Overview

overview

8

Static

static

8

a6fb51f37c...d8.exe

windows7-x64

8

a6fb51f37c...d8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2022 11:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6fb51f37c5d93e55bd0fdf2e40a3cb63f87c7600f0e528a6f3f992ff204a4d8.exe

  • Size

    647KB

  • MD5

    0e870a0e9fe930cd3a02d02ddf0d7ad0

  • SHA1

    01c7e22d895d9cd69e3ed50e81124f285ca42f02

  • SHA256

    a6fb51f37c5d93e55bd0fdf2e40a3cb63f87c7600f0e528a6f3f992ff204a4d8

  • SHA512

    cac78730d0e609d32bbde9ed28387c274d2dcaf8c42b7749591905564137386a7d7b272e8b9d8e6c105932f2598ff8f40808d4b1aa702abac503e284d953364e

  • SSDEEP

    12288:1pSrU96Qtnh2IUuyba+GbubYwAEkAVnQgqiaSgWQgVzLP2+2FDX1G:1mU9hthfaW+Iub7mAVnQ3XpDmzLP2PXo

Score
8/10
aspackv2spywarestealer

Malware Config

Signatures

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 54 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2596
      • C:\Users\Admin\AppData\Local\Temp\a6fb51f37c5d93e55bd0fdf2e40a3cb63f87c7600f0e528a6f3f992ff204a4d8.exe
        "C:\Users\Admin\AppData\Local\Temp\a6fb51f37c5d93e55bd0fdf2e40a3cb63f87c7600f0e528a6f3f992ff204a4d8.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:528
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\021531.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4084
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
            4⤵
              PID:384
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
              4⤵
                PID:1080
        • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
          "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
          1⤵
            PID:4940
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
            1⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2116
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:17410 /prefetch:2
              2⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:3560

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\021531.bat
            Filesize

            5KB

            MD5

            ad0d80bf6b4292dbada25f7f8fd6556c

            SHA1

            40133d1dea9905bf406fb88efcb57cd693e6cf43

            SHA256

            081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1

            SHA512

            76eaacabecaaed7b4eb53fbc5db4d53b15ccdbe6526119346dc444e932cc1ebfffb74b0df3f54c85168d72082f9017802e9775bc178a58fcac0ab3c1ddb519cb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\D392D2\DHovvFC.dll
            Filesize

            481KB

            MD5

            d8c8c9cac9130725ffbe0da3c6af9650

            SHA1

            b9c64e2f573ea97e47987e90726ca53da655d9f7

            SHA256

            78b9bce612935ef0306cc37b7922f321044b0a67f6842b1d628710b66779cdaa

            SHA512

            d7579560c22d1def17b14b23de8527aef0228f219e9c3bcd0cd0f71d53158f4abfca97119ca2f1bf09c3999904fb971d711d250e3323fd01f94815daf68dbbb7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\D392D2\DHovvFC.dll
            Filesize

            481KB

            MD5

            d8c8c9cac9130725ffbe0da3c6af9650

            SHA1

            b9c64e2f573ea97e47987e90726ca53da655d9f7

            SHA256

            78b9bce612935ef0306cc37b7922f321044b0a67f6842b1d628710b66779cdaa

            SHA512

            d7579560c22d1def17b14b23de8527aef0228f219e9c3bcd0cd0f71d53158f4abfca97119ca2f1bf09c3999904fb971d711d250e3323fd01f94815daf68dbbb7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\D392D2\vmttqoI.dll
            Filesize

            531KB

            MD5

            d5fd0b6ea7362eeadaea2c6e26bb655c

            SHA1

            38e1d4f73b95a065a24759a1888da01ab34a979d

            SHA256

            6735551f6f0e3fd2dacb889c02a6bbf229760bb1110f3859a0f1c334ea9e5d24

            SHA512

            1e6f3661626ac13fe0592902564d83939f7b5c4a34fb25cbce928c52c9989acffe8e701c905d45cc1a0030dd6185799109d560665eaa6f73cc749316ce1b91aa

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\D392D2\vmttqoI.dll
            Filesize

            531KB

            MD5

            d5fd0b6ea7362eeadaea2c6e26bb655c

            SHA1

            38e1d4f73b95a065a24759a1888da01ab34a979d

            SHA256

            6735551f6f0e3fd2dacb889c02a6bbf229760bb1110f3859a0f1c334ea9e5d24

            SHA512

            1e6f3661626ac13fe0592902564d83939f7b5c4a34fb25cbce928c52c9989acffe8e701c905d45cc1a0030dd6185799109d560665eaa6f73cc749316ce1b91aa

            Download Submit