f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e

General

Target

f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe
Size

631KB
MD5

4358bb63469e9e205ef72aba86120e40
SHA1

7f11f731388196803b361af76d507d8139024d2d
SHA256

f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e
SHA512

1925a37d6ef8964e2a00d5cee397255340b1e31ed69c904e6bc29f80887febe94fef43c9c7d25a20cad0a823a479628c7b8e59ad6e955e9e3cf7eb7fe6c8526b
SSDEEP

12288:Ak86ojENhJ9KCJnxnm/HF3Z4mxx+nUqGGGkYThd5UcOCk:bVojENscBm/HQmXaUVGGk6PrOh

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\smlogsvc.exe	aspack_v212_v242
C:\Windows\SysWOW64\smlogsvc.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

smlogsvc.exe

pid process

860 smlogsvc.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

896 cmd.exe

pid	process
860	smlogsvc.exe

pid	process
896	cmd.exe

Drops file in System32 directory 5 IoCs

Processes:

f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exesmlogsvc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\smlogsvc.exe	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe
File opened for modification	C:\Windows\SysWOW64\smlogsvc.exe	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	smlogsvc.exe
File opened for modification	C:\Windows\SysWOW64\smlogsvc.exe	smlogsvc.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe

Drops file in Windows directory 1 IoCs

Processes:

f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe

description ioc process

File created C:\Windows\uninstal.bat f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe

description	ioc	process
File created	C:\Windows\uninstal.bat	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exesmlogsvc.exe

description	pid	process
Token: SeDebugPrivilege	1832	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe
Token: SeDebugPrivilege	860	smlogsvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe

description	pid	process	target process
PID 1832 wrote to memory of 896	1832	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe	cmd.exe
PID 1832 wrote to memory of 896	1832	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe	cmd.exe
PID 1832 wrote to memory of 896	1832	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe	cmd.exe
PID 1832 wrote to memory of 896	1832	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe	cmd.exe
PID 1832 wrote to memory of 896	1832	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe	cmd.exe
PID 1832 wrote to memory of 896	1832	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe	cmd.exe
PID 1832 wrote to memory of 896	1832	f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe
"C:\Users\Admin\AppData\Local\Temp\f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\uninstal.bat
2⤵
- Deletes itself
PID:896

C:\Windows\SysWOW64\smlogsvc.exe
C:\Windows\SysWOW64\smlogsvc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\smlogsvc.exe

Filesize
631KB

MD5
4358bb63469e9e205ef72aba86120e40

SHA1
7f11f731388196803b361af76d507d8139024d2d

SHA256
f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e

SHA512
1925a37d6ef8964e2a00d5cee397255340b1e31ed69c904e6bc29f80887febe94fef43c9c7d25a20cad0a823a479628c7b8e59ad6e955e9e3cf7eb7fe6c8526b

Download Submit
C:\Windows\SysWOW64\smlogsvc.exe

Filesize
631KB

MD5
4358bb63469e9e205ef72aba86120e40

SHA1
7f11f731388196803b361af76d507d8139024d2d

SHA256
f3d00b85306e0a16238e2a47f09683d7771a3177662231dab2268e77d363ac9e

SHA512
1925a37d6ef8964e2a00d5cee397255340b1e31ed69c904e6bc29f80887febe94fef43c9c7d25a20cad0a823a479628c7b8e59ad6e955e9e3cf7eb7fe6c8526b

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
6cea32472deba9de9126ab9ad5fec2c5

SHA1
8bab7b8b3f93ca0dc91ddef49ce56a8f976a5f49

SHA256
5fe582ad86eab9de5d152e20617a605149168d33ed3bbc17c4bf7b09820c9047

SHA512
c812a946bf9a68909aa09f8e8b33bb8585d2c33b3cbaf423ae5487c0f881c2183cbfbafb49e278eabf18b22cca91382195ba0e2cc536988c82f13364b5ac32a6

Download Submit
memory/860-65-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/860-63-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/896-66-0x0000000000000000-mapping.dmp

Download
memory/1832-56-0x0000000001D20000-0x0000000001D74000-memory.dmp

Filesize
336KB

Download
memory/1832-60-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/1832-59-0x0000000001D20000-0x0000000001D74000-memory.dmp

Filesize
336KB

Download
memory/1832-58-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/1832-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1832-57-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/1832-67-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/1832-68-0x0000000001D20000-0x0000000001D74000-memory.dmp

Filesize
336KB

Download
memory/1832-55-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads