Analysis

  • max time kernel
    147s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-11-2022 13:08

General

  • Target

    401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe

  • Size

    45KB

  • MD5

    0825a8dc788a065f6c83bac0198704a3

  • SHA1

    c5e6eb4acee804a0ae1e3a0cdbb4d40dc5f7d736

  • SHA256

    401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16

  • SHA512

    d98ac956c651a1a95c96f35bc4fcb4e44e22ef8ec716559cd951c5255169ee7c5dfde5712f43834b965bb5012f18e43984131393f889d026a60c15475479adf6

  • SSDEEP

    768:gAYG+lzc/ujL+yuSElTTrA7e/GMHZHfsOCawygumxmha5:r+9+yVWTI7eDNfsOCVbun

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 7 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe
    "C:\Users\Admin\AppData\Local\Temp\401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Adds policy Run key to start application
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4392
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\temp\hujksrtjr.inf
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Windows\SysWOW64\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\SysWOW64\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
          PID:3108
    • C:\Windows\temp\conima.exe
      C:\Windows\temp\conima.exe -sysrun
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:624
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\temp\PvOLAgIQ.bat
      2⤵
      PID:3348

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Hidden Files and Directories, T1158 (1)
    • Registry Run Keys / Startup Folder, T1060 (2)
  • Defense Evasion
    • Hidden Files and Directories, T1158 (1)
    • Modify Registry, T1112 (4)
  • Discovery
    • Query Registry, T1012 (1)
    • System Information Discovery, T1082 (1)


Downloads

  • C:\Windows\Temp\conima.exe
    Filesize: 45KB
    MD5: 0825a8dc788a065f6c83bac0198704a3
    SHA1: c5e6eb4acee804a0ae1e3a0cdbb4d40dc5f7d736
    SHA256: 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16
    SHA512: d98ac956c651a1a95c96f35bc4fcb4e44e22ef8ec716559cd951c5255169ee7c5dfde5712f43834b965bb5012f18e43984131393f889d026a60c15475479adf6

  • C:\Windows\temp\PvOLAgIQ.bat
    Filesize: 254B
    MD5: 115d9c2e2cad61389a11d505d63a2a5c
    SHA1: b6057702b3ea4e3b704bf1e15512a467acc60413
    SHA256: 0b413b4fdbc849e420030b7d31b48e759979b48063fc543a474ff315ba2e7d18
    SHA512: 35867931b869b094264c23f62df34eb79c7e0662c015f1f4e92eb480a10bfb178d4dd4fc05892ce655750f16b77d34576d637b1752a52196577a59a60e199146

  • C:\Windows\temp\conima.exe
    Filesize: 45KB
    MD5: 0825a8dc788a065f6c83bac0198704a3
    SHA1: c5e6eb4acee804a0ae1e3a0cdbb4d40dc5f7d736
    SHA256: 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16
    SHA512: d98ac956c651a1a95c96f35bc4fcb4e44e22ef8ec716559cd951c5255169ee7c5dfde5712f43834b965bb5012f18e43984131393f889d026a60c15475479adf6

  • C:\Windows\temp\hujksrtjr.inf
    Filesize: 371B
    MD5: cddafe5b551b7c4cbc4fa67d5de6e1ad
    SHA1: bde6279d749e7d0427dbe45d4094351c1f302dab
    SHA256: d0f25a7019458f54409a446c9614d6df14864df1d5d148ea4e818a0813980eb9
    SHA512: 9e528dbaaf84cf4ef7a8931654e782a02396709311adcc756c42543d63966fd5517bb3f4c9dc9d99e7d6608ad676a44f388909ceac65bf98223167ab0a3a83e2

  • memory/624-138-0x0000000000000000-mapping.dmp
  • memory/624-143-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB
  • memory/624-148-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB
  • memory/1800-137-0x0000000000000000-mapping.dmp
  • memory/3108-146-0x0000000000000000-mapping.dmp
  • memory/3348-144-0x0000000000000000-mapping.dmp
  • memory/3736-135-0x0000000000000000-mapping.dmp
  • memory/4392-134-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB
  • memory/4392-147-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB