25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64

General

Target

25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
Size

2.0MB
MD5

e00a690d49c9e04126a1008947509746
SHA1

4f92021a4abe6b0e37535d1a82f17c16e23881c7
SHA256

25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64
SHA512

6a3c8e8cea1386f55a49dbc50933f1a2c02cc11f3a0340f7ed6eda208f9e1f46d4c1512ac0baac0f2d86e7dc2f6856355dc1030eca37b9d8966581854df3241d
SSDEEP

49152:V8ZTOpdNJQ/GAibqQyIVJfJ6b+9x8bVpnAI9lERm2H4bZoXghpwJXkQj:V82lQ/9imQJJob66bVpHlEVH4bZoXAiV

Score

8^/10

aspackv2 discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\{DAE0CFD2-5D86-4363-B2D6-25DD6EE36A5F}\isshell.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

SoftwareCenter.exe

pid process

568 SoftwareCenter.exe

pid	process
568	SoftwareCenter.exe

Loads dropped DLL 5 IoCs

Processes:

25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exeSoftwareCenter.exe

pid	process
1272	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
1272	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
1272	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
1272	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
568	SoftwareCenter.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 58 IoCs

Processes:

25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe

description	ioc	process
File created	C:\Program Files\Nsssoft\skin\7334.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\2913.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\4.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\软件中心.ico	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\5968.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\1502.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\Config.ini	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\12704_48_1394510720.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\13993_48_1397110476.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\minbtn.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\许可证.txt	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\7401.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\2555.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\8222.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\1810_48_1407311107.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\5342.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\6695.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\3936.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\9273.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\t015be67828ebe8a94f.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\SoftwareCenter.exe	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files (x86)\NSS电脑城装机工具\卸载 NSS电脑城装机工具.exe	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\5097.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\10283_48_1399879133.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\DuiLib.dll	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\5598.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\10599_48_1377244855.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\1006.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\4279.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\7316.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\DuiLib_d.dll	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\bk.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files (x86)\NSS电脑城装机工具\卸载 NSS电脑城装机工具.exe	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\6214.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\7352.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\5785.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\t01ca14efb39a139947.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\2524.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\2767.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\2.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\7298.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\3105.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\4130.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\13407_48_1396252362.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files (x86)\NSS电脑城装机工具\卸载 NSS电脑城装机工具.dat	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\1147.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\10432_48_1374119058.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\SoftWare.xml	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\10.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\10163_48_1372238016.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\5.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\btn_status.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\checkbox_check_status.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\closeicon.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\9553.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File opened for modification	C:\Program Files\Nsssoft\skin\logo.png	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
File created	C:\Program Files\Nsssoft\skin\6581.temp	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe

description	pid	process	target process
PID 1272 wrote to memory of 568	1272	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe	SoftwareCenter.exe
PID 1272 wrote to memory of 568	1272	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe	SoftwareCenter.exe
PID 1272 wrote to memory of 568	1272	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe	SoftwareCenter.exe
PID 1272 wrote to memory of 568	1272	25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe	SoftwareCenter.exe

C:\Users\Admin\AppData\Local\Temp\25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe
"C:\Users\Admin\AppData\Local\Temp\25785c538f75c7f30d6bc0c69f2e521c1bc2f6f3e8a7ca1ac50463972d94bd64.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1272

C:\Program Files\Nsssoft\SoftwareCenter.exe
"C:\Program Files\Nsssoft\SoftwareCenter.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Nsssoft\DuiLib.dll

Filesize
472KB

MD5
602020e69ad1b633539d995ad92ffdff

SHA1
1ce5cf3cc5d958f2b4e0821517f0f7f8e2dddfb9

SHA256
65d47d443a5d75c8a2e98e39c3326f14d7b7cf960328c1505dca70e241b40d3e

SHA512
2b770b612826f0838d1e1bfa73c6632ed8edfe2c44ac9f6252aac35b6fe51e88e72886012ae5fdad82582b4cebfe393aae9ad96ad26987a149c6aa24a3a37ef8

Download Submit
C:\Program Files\Nsssoft\SoftwareCenter.exe

Filesize
164KB

MD5
4fbf0562d3ab47f6da50641b877ad004

SHA1
71fe434df2c9b718bae2cb53fd418279883b4ae0

SHA256
3f2aeb8c3e6f83ee09c61de22243d8e82478b2266fca1e4c79876085bd30947a

SHA512
c898f9da6ca864633076bc2fdd68a517361b170518be301c01f3f11442eacb15661941f1ac96c781a88fd29ffbf2e63e92839d8c49eeb32f39cba36d4dbcf42f

Download Submit
\Program Files (x86)\NSS电脑城装机工具\卸载 NSS电脑城装机工具.exe

Filesize
190KB

MD5
44b73f0b3108c156385b53d4ce0ae44d

SHA1
d312e76e6145e3fe1ce9a3f8ce95ef3762686077

SHA256
b1afeb33e8d496f6d5a0b49d4ca348dcab862cdd16ecaeb0cb1c9d4acebab723

SHA512
3b91e979a179c39d548b1e96c07e957b62dcd0b6ed1e92f093262a0e1f760f55c34e41ae654337a7ce1f861482c72468df75b5d7944ee22ac5f380fc2f64d424

Download Submit
\Program Files\Nsssoft\DuiLib.dll

Filesize
472KB

MD5
602020e69ad1b633539d995ad92ffdff

SHA1
1ce5cf3cc5d958f2b4e0821517f0f7f8e2dddfb9

SHA256
65d47d443a5d75c8a2e98e39c3326f14d7b7cf960328c1505dca70e241b40d3e

SHA512
2b770b612826f0838d1e1bfa73c6632ed8edfe2c44ac9f6252aac35b6fe51e88e72886012ae5fdad82582b4cebfe393aae9ad96ad26987a149c6aa24a3a37ef8

Download Submit
\Program Files\Nsssoft\SoftwareCenter.exe

Filesize
164KB

MD5
4fbf0562d3ab47f6da50641b877ad004

SHA1
71fe434df2c9b718bae2cb53fd418279883b4ae0

SHA256
3f2aeb8c3e6f83ee09c61de22243d8e82478b2266fca1e4c79876085bd30947a

SHA512
c898f9da6ca864633076bc2fdd68a517361b170518be301c01f3f11442eacb15661941f1ac96c781a88fd29ffbf2e63e92839d8c49eeb32f39cba36d4dbcf42f

Download Submit
\Program Files\Nsssoft\SoftwareCenter.exe

Filesize
164KB

MD5
4fbf0562d3ab47f6da50641b877ad004

SHA1
71fe434df2c9b718bae2cb53fd418279883b4ae0

SHA256
3f2aeb8c3e6f83ee09c61de22243d8e82478b2266fca1e4c79876085bd30947a

SHA512
c898f9da6ca864633076bc2fdd68a517361b170518be301c01f3f11442eacb15661941f1ac96c781a88fd29ffbf2e63e92839d8c49eeb32f39cba36d4dbcf42f

Download Submit
\Users\Admin\AppData\Local\Temp\{DAE0CFD2-5D86-4363-B2D6-25DD6EE36A5F}\isshell.dat

Filesize
840KB

MD5
4cbd8a1333afb118f00f2a56d7e11782

SHA1
02483c6d2a2b55ccd179629da201493f3d8f7633

SHA256
99734cee1bc5c3e00c79a1eae4e26015c088ae07ca490a77ccddca87c6f25cdc

SHA512
499517b5477407a45964b705794b41837f33bcb544cb248ce3e81c9a824253f46cf9af7e662432226ec667a7bf5acd48893a4e4acb5edcde7c4e2196eaca6e8a

Download Submit
memory/568-59-0x0000000000000000-mapping.dmp

Download
memory/1272-55-0x0000000074C41000-0x0000000074C43000-memory.dmp

Filesize
8KB

Download
memory/1272-56-0x0000000001DC0000-0x0000000002060000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads