Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 152s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2022, 08:41
Behavioral task: behavioral1
Sample: f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
Resource: win10v2004-20220812-en
General
Target: f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
Size: 702KB
MD5: a2813c54390baa559a5bb07f2507ab00
SHA1: cab4f6ecdf7b0684920593527dbdb0de10862538
SHA256: f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e
SHA512: eb9cf670c36e00bac2855bbd27552ddd76f9312a0ce9e39c7bbd83c309637fde6965066709fffeaf47af57413208c7696cd19121742a917f2879204c46d7c9f9
SSDEEP: 12288:xF+UfPi1dJU0L/vI9mOxPEUKRknYYJ2tHhyXxAeUgrSACI7XHgZQKhJgeCmAQLs:xF+UfPi1dJU43I98U7nYYJ2tHhADSANv
Malware Config
Signatures
resource | yara_rule
behavioral2/files/0x0008000000022f63-134.dat | aspack_v212_v242
behavioral2/files/0x0008000000022f63-135.dat | aspack_v212_v242
behavioral2/files/0x0008000000022f63-137.dat | aspack_v212_v242
behavioral2/files/0x0008000000022f63-145.dat | aspack_v212_v242
behavioral2/files/0x0007000000022f64-146.dat | aspack_v212_v242
behavioral2/files/0x0007000000022f64-148.dat | aspack_v212_v242
Executes dropped EXE 4 IoCs
pid | Process
5116 | MSWDM.EXE
2700 | MSWDM.EXE
3536 | F9C33E8993D43E63F47B1AEEB9D38C8C2520C295593357AF17488CA6AE16465E.EXE
5084 | MSWDM.EXE
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices | f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\WINDOWS\MSWDM.EXE | f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
File opened for modification | C:\Windows\devE2C3.tmp | f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
File opened for modification | C:\Windows\dieE3BD.tmp | MSWDM.EXE
File created | C:\Windows\dieE3BD.tmp | MSWDM.EXE
File opened for modification | C:\Windows\devE2C3.tmp | MSWDM.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2700 | MSWDM.EXE
2700 | MSWDM.EXE
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3728 wrote to memory of 5116 | 3728 | f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe | 80
PID 3728 wrote to memory of 5116 | 3728 | f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe | 80
PID 3728 wrote to memory of 5116 | 3728 | f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe | 80
PID 3728 wrote to memory of 2700 | 3728 | f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe | 81
PID 3728 wrote to memory of 2700 | 3728 | f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe | 81
PID 3728 wrote to memory of 2700 | 3728 | f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe | 81
PID 2700 wrote to memory of 3536 | 2700 | MSWDM.EXE | 82
PID 2700 wrote to memory of 3536 | 2700 | MSWDM.EXE | 82
PID 2700 wrote to memory of 3536 | 2700 | MSWDM.EXE | 82
PID 2700 wrote to memory of 5084 | 2700 | MSWDM.EXE | 83
PID 2700 wrote to memory of 5084 | 2700 | MSWDM.EXE | 83
PID 2700 wrote to memory of 5084 | 2700 | MSWDM.EXE | 83
Processes
C:\Users\Admin\AppData\Local\Temp\f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe"
  PID: 3728
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\WINDOWS\MSWDM.EXE
    Command line: "C:\WINDOWS\MSWDM.EXE"
    PID: 5116
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
  C:\WINDOWS\MSWDM.EXE
    Command line: -r!C:\Windows\devE2C3.tmp!C:\Users\Admin\AppData\Local\Temp\f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe! !
    PID: 2700
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\F9C33E8993D43E63F47B1AEEB9D38C8C2520C295593357AF17488CA6AE16465E.EXE
      PID: 3536
      - Executes dropped EXE
    C:\WINDOWS\MSWDM.EXE
      Command line: -e!C:\Windows\devE2C3.tmp!C:\Users\Admin\AppData\Local\Temp\F9C33E8993D43E63F47B1AEEB9D38C8C2520C295593357AF17488CA6AE16465E.EXE!
      PID: 5084
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\F9C33E8993D43E63F47B1AEEB9D38C8C2520C295593357AF17488CA6AE16465E.EXE
Filesize: 80KB
MD5: 56a11ca0c7d145e8b1010b7c97dc27f7
SHA1: 9f73bf0991bc9058f188c282bb6c84e58f43d75b
SHA256: 30c12cf52e3f8709676aa650516b61524ed5aa66e2aef216f66eb80504a12e71
SHA512: 4faa10edb1655c5e3957e80ae779fc9026da5fa89f66340f9e93942f9cec022da1fea71d91bf66a4d3cecc0375e06e3f1af8d57cbc79e4a61c80d74dd1865964

C:\Users\Admin\AppData\Local\Temp\F9C33E8993D43E63F47B1AEEB9D38C8C2520C295593357AF17488CA6AE16465E.EXE
Filesize: 702KB
MD5: 268b7957b8b4edc0325c34bb12fe9024
SHA1: cfb40e9fb8830173ab2cfb72907023dd165185dd
SHA256: 6a59e7616b4abec20338f51283b13764cc62aac1d83af91329cc7356710960d6
SHA512: 3f57a737f5dabbb6ab16806c5004a6c2c943d20ba1ef4d26e446366450c148c4afbed6685ac7dd5d8d1b67348985bb9e68ec13be540fb4bad7d91bafb33c4850

C:\Users\Admin\AppData\Local\Temp\f9c33e8993d43e63f47b1aeeb9d38c8c2520c295593357af17488ca6ae16465e.exe
Filesize: 622KB
MD5: a981419c39cc02259b8f2da3974000d9
SHA1: 905d359e2c5e8330d39b746132fa9779f52c0b93
SHA256: 6e9a4b2f2f62a5fc38c06c47c7ca6905276d05166da99b5fb70573934a0257b8
SHA512: ca08650618b15df511af16340448013f4aa09f7e4459cbe19d4c819255a30a37f54b03196356ca2ff98dade601cd811247a78382645ff53997f69aad962c3532