13e6ff5cb9fdf2ba6560edda8afa17724d14122dd087af29004c7684cb6c4252

Analysis

max time kernel
149s
max time network
246s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37de64b99682484279f81911840da0e9.exe
Size

700KB
MD5

37de64b99682484279f81911840da0e9
SHA1

77508881129ba06fcc0f99633900cb25d17f2e19
SHA256

13e6ff5cb9fdf2ba6560edda8afa17724d14122dd087af29004c7684cb6c4252
SHA512

73df3a16038fe07126e8b39da5f2e88170d3e312890f25d5f2d371bbcaab516bb5b25220d5ff4e2bd5bade5c343136b0893e8304927c865fadd71f0a50e230b4
SSDEEP

12288:LjuRRtahe+F+8OxQa3FxvNW5RtAlwc3hr6xkH:LqRTao+cxLVpCRtUwckxm

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\E_N60005\krnln.fnr	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\E_N60005\eAPI.fne	aspack_v212_v242

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

AMS.exe

pid process

808 AMS.exe

pid	process
808	AMS.exe

Loads dropped DLL 9 IoCs

Processes:

37de64b99682484279f81911840da0e9.exeAMS.exe

pid	process
1492	37de64b99682484279f81911840da0e9.exe
1492	37de64b99682484279f81911840da0e9.exe
808	AMS.exe
808	AMS.exe
808	AMS.exe
808	AMS.exe
808	AMS.exe
808	AMS.exe
808	AMS.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

37de64b99682484279f81911840da0e9.exeAMS.exe

pid process

1492 37de64b99682484279f81911840da0e9.exe
808 AMS.exe
808 AMS.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

37de64b99682484279f81911840da0e9.exeAMS.exe

pid	process
1492	37de64b99682484279f81911840da0e9.exe
1492	37de64b99682484279f81911840da0e9.exe
808	AMS.exe
808	AMS.exe
808	AMS.exe
808	AMS.exe
808	AMS.exe
808	AMS.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

37de64b99682484279f81911840da0e9.exe

description	pid	process	target process
PID 1492 wrote to memory of 808	1492	37de64b99682484279f81911840da0e9.exe	AMS.exe
PID 1492 wrote to memory of 808	1492	37de64b99682484279f81911840da0e9.exe	AMS.exe
PID 1492 wrote to memory of 808	1492	37de64b99682484279f81911840da0e9.exe	AMS.exe
PID 1492 wrote to memory of 808	1492	37de64b99682484279f81911840da0e9.exe	AMS.exe
PID 1492 wrote to memory of 808	1492	37de64b99682484279f81911840da0e9.exe	AMS.exe
PID 1492 wrote to memory of 808	1492	37de64b99682484279f81911840da0e9.exe	AMS.exe
PID 1492 wrote to memory of 808	1492	37de64b99682484279f81911840da0e9.exe	AMS.exe

C:\Users\Admin\AppData\Local\Temp\37de64b99682484279f81911840da0e9.exe
"C:\Users\Admin\AppData\Local\Temp\37de64b99682484279f81911840da0e9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\AMS.exe
C:\Users\Admin\AppData\Local\Temp\AMS.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AMS.exe

Filesize
7.3MB

MD5
9dcf15542011cbfeb49c2081dc7b2cb5

SHA1
639616c735fedda841f9ff6e366298181604e632

SHA256
af627addc0146dfa2e5c4c60e755397245d74469b5898f1887ba8db82afb37c5

SHA512
f992aaad4fb5af0e6843dc35230841880e33405220ed57fc4d508ca1b85f38d69fc78bce32c909422c6ee9a43da18439955186f10988b942b0a6db0779c3dc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMS.exe

Filesize
7.3MB

MD5
9dcf15542011cbfeb49c2081dc7b2cb5

SHA1
639616c735fedda841f9ff6e366298181604e632

SHA256
af627addc0146dfa2e5c4c60e755397245d74469b5898f1887ba8db82afb37c5

SHA512
f992aaad4fb5af0e6843dc35230841880e33405220ed57fc4d508ca1b85f38d69fc78bce32c909422c6ee9a43da18439955186f10988b942b0a6db0779c3dc4e

Download Submit
\Users\Admin\AppData\Local\Temp\AMS.exe

Filesize
7.3MB

MD5
9dcf15542011cbfeb49c2081dc7b2cb5

SHA1
639616c735fedda841f9ff6e366298181604e632

SHA256
af627addc0146dfa2e5c4c60e755397245d74469b5898f1887ba8db82afb37c5

SHA512
f992aaad4fb5af0e6843dc35230841880e33405220ed57fc4d508ca1b85f38d69fc78bce32c909422c6ee9a43da18439955186f10988b942b0a6db0779c3dc4e

Download Submit
\Users\Admin\AppData\Local\Temp\AMS.exe

Filesize
7.3MB

MD5
9dcf15542011cbfeb49c2081dc7b2cb5

SHA1
639616c735fedda841f9ff6e366298181604e632

SHA256
af627addc0146dfa2e5c4c60e755397245d74469b5898f1887ba8db82afb37c5

SHA512
f992aaad4fb5af0e6843dc35230841880e33405220ed57fc4d508ca1b85f38d69fc78bce32c909422c6ee9a43da18439955186f10988b942b0a6db0779c3dc4e

