-147-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1176-145-0x0000000000000000-mapping.dmp

Download
memory/2276-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2400-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2400-134-0x0000000000000000-mapping.dmp

Download
memory/2400-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2456-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2456-132-0x0000000000000000-mapping.dmp

Download
memory/2456-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3536-140-0x0000000000000000-mapping.dmp

Download