87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0

Analysis

max time kernel
136s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
Size

1.9MB
MD5

7c39481d6f7a9e6b5d13dcabb8e66a87
SHA1

cd38147395a8b87979c72f32f70f8b87ca81f6d7
SHA256

87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0
SHA512

dfb2f2f7b75ea0e0f020b92062232db45b6e7a53dee149d864b122eeeca9b7cb0d5b5a25e8f9ccd672b428d9da80829079da1498b4bad5451e9b411eeee672ca
SSDEEP

49152:HIbGWn+c26c85uTwbxsN5BhdNxfQ9kp8ijIF+zzA+fJtXRk/aS:H8+c2v85uTwbsx42bIY33tXRk/aS

Score

8^/10

aspackv2 bootkit persistence

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022e4a-133.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e4a-134.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4936	update.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lendsoft.txt	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4776	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
4776	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
4776	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
4776	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
4936	update.exe
4936	update.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 4936	4776	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe	81
PID 4776 wrote to memory of 4936	4776	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe	81
PID 4776 wrote to memory of 4936	4776	87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe	81

C:\Users\Admin\AppData\Local\Temp\87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe
"C:\Users\Admin\AppData\Local\Temp\87dd096b40d0aac83de1b54c276c0606a9934833b28c0cbfbbbc35397a36fae0.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\update.exe
  C:\Users\Admin\AppData\Local\Temp\update.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
352KB

MD5
45f7b737104474b7824d04626b11834b

SHA1
24614d75ea98fc673e38f221471fe1c159ef3565

SHA256
76b99c920bc83097df92f6cddade0347d2aaa6a71cb5b328e3107fc6e4a6c6fd

SHA512
a442f861fdbbc7206f636028d8ad364e18d68130b8b841692c32c50352205772b616db530aa44ce084be5a540d78ef26f3bcd3084cb17c2905bbff7bba7fd605

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
352KB

MD5
45f7b737104474b7824d04626b11834b

SHA1
24614d75ea98fc673e38f221471fe1c159ef3565

SHA256
76b99c920bc83097df92f6cddade0347d2aaa6a71cb5b328e3107fc6e4a6c6fd

SHA512
a442f861fdbbc7206f636028d8ad364e18d68130b8b841692c32c50352205772b616db530aa44ce084be5a540d78ef26f3bcd3084cb17c2905bbff7bba7fd605

Download Submit
C:\Windows\SysWOW64\Lendsoft.txt

Filesize
123B

MD5
89c7be53dfbc503757d0f9d21e5b86b5

SHA1
dad7369bd2faadf8666fe3123e9d57e4ba99f28d

SHA256
5b771a585b7450538ed68d66964f637b76690c53d1f9d7ad67529c6f2f46bc1b

SHA512
e37221d758b92d9be042e9586f1331cc47bb941e68fecf716fc4c5affda8c2c34e8abe0f94cad1311dddaf8613fd4d979e311cd45176c71d257b831000f084d1

Download Submit
memory/4936-132-0x0000000000000000-mapping.dmp

Download
memory/4936-136-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4936-137-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download