4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752

General

Target

4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe
Size

661KB
MD5

069568413fab8ca7929868493dc63910
SHA1

59a41d59eb314ceb9c2cd3bc9c5856389517b216
SHA256

4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752
SHA512

71c87b0624d145acea3469a324677c211de8c5f791635fef66a304e26c893e6362abe7d5d677a3f84ac2509824ec51843d5d6c6af81fc1fe73b6f99dfb25b9ec
SSDEEP

12288:xLfPi1dJU0L/vI9mOxPEUKRknYYJ2tHhyXxAeUgrSACI7XHgZQKhJgeCmAQLf:xLfPi1dJU43I98U7nYYJ2tHhADSANLHw

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000022f5e-134.dat	aspack_v212_v242
behavioral2/files/0x0008000000022f5e-135.dat	aspack_v212_v242
behavioral2/files/0x0008000000022f5e-137.dat	aspack_v212_v242
behavioral2/files/0x0008000000022f5e-145.dat	aspack_v212_v242
behavioral2/files/0x0007000000022f5f-146.dat	aspack_v212_v242
behavioral2/files/0x0007000000022f5f-148.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
5072	MSWDM.EXE
5044	MSWDM.EXE
5032	4EA3DE95C6DB98C38146ACB629CEB14DF3435D80066D2AE46D348CB49ADF1752.EXE
1544	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe
File opened for modification	C:\Windows\dev9E3.tmp	4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe
File opened for modification	C:\Windows\dieA9F.tmp	MSWDM.EXE
File opened for modification	C:\Windows\dev9E3.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5044	MSWDM.EXE
5044	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 5072	4284	4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe	78
PID 4284 wrote to memory of 5072	4284	4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe	78
PID 4284 wrote to memory of 5072	4284	4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe	78
PID 4284 wrote to memory of 5044	4284	4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe	79
PID 4284 wrote to memory of 5044	4284	4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe	79
PID 4284 wrote to memory of 5044	4284	4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe	79
PID 5044 wrote to memory of 5032	5044	MSWDM.EXE	80
PID 5044 wrote to memory of 5032	5044	MSWDM.EXE	80
PID 5044 wrote to memory of 5032	5044	MSWDM.EXE	80
PID 5044 wrote to memory of 1544	5044	MSWDM.EXE	81
PID 5044 wrote to memory of 1544	5044	MSWDM.EXE	81
PID 5044 wrote to memory of 1544	5044	MSWDM.EXE	81

C:\Users\Admin\AppData\Local\Temp\4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe
"C:\Users\Admin\AppData\Local\Temp\4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4284
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:5072
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev9E3.tmp!C:\Users\Admin\AppData\Local\Temp\4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\4EA3DE95C6DB98C38146ACB629CEB14DF3435D80066D2AE46D348CB49ADF1752.EXE
    3⤵
    - Executes dropped EXE
    PID:5032
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev9E3.tmp!C:\Users\Admin\AppData\Local\Temp\4EA3DE95C6DB98C38146ACB629CEB14DF3435D80066D2AE46D348CB49ADF1752.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4EA3DE95C6DB98C38146ACB629CEB14DF3435D80066D2AE46D348CB49ADF1752.EXE

Filesize
39KB

MD5
f6c9ed3f41a85c7e49cec2ef45d7d658

SHA1
a1b7af16486b5de7ee7d56917f04eecefd8634d1

SHA256
eb95ac2418c3b104c795015764218a9e780ec7ca123b44f19579390865147989

SHA512
40c30d4c525d77e56694b0e093e25d778db836f999291b4e1b457dd1e0a3486143b09e849e580ce98ad924897cf4d86190559ccec1c18a876050ca8b634701ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\4EA3DE95C6DB98C38146ACB629CEB14DF3435D80066D2AE46D348CB49ADF1752.EXE

Filesize
661KB

MD5
9881242640e3bf1e6db882d6f0390fa5

SHA1
b5aba429432a71d9822d37171db006d51346d9e5

SHA256
fdecc05cf1bde2e82e8c7352a547477d260109bb686c353dfbe00ad913779b3f

SHA512
7dcccc4a8cd9bfc1018f5a20d43615c1b11b5f1ab52d61193d2cdff6b62340b10496a1866842ef155227e22c4eac8d8051084651738a1059d45b69ad0722d56c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ea3de95c6db98c38146acb629ceb14df3435d80066d2ae46d348cb49adf1752.exe

Filesize
622KB

MD5
a981419c39cc02259b8f2da3974000d9

SHA1
905d359e2c5e8330d39b746132fa9779f52c0b93

SHA256
6e9a4b2f2f62a5fc38c06c47c7ca6905276d05166da99b5fb70573934a0257b8

SHA512
ca08650618b15df511af16340448013f4aa09f7e4459cbe19d4c819255a30a37f54b03196356ca2ff98dade601cd811247a78382645ff53997f69aad962c3532

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
39KB

MD5
f6c9ed3f41a85c7e49cec2ef45d7d658

SHA1
a1b7af16486b5de7ee7d56917f04eecefd8634d1

SHA256
eb95ac2418c3b104c795015764218a9e780ec7ca123b44f19579390865147989

SHA512
40c30d4c525d77e56694b0e093e25d778db836f999291b4e1b457dd1e0a3486143b09e849e580ce98ad924897cf4d86190559ccec1c18a876050ca8b634701ca

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
f6c9ed3f41a85c7e49cec2ef45d7d658

SHA1
a1b7af16486b5de7ee7d56917f04eecefd8634d1

SHA256
eb95ac2418c3b104c795015764218a9e780ec7ca123b44f19579390865147989

SHA512
40c30d4c525d77e56694b0e093e25d778db836f999291b4e1b457dd1e0a3486143b09e849e580ce98ad924897cf4d86190559ccec1c18a876050ca8b634701ca

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
f6c9ed3f41a85c7e49cec2ef45d7d658

SHA1
a1b7af16486b5de7ee7d56917f04eecefd8634d1

SHA256
eb95ac2418c3b104c795015764218a9e780ec7ca123b44f19579390865147989

SHA512
40c30d4c525d77e56694b0e093e25d778db836f999291b4e1b457dd1e0a3486143b09e849e580ce98ad924897cf4d86190559ccec1c18a876050ca8b634701ca

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
f6c9ed3f41a85c7e49cec2ef45d7d658

SHA1
a1b7af16486b5de7ee7d56917f04eecefd8634d1

SHA256
eb95ac2418c3b104c795015764218a9e780ec7ca123b44f19579390865147989

SHA512
40c30d4c525d77e56694b0e093e25d778db836f999291b4e1b457dd1e0a3486143b09e849e580ce98ad924897cf4d86190559ccec1c18a876050ca8b634701ca

Download Submit
C:\Windows\dev9E3.tmp

Filesize
622KB

MD5
a981419c39cc02259b8f2da3974000d9

SHA1
905d359e2c5e8330d39b746132fa9779f52c0b93

SHA256
6e9a4b2f2f62a5fc38c06c47c7ca6905276d05166da99b5fb70573934a0257b8

SHA512
ca08650618b15df511af16340448013f4aa09f7e4459cbe19d4c819255a30a37f54b03196356ca2ff98dade601cd811247a78382645ff53997f69aad962c3532

Download Submit
memory/1544-144-0x0000000000000000-mapping.dmp

Download
memory/1544-147-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4284-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4284-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5032-140-0x0000000000000000-mapping.dmp

Download
memory/5044-143-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5044-136-0x0000000000000000-mapping.dmp

Download
memory/5044-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5072-142-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5072-133-0x0000000000000000-mapping.dmp

Download
memory/5072-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing