87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0

Analysis

max time kernel
48s
max time network
72s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
Size

1.9MB
MD5

7c39481d6f7a9e6b5d13dcabb8e66a87
SHA1

cd38147395a8b87979c72f32f70f8b87ca81f6d7
SHA256

87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0
SHA512

dfb2f2f7b75ea0e0f020b92062232db45b6e7a53dee149d864b122eeeca9b7cb0d5b5a25e8f9ccd672b428d9da80829079da1498b4bad5451e9b411eeee672ca
SSDEEP

49152:HIbGWn+c26c85uTwbxsN5BhdNxfQ9kp8ijIF+zzA+fJtXRk/aS:H8+c2v85uTwbsx42bIY33tXRk/aS

Score

8^/10

aspackv2 bootkit persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000013359-55.dat	aspack_v212_v242
behavioral1/files/0x0007000000013359-58.dat	aspack_v212_v242
behavioral1/files/0x0007000000013359-60.dat	aspack_v212_v242
behavioral1/files/0x0007000000013359-61.dat	aspack_v212_v242
behavioral1/files/0x0007000000013359-62.dat	aspack_v212_v242
behavioral1/files/0x0007000000013359-63.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
520	update.exe
1684	unrar.exe

Loads dropped DLL 9 IoCs

pid	Process
1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
520	update.exe
520	update.exe
520	update.exe
520	update.exe
520	update.exe
1684	unrar.exe
1684	unrar.exe
1684	unrar.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lendsoft.txt	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
520	update.exe
520	update.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 520	1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe	30
PID 1932 wrote to memory of 520	1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe	30
PID 1932 wrote to memory of 520	1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe	30
PID 1932 wrote to memory of 520	1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe	30
PID 1932 wrote to memory of 520	1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe	30
PID 1932 wrote to memory of 520	1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe	30
PID 1932 wrote to memory of 520	1932	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe	30
PID 520 wrote to memory of 1684	520	update.exe	31
PID 520 wrote to memory of 1684	520	update.exe	31
PID 520 wrote to memory of 1684	520	update.exe	31
PID 520 wrote to memory of 1684	520	update.exe	31
PID 520 wrote to memory of 1684	520	update.exe	31
PID 520 wrote to memory of 1684	520	update.exe	31
PID 520 wrote to memory of 1684	520	update.exe	31

C:\Users\Admin\AppData\Local\Temp\87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
"C:\Users\Admin\AppData\Local\Temp\87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\update.exe
  C:\Users\Admin\AppData\Local\Temp\update.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Users\Admin\AppData\Local\Temp\unrar.exe
    C:\Users\Admin\AppData\Local\Temp\unrar.exe x -y C:\Users\Admin\AppData\Local\Temp\WebDown2018.rar C:\Users\Admin\AppData\Local\Temp\rar\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WebDown2018.rar

Filesize
1.7MB

MD5
4adcad0c676c1ba564c7e4d40896b34b

SHA1
cb4a7a385163aa76076a38447ff16a0b3a32f5f1

SHA256
375860f0f06faebae0af54e60ff3008994dd1f5148352e3e0c803550c8dd5fa5

SHA512
c7b3272fe7d7200d055a27208ebf4dde35e230523eb273f12a41949503fae434ec6a36489cee5a6556fb28444492c70cf32e8b2458c751ed39d5a077cdf19d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\unrar.exe

Filesize
211KB

MD5
573f0ebcc10d874c292ae88e0c264280

SHA1
9cede5d4185b9f170047e70d57c11c648c6db4e2

SHA256
83fb59f6eb313da7edea631fc29b8825ad95cf1914835460a49e1ccbc6fe9327

SHA512
71d3d2de63a2e174e9f1f0ef3ce74e63c6ed652fc1c21e833b0752e1460bd205e2ef87b28591e722dc29c3dc9f5f72a15a23d34a92639668216e9dc14f32b163

Download Submit
C:\Users\Admin\AppData\Local\Temp\unrar.exe

Filesize
211KB

MD5
573f0ebcc10d874c292ae88e0c264280

SHA1
9cede5d4185b9f170047e70d57c11c648c6db4e2

SHA256
83fb59f6eb313da7edea631fc29b8825ad95cf1914835460a49e1ccbc6fe9327

SHA512
71d3d2de63a2e174e9f1f0ef3ce74e63c6ed652fc1c21e833b0752e1460bd205e2ef87b28591e722dc29c3dc9f5f72a15a23d34a92639668216e9dc14f32b163

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
352KB

MD5
45f7b737104474b7824d04626b11834b

SHA1
24614d75ea98fc673e38f221471fe1c159ef3565

SHA256
76b99c920bc83097df92f6cddade0347d2aaa6a71cb5b328e3107fc6e4a6c6fd

SHA512
a442f861fdbbc7206f636028d8ad364e18d68130b8b841692c32c50352205772b616db530aa44ce084be5a540d78ef26f3bcd3084cb17c2905bbff7bba7fd605

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
352KB

MD5
45f7b737104474b7824d04626b11834b

SHA1
24614d75ea98fc673e38f221471fe1c159ef3565

SHA256
76b99c920bc83097df92f6cddade0347d2aaa6a71cb5b328e3107fc6e4a6c6fd

SHA512
a442f861fdbbc7206f636028d8ad364e18d68130b8b841692c32c50352205772b616db530aa44ce084be5a540d78ef26f3bcd3084cb17c2905bbff7bba7fd605

Download Submit
C:\Windows\SysWOW64\Lendsoft.txt

Filesize
123B

MD5
89c7be53dfbc503757d0f9d21e5b86b5

SHA1
dad7369bd2faadf8666fe3123e9d57e4ba99f28d

SHA256
5b771a585b7450538ed68d66964f637b76690c53d1f9d7ad67529c6f2f46bc1b

SHA512
e37221d758b92d9be042e9586f1331cc47bb941e68fecf716fc4c5affda8c2c34e8abe0f94cad1311dddaf8613fd4d979e311cd45176c71d257b831000f084d1

Download Submit
\Users\Admin\AppData\Local\Temp\unrar.exe

Filesize
211KB

MD5
573f0ebcc10d874c292ae88e0c264280

SHA1
9cede5d4185b9f170047e70d57c11c648c6db4e2

SHA256
83fb59f6eb313da7edea631fc29b8825ad95cf1914835460a49e1ccbc6fe9327

SHA512
71d3d2de63a2e174e9f1f0ef3ce74e63c6ed652fc1c21e833b0752e1460bd205e2ef87b28591e722dc29c3dc9f5f72a15a23d34a92639668216e9dc14f32b163

Download Submit
\Users\Admin\AppData\Local\Temp\unrar.exe

Filesize
211KB

MD5
573f0ebcc10d874c292ae88e0c264280

SHA1
9cede5d4185b9f170047e70d57c11c648c6db4e2

SHA256
83fb59f6eb313da7edea631fc29b8825ad95cf1914835460a49e1ccbc6fe9327

SHA512
71d3d2de63a2e174e9f1f0ef3ce74e63c6ed652fc1c21e833b0752e1460bd205e2ef87b28591e722dc29c3dc9f5f72a15a23d34a92639668216e9dc14f32b163

Download Submit
\Users\Admin\AppData\Local\Temp\unrar.exe

Filesize
211KB

MD5
573f0ebcc10d874c292ae88e0c264280

SHA1
9cede5d4185b9f170047e70d57c11c648c6db4e2

SHA256
83fb59f6eb313da7edea631fc29b8825ad95cf1914835460a49e1ccbc6fe9327

SHA512
71d3d2de63a2e174e9f1f0ef3ce74e63c6ed652fc1c21e833b0752e1460bd205e2ef87b28591e722dc29c3dc9f5f72a15a23d34a92639668216e9dc14f32b163

Download Submit
\Users\Admin\AppData\Local\Temp\unrar.exe

Filesize
211KB

MD5
573f0ebcc10d874c292ae88e0c264280

SHA1
9cede5d4185b9f170047e70d57c11c648c6db4e2

SHA256
83fb59f6eb313da7edea631fc29b8825ad95cf1914835460a49e1ccbc6fe9327

SHA512
71d3d2de63a2e174e9f1f0ef3ce74e63c6ed652fc1c21e833b0752e1460bd205e2ef87b28591e722dc29c3dc9f5f72a15a23d34a92639668216e9dc14f32b163

Download Submit
\Users\Admin\AppData\Local\Temp\unrar.exe

Filesize
211KB

MD5
573f0ebcc10d874c292ae88e0c264280

SHA1
9cede5d4185b9f170047e70d57c11c648c6db4e2

SHA256
83fb59f6eb313da7edea631fc29b8825ad95cf1914835460a49e1ccbc6fe9327

SHA512
71d3d2de63a2e174e9f1f0ef3ce74e63c6ed652fc1c21e833b0752e1460bd205e2ef87b28591e722dc29c3dc9f5f72a15a23d34a92639668216e9dc14f32b163

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
352KB

MD5
45f7b737104474b7824d04626b11834b

SHA1
24614d75ea98fc673e38f221471fe1c159ef3565

SHA256
76b99c920bc83097df92f6cddade0347d2aaa6a71cb5b328e3107fc6e4a6c6fd

SHA512
a442f861fdbbc7206f636028d8ad364e18d68130b8b841692c32c50352205772b616db530aa44ce084be5a540d78ef26f3bcd3084cb17c2905bbff7bba7fd605

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
352KB

MD5
45f7b737104474b7824d04626b11834b

SHA1
24614d75ea98fc673e38f221471fe1c159ef3565

SHA256
76b99c920bc83097df92f6cddade0347d2aaa6a71cb5b328e3107fc6e4a6c6fd

SHA512
a442f861fdbbc7206f636028d8ad364e18d68130b8b841692c32c50352205772b616db530aa44ce084be5a540d78ef26f3bcd3084cb17c2905bbff7bba7fd605

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
352KB

MD5
45f7b737104474b7824d04626b11834b

SHA1
24614d75ea98fc673e38f221471fe1c159ef3565

SHA256
76b99c920bc83097df92f6cddade0347d2aaa6a71cb5b328e3107fc6e4a6c6fd

SHA512
a442f861fdbbc7206f636028d8ad364e18d68130b8b841692c32c50352205772b616db530aa44ce084be5a540d78ef26f3bcd3084cb17c2905bbff7bba7fd605

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
352KB

MD5
45f7b737104474b7824d04626b11834b

SHA1
24614d75ea98fc673e38f221471fe1c159ef3565

SHA256
76b99c920bc83097df92f6cddade0347d2aaa6a71cb5b328e3107fc6e4a6c6fd

SHA512
a442f861fdbbc7206f636028d8ad364e18d68130b8b841692c32c50352205772b616db530aa44ce084be5a540d78ef26f3bcd3084cb17c2905bbff7bba7fd605

Download Submit
memory/520-65-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/520-66-0x00000000008D0000-0x00000000009AE000-memory.dmp

Filesize
888KB

Download
memory/520-77-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1932-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1932-56-0x0000000005760000-0x000000000583E000-memory.dmp

Filesize
888KB

Download