Overview

overview

8

Static

static

ffd2cd3152...ba.exe

windows7-x64

8

ffd2cd3152...ba.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    55s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2022, 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba.exe

  • Size

    373KB

  • MD5

    81db7c4a75845432c6465d971fc0c160

  • SHA1

    fea0ae4caa595a9b444ace4b64f0d35b3f8b78ce

  • SHA256

    ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba

  • SHA512

    23464d2c56d74825238565b5855b66fd5e9dd6f4abbb2eec46020b2d966fa3ad91fc4333a51bc57d54826d383bc6139405a5a1cccf208136ed857956561ae30e

  • SSDEEP

    6144:dcIhoZH+MWDYLZvzN5V+pOrVXl7HWrE+icB8aa36OCwb7eEk8vEE+M1P:2IhEWDYLZvEEXVHGbKaW60b7eX8vEkP

Score
8/10
aspackv2persistenceupx

Malware Config

Signatures

  • ASPack v2.12-2.42 5 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba.exe
    "C:\Users\Admin\AppData\Local\Temp\ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\4c856ba6.exe
      C:\4c856ba6.exe
      2⤵
      • Executes dropped EXE
      • Sets DLL path for service in the registry
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1408
  • C:\Windows\SysWOW64\Svchost.exe
    C:\Windows\SysWOW64\Svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    PID:960

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\4c856ba6.exe
    Filesize

    222KB

    MD5

    585c2390e02463e6711265e605eff0c7

    SHA1

    d076affdb51cb988509555f866d576aa309cf380

    SHA256

    09b7625008038ff223761acf9bac6bc4794700f336b99b1d1891b58c293bb082

    SHA512

    c829a8b6e70dcf42f6586a8cb0026b7289db55c56d39c7f712b3e43addb7a66eb83fd89cfa39fb306edc1b3db10c0dda7d05aeceddac94fe4a393427c60277f6

    Download Submit

  • C:\4c856ba6.exe
    Filesize

    222KB

    MD5

    585c2390e02463e6711265e605eff0c7

    SHA1

    d076affdb51cb988509555f866d576aa309cf380

    SHA256

    09b7625008038ff223761acf9bac6bc4794700f336b99b1d1891b58c293bb082

    SHA512

    c829a8b6e70dcf42f6586a8cb0026b7289db55c56d39c7f712b3e43addb7a66eb83fd89cfa39fb306edc1b3db10c0dda7d05aeceddac94fe4a393427c60277f6

    Download Submit

  • C:\Users\Infotmp.txt
    Filesize

    724B

    MD5

    2f5bb8c7342cebd28b6d35531e6fd835

    SHA1

    a05ee68662b96511a085a2bf8b17b5e9b85313e9

    SHA256

    e5c454669146f6d91cf76b7e574c6ac2aa571b4a34e57bf238a92051e9012155

    SHA512

    cbb82a82747c477e8d4a53f56afae66bbe18ce80cdd77d282303c7ada2c465bcfeac243a64670ad40a571670c3ced408465b1925d272d237bd73704d3f505b6e

    Download Submit

  • \??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll
    Filesize

    222KB

    MD5

    eca252e84ada8d896458393bfb62d022

    SHA1

    5f200c89df8d196e64987c3f6b61da52dcead693

    SHA256

    b0037b149a64cba1f5c382cd87e5d7a5ba6bf9ed1866c3af8cbf2c7e50bb5a1e

    SHA512

    dba28a7af38c222699405a98f34fabec2783a5842b3573cf432e050cf8f07013bc396b081842bd0625e33b6941ed90d2463eca8c66020db237cf61104fbb7484

    Download Submit

  • \Windows\SysWOW64\4E8604E8.tmp
    Filesize

    222KB

    MD5

    eca252e84ada8d896458393bfb62d022

    SHA1

    5f200c89df8d196e64987c3f6b61da52dcead693

    SHA256

    b0037b149a64cba1f5c382cd87e5d7a5ba6bf9ed1866c3af8cbf2c7e50bb5a1e

    SHA512

    dba28a7af38c222699405a98f34fabec2783a5842b3573cf432e050cf8f07013bc396b081842bd0625e33b6941ed90d2463eca8c66020db237cf61104fbb7484

    Download Submit

  • \Windows\SysWOW64\FastUserSwitchingCompatibility.dll
    Filesize

    222KB

    MD5

    eca252e84ada8d896458393bfb62d022

    SHA1

    5f200c89df8d196e64987c3f6b61da52dcead693

    SHA256

    b0037b149a64cba1f5c382cd87e5d7a5ba6bf9ed1866c3af8cbf2c7e50bb5a1e

    SHA512

    dba28a7af38c222699405a98f34fabec2783a5842b3573cf432e050cf8f07013bc396b081842bd0625e33b6941ed90d2463eca8c66020db237cf61104fbb7484

    Download Submit

  • memory/960-75-0x00000000741F0000-0x0000000074238000-memory.dmp

    Filesize

    288KB

    Download

  • memory/960-73-0x00000000741F0000-0x0000000074238000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1408-68-0x00000000741F0000-0x0000000074238000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1408-59-0x0000000000250000-0x0000000000298000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1408-65-0x0000000000250000-0x0000000000298000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1408-66-0x0000000002040000-0x0000000006040000-memory.dmp

    Filesize

    64.0MB

    Download

  • memory/1408-67-0x00000000757C0000-0x0000000075820000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1408-76-0x00000000757C0000-0x0000000075820000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1408-69-0x0000000002040000-0x0000000006040000-memory.dmp

    Filesize

    64.0MB

    Download

  • memory/2036-64-0x0000000000470000-0x00000000004B8000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2036-62-0x0000000000470000-0x00000000004D1000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2036-63-0x0000000000470000-0x00000000004B8000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2036-61-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2036-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2036-77-0x0000000074091000-0x0000000074093000-memory.dmp

    Filesize

    8KB

    Download