Download Submit
\Users\Admin\AppData\Local\Temp\AMS.exe

Filesize
7.3MB

MD5
9dcf15542011cbfeb49c2081dc7b2cb5

SHA1
639616c735fedda841f9ff6e366298181604e632

SHA256
af627addc0146dfa2e5c4c60e755397245d74469b5898f1887ba8db82afb37c5

SHA512
f992aaad4fb5af0e6843dc35230841880e33405220ed57fc4d508ca1b85f38d69fc78bce32c909422c6ee9a43da18439955186f10988b942b0a6db0779c3dc4e

Download Submit
\Users\Admin\AppData\Local\Temp\AMS.exe

Filesize
7.3MB

MD5
9dcf15542011cbfeb49c2081dc7b2cb5

SHA1
639616c735fedda841f9ff6e366298181604e632

SHA256
af627addc0146dfa2e5c4c60e755397245d74469b5898f1887ba8db82afb37c5

SHA512
f992aaad4fb5af0e6843dc35230841880e33405220ed57fc4d508ca1b85f38d69fc78bce32c909422c6ee9a43da18439955186f10988b942b0a6db0779c3dc4e

Download Submit
\Users\Admin\AppData\Local\Temp\AMS.exe

Filesize
7.3MB

MD5
9dcf15542011cbfeb49c2081dc7b2cb5

SHA1
639616c735fedda841f9ff6e366298181604e632

SHA256
af627addc0146dfa2e5c4c60e755397245d74469b5898f1887ba8db82afb37c5

SHA512
f992aaad4fb5af0e6843dc35230841880e33405220ed57fc4d508ca1b85f38d69fc78bce32c909422c6ee9a43da18439955186f10988b942b0a6db0779c3dc4e

Download Submit
\Users\Admin\AppData\Local\Temp\E_N60005\ExuiKrnln.fne

Filesize
1.9MB

MD5
37366c1f3b98360ad781499cf90b02e9

SHA1
ac6c292a9528730c46c3e5c901fc98b4db687f1c

SHA256
6a6a1c72016470034c8ad3ce8abd4a2322e113fc500f0de40c5bb1100e4179f3

SHA512
530b80af23d75535f0aa9aebe7c84f3c09aee7a6075a338546a634efccbc675874e7ad7e46ca2bee523bba4deadf3a4e6fc70b3d549b7144a8667c0d19f607e9

Download Submit
\Users\Admin\AppData\Local\Temp\E_N60005\eAPI.fne

Filesize
156KB

MD5
4bfd2196a035808bc2108909d70f40e0

SHA1
2055e2f5faebe89c39bb54000cabd77f2f684294

SHA256
b8c03b0f0dfdde3fe33ac63b9322a1f72ef56748c8cde860a320ac9d6f868adc

SHA512
b845d2b6309434600a5e922bebb43d9305d4316fff0b7d59aa0615e5aa68a3a112737f733d141e56a1b87b0631d6c66ca18a0273e16632598ccf3bee99d4da46

Download Submit
\Users\Admin\AppData\Local\Temp\E_N60005\krnln.fnr

Filesize
597KB

MD5
e20929ea2cd3cc34b3b6f30cc6a4d723

SHA1
31793f3f10f0964b50826e10df74e36002e2f9e5

SHA256
96e1778537df3ce9868806f4ff4b9b1eb682a7f52e33497cfa4f6fefbd164584

SHA512
cd6f7e914bdff45977c058b49a60cd25f6a8d12838096ff63fb433de23a3705a679ede6be628c298ede5c9a42465a26864b6bbff03fc4bca6128cec764614931

Download Submit
\Users\Admin\AppData\Local\Temp\E_N60005\shellEx.fne

Filesize
14KB

MD5
cbe7b9dbe063b6f94b1b53e936f6c0a4

SHA1
9dc41d44da76f65f00bd74e59cfb2be07f19756a

SHA256
f7f2a1dee67bb04b990d04eae4fd5d83a4b415b0ccfba83d557f1373b0119f36

SHA512
81580a1beb8594ec8687b680338f2ff7cec5af312ff28cab4aaa63ce3aeac6d5cf26b00e8bd42cfce29439d65a41211bbb796f6d80498642de3271c834a7a129

Download Submit
memory/808-71-0x0000000010000000-0x000000001014E000-memory.dmp

Filesize
1.3MB

Download
memory/808-67-0x0000000000EF0000-0x000000000142D000-memory.dmp

Filesize
5.2MB

Download
memory/808-68-0x0000000000EF0000-0x000000000142D000-memory.dmp

Filesize
5.2MB

Download
memory/808-69-0x0000000000EF0000-0x000000000142D000-memory.dmp

Filesize
5.2MB

Download
memory/808-73-0x0000000003530000-0x000000000363D000-memory.dmp

Filesize
1.1MB

Download
memory/808-57-0x0000000000000000-mapping.dmp

Download
memory/808-78-0x0000000003C20000-0x0000000003C80000-memory.dmp

Filesize
384KB

Download
memory/808-66-0x0000000000400000-0x000000000093D000-memory.dmp

Filesize
5.2MB

Download
memory/808-80-0x0000000000400000-0x000000000093D000-memory.dmp

Filesize
5.2MB

Download
memory/1492-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download
memory/1492-60-0x0000000003280000-0x00000000037BD000-memory.dmp

Filesize
5.2MB

Download
memory/1492-65-0x0000000003280000-0x00000000037BD000-memory.dmp

Filesize
5.2MB

Download