Analysis

  • max time kernel
    171s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 15:56 UTC

General

  • Target

    ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba.exe

  • Size

    373KB

  • MD5

    81db7c4a75845432c6465d971fc0c160

  • SHA1

    fea0ae4caa595a9b444ace4b64f0d35b3f8b78ce

  • SHA256

    ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba

  • SHA512

    23464d2c56d74825238565b5855b66fd5e9dd6f4abbb2eec46020b2d966fa3ad91fc4333a51bc57d54826d383bc6139405a5a1cccf208136ed857956561ae30e

  • SSDEEP

    6144:dcIhoZH+MWDYLZvzN5V+pOrVXl7HWrE+icB8aa36OCwb7eEk8vEE+M1P:2IhEWDYLZvEEXVHGbKaW60b7eX8vEkP

Malware Config

Signatures

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba.exe
    "C:\Users\Admin\AppData\Local\Temp\ffd2cd3152d78a2c7dd8815696095820ef52b30640dd04928165a831048e22ba.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\4c856ba6.exe
      C:\4c856ba6.exe
      2⤵
      • Executes dropped EXE
      • Sets DLL path for service in the registry
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2088
  • C:\Windows\SysWOW64\Svchost.exe
    C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
    1⤵
    • Loads dropped DLL
    PID:392

Network

  • flag-us
    DNS
    151.122.125.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    151.122.125.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • 93.184.220.29:80
    46 B
    40 B
    1
    1
  • 52.109.13.62:443
    40 B
    1
  • 93.184.220.29:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 20.189.173.13:443
    322 B
    7
  • 87.248.202.1:80
    322 B
    7
  • 87.248.202.1:80
    322 B
    7
  • 87.248.202.1:80
    322 B
    7
  • 93.184.220.29:80
    260 B
    5
  • 8.8.8.8:53
    151.122.125.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    151.122.125.40.in-addr.arpa

  • 8.8.8.8:53
    d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
    204 B
    1
    1

    DNS Request

    d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\4c856ba6.exe

    Filesize

    222KB

    MD5

    585c2390e02463e6711265e605eff0c7

    SHA1

    d076affdb51cb988509555f866d576aa309cf380

    SHA256

    09b7625008038ff223761acf9bac6bc4794700f336b99b1d1891b58c293bb082

    SHA512

    c829a8b6e70dcf42f6586a8cb0026b7289db55c56d39c7f712b3e43addb7a66eb83fd89cfa39fb306edc1b3db10c0dda7d05aeceddac94fe4a393427c60277f6

  • C:\Users\Infotmp.txt

    Filesize

    724B

    MD5

    006395c5626bbe5c01fd2fa62e11ded7

    SHA1

    1a69c87cf48265cb5573262b497bc2c6cbd06733

    SHA256

    e46d3754e4a30a79917cec26b0efd760bfb3575c010a616625db55543c3f4600

    SHA512

    5f2cf3227d23dc366ec13c64148ffab1777f061b1fe17e5f32fdab9f9b9e69b30de4796c4c685934559c16ae99467fa135f4db753f3e065f1ac77551c7337367

  • C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

    Filesize

    222KB

    MD5

    eca252e84ada8d896458393bfb62d022

    SHA1

    5f200c89df8d196e64987c3f6b61da52dcead693

    SHA256

    b0037b149a64cba1f5c382cd87e5d7a5ba6bf9ed1866c3af8cbf2c7e50bb5a1e

    SHA512

    dba28a7af38c222699405a98f34fabec2783a5842b3573cf432e050cf8f07013bc396b081842bd0625e33b6941ed90d2463eca8c66020db237cf61104fbb7484

  • \??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

    Filesize

    222KB

    MD5

    eca252e84ada8d896458393bfb62d022

    SHA1

    5f200c89df8d196e64987c3f6b61da52dcead693

    SHA256

    b0037b149a64cba1f5c382cd87e5d7a5ba6bf9ed1866c3af8cbf2c7e50bb5a1e

    SHA512

    dba28a7af38c222699405a98f34fabec2783a5842b3573cf432e050cf8f07013bc396b081842bd0625e33b6941ed90d2463eca8c66020db237cf61104fbb7484

  • memory/392-144-0x0000000075340000-0x0000000075388000-memory.dmp

    Filesize

    288KB

  • memory/392-142-0x0000000075340000-0x0000000075388000-memory.dmp

    Filesize

    288KB

  • memory/2088-135-0x0000000000DD0000-0x0000000000E18000-memory.dmp

    Filesize

    288KB

  • memory/2088-139-0x0000000002DC0000-0x0000000006DC0000-memory.dmp

    Filesize

    64.0MB

  • memory/2088-138-0x0000000002DC0000-0x0000000006DC0000-memory.dmp

    Filesize

    64.0MB

  • memory/2088-137-0x0000000000DD0000-0x0000000000E18000-memory.dmp

    Filesize

    288KB

  • memory/4244-136-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB
