f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e

Analysis

max time kernel
144s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
Size

702KB
MD5

a2813c54390baa559a5bb07f2507ab00
SHA1

cab4f6ecdf7b0684920593527dbdb0de10862538
SHA256

f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e
SHA512

eb9cf670c36e00bac2855bbd27552ddd76f9312a0ce9e39c7bbd83c309637fde6965066709fffeaf47af57413208c7696cd19121742a917f2879204c46d7c9f9
SSDEEP

12288:xF+UfPi1dJU0L/vI9mOxPEUKRknYYJ2tHhyXxAeUgrSACI7XHgZQKhJgeCmAQLs:xF+UfPi1dJU43I98U7nYYJ2tHhADSANv

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000005c51-56.dat	aspack_v212_v242
behavioral1/files/0x0008000000005c51-59.dat	aspack_v212_v242
behavioral1/files/0x0008000000005c51-58.dat	aspack_v212_v242
behavioral1/files/0x0008000000005c51-67.dat	aspack_v212_v242
behavioral1/files/0x00070000000139f5-68.dat	aspack_v212_v242
behavioral1/files/0x00070000000139f5-70.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
1808	MSWDM.EXE
1056	MSWDM.EXE
796	F9C33E8993D43E63F47B1AEEB9D38C8C2520C295593357AF17488CA6AE16465E.EXE
1988	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1056	MSWDM.EXE
1056	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
File opened for modification	C:\Windows\dev18FE.tmp	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
File opened for modification	C:\Windows\dev18FE.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1056	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1808	1324	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe	27
PID 1324 wrote to memory of 1808	1324	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe	27
PID 1324 wrote to memory of 1808	1324	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe	27
PID 1324 wrote to memory of 1808	1324	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe	27
PID 1324 wrote to memory of 1056	1324	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe	28
PID 1324 wrote to memory of 1056	1324	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe	28
PID 1324 wrote to memory of 1056	1324	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe	28
PID 1324 wrote to memory of 1056	1324	f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe	28
PID 1056 wrote to memory of 796	1056	MSWDM.EXE	29
PID 1056 wrote to memory of 796	1056	MSWDM.EXE	29
PID 1056 wrote to memory of 796	1056	MSWDM.EXE	29
PID 1056 wrote to memory of 796	1056	MSWDM.EXE	29
PID 1056 wrote to memory of 1988	1056	MSWDM.EXE	30
PID 1056 wrote to memory of 1988	1056	MSWDM.EXE	30
PID 1056 wrote to memory of 1988	1056	MSWDM.EXE	30
PID 1056 wrote to memory of 1988	1056	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
"C:\Users\Admin\AppData\Local\Temp\f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1324
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1808
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev18FE.tmp!C:\Users\Admin\AppData\Local\Temp\f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\F9C33E8993D43E63F47B1AEEB9D38C8C2520C295593357AF17488CA6AE16465E.EXE
    3⤵
    - Executes dropped EXE
    PID:796
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev18FE.tmp!C:\Users\Admin\AppData\Local\Temp\F9C33E8993D43E63F47B1AEEB9D38C8C2520C295593357AF17488CA6AE16465E.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F9C33E8993D43E63F47B1AEEB9D38C8C2520C295593357AF17488CA6AE16465E.EXE

Filesize
702KB

MD5
ca6e20d54671945783a705f4ef7d117e

SHA1
dfb9f2e106ad7ed149a958b4224091d4096e6a95

SHA256
7950ea0ab76126a3751725d42263059054e59a6f11d8eb1b141e511da497030c

SHA512
ce795abb1e3d806b2ca8d90498c0240460d2d6ce90d1255be313732bf439bc972b80171d7758665bd778225a2d1027b4e85957a1036f7ed3ed4d43b2204e43c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9C33E8993D43E63F47B1AEEB9D38C8C2520C295593357AF17488CA6AE16465E.EXE

Filesize
702KB

MD5
ca6e20d54671945783a705f4ef7d117e

SHA1
dfb9f2e106ad7ed149a958b4224091d4096e6a95

SHA256
7950ea0ab76126a3751725d42263059054e59a6f11d8eb1b141e511da497030c

SHA512
ce795abb1e3d806b2ca8d90498c0240460d2d6ce90d1255be313732bf439bc972b80171d7758665bd778225a2d1027b4e85957a1036f7ed3ed4d43b2204e43c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe

Filesize
622KB

MD5
a981419c39cc02259b8f2da3974000d9

SHA1
905d359e2c5e8330d39b746132fa9779f52c0b93

SHA256
6e9a4b2f2f62a5fc38c06c47c7ca6905276d05166da99b5fb70573934a0257b8

SHA512
ca08650618b15df511af16340448013f4aa09f7e4459cbe19d4c819255a30a37f54b03196356ca2ff98dade601cd811247a78382645ff53997f69aad962c3532

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
56a11ca0c7d145e8b1010b7c97dc27f7

SHA1
9f73bf0991bc9058f188c282bb6c84e58f43d75b

SHA256
30c12cf52e3f8709676aa650516b61524ed5aa66e2aef216f66eb80504a12e71

SHA512
4faa10edb1655c5e3957e80ae779fc9026da5fa89f66340f9e93942f9cec022da1fea71d91bf66a4d3cecc0375e06e3f1af8d57cbc79e4a61c80d74dd1865964

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
56a11ca0c7d145e8b1010b7c97dc27f7

SHA1
9f73bf0991bc9058f188c282bb6c84e58f43d75b

SHA256
30c12cf52e3f8709676aa650516b61524ed5aa66e2aef216f66eb80504a12e71

SHA512
4faa10edb1655c5e3957e80ae779fc9026da5fa89f66340f9e93942f9cec022da1fea71d91bf66a4d3cecc0375e06e3f1af8d57cbc79e4a61c80d74dd1865964

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
56a11ca0c7d145e8b1010b7c97dc27f7

SHA1
9f73bf0991bc9058f188c282bb6c84e58f43d75b

SHA256
30c12cf52e3f8709676aa650516b61524ed5aa66e2aef216f66eb80504a12e71

SHA512
4faa10edb1655c5e3957e80ae779fc9026da5fa89f66340f9e93942f9cec022da1fea71d91bf66a4d3cecc0375e06e3f1af8d57cbc79e4a61c80d74dd1865964

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
56a11ca0c7d145e8b1010b7c97dc27f7

SHA1
9f73bf0991bc9058f188c282bb6c84e58f43d75b

SHA256
30c12cf52e3f8709676aa650516b61524ed5aa66e2aef216f66eb80504a12e71

SHA512
4faa10edb1655c5e3957e80ae779fc9026da5fa89f66340f9e93942f9cec022da1fea71d91bf66a4d3cecc0375e06e3f1af8d57cbc79e4a61c80d74dd1865964

Download Submit
C:\Windows\dev18FE.tmp

Filesize
622KB

MD5
a981419c39cc02259b8f2da3974000d9

SHA1
905d359e2c5e8330d39b746132fa9779f52c0b93

SHA256
6e9a4b2f2f62a5fc38c06c47c7ca6905276d05166da99b5fb70573934a0257b8

SHA512
ca08650618b15df511af16340448013f4aa09f7e4459cbe19d4c819255a30a37f54b03196356ca2ff98dade601cd811247a78382645ff53997f69aad962c3532

Download Submit
\Users\Admin\AppData\Local\Temp\f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe

Filesize
622KB

MD5
a981419c39cc02259b8f2da3974000d9

SHA1
905d359e2c5e8330d39b746132fa9779f52c0b93

SHA256
6e9a4b2f2f62a5fc38c06c47c7ca6905276d05166da99b5fb70573934a0257b8

SHA512
ca08650618b15df511af16340448013f4aa09f7e4459cbe19d4c819255a30a37f54b03196356ca2ff98dade601cd811247a78382645ff53997f69aad962c3532

Download Submit
\Users\Admin\AppData\Local\Temp\f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe

Filesize
622KB

MD5
a981419c39cc02259b8f2da3974000d9

SHA1
905d359e2c5e8330d39b746132fa9779f52c0b93

SHA256
6e9a4b2f2f62a5fc38c06c47c7ca6905276d05166da99b5fb70573934a0257b8

SHA512
ca08650618b15df511af16340448013f4aa09f7e4459cbe19d4c819255a30a37f54b03196356ca2ff98dade601cd811247a78382645ff53997f69aad962c3532

Download Submit
memory/796-65-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1056-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1808-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1808-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1988-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download