Analysis

  • max time kernel
    171s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2022 15:56

General

  • Target

    ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba.exe

  • Size

    373KB

  • MD5

    81db7c4a75845432c6465d971fc0c160

  • SHA1

    fea0ae4caa595a9b444ace4b64f0d35b3f8b78ce

  • SHA256

    ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba

  • SHA512

    23464d2c56d74825238565b5855b66fd5e9dd6f4abbb2eec46020b2d966fa3ad91fc4333a51bc57d54826d383bc6139405a5a1cccf208136ed857956561ae30e

  • SSDEEP

    6144:dcIhoZH+MWDYLZvzN5V+pOrVXl7HWrE+icB8aa36OCwb7eEk8vEE+M1P:2IhEWDYLZvEEXVHGbKaW60b7eX8vEkP

Malware Config

Signatures

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba.exe
    "C:\Users\Admin\AppData\Local\Temp\ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\4c856ba6.exe
      C:\4c856ba6.exe
      2⤵
      • Executes dropped EXE
      • Sets DLL path for service in the registry
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2088
  • C:\Windows\SysWOW64\Svchost.exe
    C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
    1⤵
    • Loads dropped DLL
    PID:392

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\4c856ba6.exe

    Filesize

    222KB

    MD5

    585c2390e02463e6711265e605eff0c7

    SHA1

    d076affdb51cb988509555f866d576aa309cf380

    SHA256

    09b7625008038ff223761acf9bac6bc4794700f336b99b1d1891b58c293bb082

    SHA512

    c829a8b6e70dcf42f6586a8cb0026b7289db55c56d39c7f712b3e43addb7a66eb83fd89cfa39fb306edc1b3db10c0dda7d05aeceddac94fe4a393427c60277f6

  • C:\Users\Infotmp.txt

    Filesize

    724B

    MD5

    006395c5626bbe5c01fd2fa62e11ded7

    SHA1

    1a69c87cf48265cb5573262b497bc2c6cbd06733

    SHA256

    e46d3754e4a30a79917cec26b0efd760bfb3575c010a616625db55543c3f4600

    SHA512

    5f2cf3227d23dc366ec13c64148ffab1777f061b1fe17e5f32fdab9f9b9e69b30de4796c4c685934559c16ae99467fa135f4db753f3e065f1ac77551c7337367

  • C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

    Filesize

    222KB

    MD5

    eca252e84ada8d896458393bfb62d022

    SHA1

    5f200c89df8d196e64987c3f6b61da52dcead693

    SHA256

    b0037b149a64cba1f5c382cd87e5d7a5ba6bf9ed1866c3af8cbf2c7e50bb5a1e

    SHA512

    dba28a7af38c222699405a98f34fabec2783a5842b3573cf432e050cf8f07013bc396b081842bd0625e33b6941ed90d2463eca8c66020db237cf61104fbb7484

  • \??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

    Filesize

    222KB

    MD5

    eca252e84ada8d896458393bfb62d022

    SHA1

    5f200c89df8d196e64987c3f6b61da52dcead693

    SHA256

    b0037b149a64cba1f5c382cd87e5d7a5ba6bf9ed1866c3af8cbf2c7e50bb5a1e

    SHA512

    dba28a7af38c222699405a98f34fabec2783a5842b3573cf432e050cf8f07013bc396b081842bd0625e33b6941ed90d2463eca8c66020db237cf61104fbb7484

  • memory/392-144-0x0000000075340000-0x0000000075388000-memory.dmp

    Filesize

    288KB

  • memory/392-142-0x0000000075340000-0x0000000075388000-memory.dmp

    Filesize

    288KB

  • memory/2088-135-0x0000000000DD0000-0x0000000000E18000-memory.dmp

    Filesize

    288KB

  • memory/2088-139-0x0000000002DC0000-0x0000000006DC0000-memory.dmp

    Filesize

    64.0MB

  • memory/2088-138-0x0000000002DC0000-0x0000000006DC0000-memory.dmp

    Filesize

    64.0MB

  • memory/2088-137-0x0000000000DD0000-0x0000000000E18000-memory.dmp

    Filesize

    288KB

  • memory/4244-136-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB