70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef

Analysis

max time kernel
170s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe
Size

15.4MB
MD5

6d42060d389b5ed0691415239a0b7ab7
SHA1

ec943d471d7aeedf03c0efdd8d211fefaafc661f
SHA256

70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef
SHA512

0706b87723c299cd72d393f1e7ee5d4dfa1953b99986a512a0ba3560f31958c51f1ac575cc38531d8ad56b3033e2b08110ed6607d58d087adb2df8f10c2f78e8
SSDEEP

196608:xGU39Cjd24bhN1rHiTPT82qPsDv57muwx1VXq21fVkQCHmO6C07W6j3mpLPl2my2:FahHSeEbtSR1tklxAPjWpL921RX6cu

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\net_client.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\net_client.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\net_client.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\net_client.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\net_client.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\net_client.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\net_client.exe	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

net_client.exexfplay.exexfplay.tmp

pid process

1488 net_client.exe
628 xfplay.exe
1012 xfplay.tmp

pid	process
1488	net_client.exe
628	xfplay.exe
1012	xfplay.tmp

Loads dropped DLL 11 IoCs

Processes:

70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exenet_client.exexfplay.exexfplay.tmp

pid	process
1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe
1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe
1488	net_client.exe
1488	net_client.exe
1488	net_client.exe
1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe
628	xfplay.exe
628	xfplay.exe
628	xfplay.exe
1012	xfplay.tmp
1012	xfplay.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exexfplay.exe

description	pid	process	target process
PID 1844 wrote to memory of 1488	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	net_client.exe
PID 1844 wrote to memory of 1488	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	net_client.exe
PID 1844 wrote to memory of 1488	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	net_client.exe
PID 1844 wrote to memory of 1488	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	net_client.exe
PID 1844 wrote to memory of 1488	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	net_client.exe
PID 1844 wrote to memory of 1488	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	net_client.exe
PID 1844 wrote to memory of 1488	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	net_client.exe
PID 1844 wrote to memory of 628	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	xfplay.exe
PID 1844 wrote to memory of 628	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	xfplay.exe
PID 1844 wrote to memory of 628	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	xfplay.exe
PID 1844 wrote to memory of 628	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	xfplay.exe
PID 1844 wrote to memory of 628	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	xfplay.exe
PID 1844 wrote to memory of 628	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	xfplay.exe
PID 1844 wrote to memory of 628	1844	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	xfplay.exe
PID 628 wrote to memory of 1012	628	xfplay.exe	xfplay.tmp
PID 628 wrote to memory of 1012	628	xfplay.exe	xfplay.tmp
PID 628 wrote to memory of 1012	628	xfplay.exe	xfplay.tmp
PID 628 wrote to memory of 1012	628	xfplay.exe	xfplay.tmp
PID 628 wrote to memory of 1012	628	xfplay.exe	xfplay.tmp
PID 628 wrote to memory of 1012	628	xfplay.exe	xfplay.tmp
PID 628 wrote to memory of 1012	628	xfplay.exe	xfplay.tmp

C:\Users\Admin\AppData\Local\Temp\70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe
"C:\Users\Admin\AppData\Local\Temp\70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\net_client.exe
"C:\Users\Admin\AppData\Local\Temp\net_client.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488

C:\Users\Admin\AppData\Local\Temp\xfplay.exe
"C:\Users\Admin\AppData\Local\Temp\xfplay.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\is-817O3.tmp\xfplay.tmp
"C:\Users\Admin\AppData\Local\Temp\is-817O3.tmp\xfplay.tmp" /SL5="$70124,15413541,209920,C:\Users\Admin\AppData\Local\Temp\xfplay.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-817O3.tmp\xfplay.tmp

Filesize
1.2MB

MD5
2867865692da8ce34820ba19aa9383a3

SHA1
8f23a105bca893ee511bf2389018dca875b63fa6

SHA256
403c63c51d343e18762d7cd42239f5ed54022a9fbbc1de3de07fea0d0ba9d077

SHA512
92b25256f13874f3c32fd7ea58d1279c18022de979364bd70b5f90c4438437f86db67822a616904b9ce7ac0eba36f4c9d749a2339f5ff4d2de76ecaec7ea5957

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-817O3.tmp\xfplay.tmp

Filesize
1.2MB

MD5
2867865692da8ce34820ba19aa9383a3

SHA1
8f23a105bca893ee511bf2389018dca875b63fa6

SHA256
403c63c51d343e18762d7cd42239f5ed54022a9fbbc1de3de07fea0d0ba9d077

SHA512
92b25256f13874f3c32fd7ea58d1279c18022de979364bd70b5f90c4438437f86db67822a616904b9ce7ac0eba36f4c9d749a2339f5ff4d2de76ecaec7ea5957

Download Submit
C:\Users\Admin\AppData\Local\Temp\net_client.exe

Filesize
207KB

MD5
d05bab4eed7e0f4659a18d589613893c

SHA1
2495403145df0b13cbb18d5f7cbe7c4e2799783a

SHA256
30263fc7eb2879ce63b36176701a4799dc5cec2d32fa5b661f6f835258b65881

SHA512
2f7479bfc72d0e0da46d77d1a64649d1c3672352cc78d517025f57fd39c522c8dc07b30008b1b72c260a767b67e628f655fce5c7b17c5fad18ec961321c5a00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\net_client.exe

Filesize
207KB

MD5
d05bab4eed7e0f4659a18d589613893c

SHA1
2495403145df0b13cbb18d5f7cbe7c4e2799783a

SHA256
30263fc7eb2879ce63b36176701a4799dc5cec2d32fa5b661f6f835258b65881

SHA512
2f7479bfc72d0e0da46d77d1a64649d1c3672352cc78d517025f57fd39c522c8dc07b30008b1b72c260a767b67e628f655fce5c7b17c5fad18ec961321c5a00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfplay.exe

Filesize
15.2MB

MD5
0e03ff2ee978190f8501239afd52121d

SHA1
6eaef4ddab34c0a3946ec8e22bbb9b290f3fef26

SHA256
528226265594da1e6a17eff4b1c0667848c93681d37aa0467504e24d862821d3

SHA512
ab114e9a73dc73fc86f240784ed34d9d763dd262fdfee4034ca8e00e910719d85ca5e16488af8f5e26fd4f5572d199da01e8457b35f0e0bc01fb3ce059629d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfplay.exe

Filesize
15.2MB

MD5
0e03ff2ee978190f8501239afd52121d

SHA1
6eaef4ddab34c0a3946ec8e22bbb9b290f3fef26

SHA256
528226265594da1e6a17eff4b1c0667848c93681d37aa0467504e24d862821d3

SHA512
ab114e9a73dc73fc86f240784ed34d9d763dd262fdfee4034ca8e00e910719d85ca5e16488af8f5e26fd4f5572d199da01e8457b35f0e0bc01fb3ce059629d51

Download Submit
\Users\Admin\AppData\Local\Temp\is-1F2E9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-1F2E9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-817O3.tmp\xfplay.tmp

Filesize
1.2MB

MD5
2867865692da8ce34820ba19aa9383a3

SHA1
8f23a105bca893ee511bf2389018dca875b63fa6

SHA256
403c63c51d343e18762d7cd42239f5ed54022a9fbbc1de3de07fea0d0ba9d077

SHA512
92b25256f13874f3c32fd7ea58d1279c18022de979364bd70b5f90c4438437f86db67822a616904b9ce7ac0eba36f4c9d749a2339f5ff4d2de76ecaec7ea5957

Download Submit
\Users\Admin\AppData\Local\Temp\net_client.exe

Filesize
207KB

MD5
d05bab4eed7e0f4659a18d589613893c

SHA1
2495403145df0b13cbb18d5f7cbe7c4e2799783a

SHA256
30263fc7eb2879ce63b36176701a4799dc5cec2d32fa5b661f6f835258b65881

SHA512
2f7479bfc72d0e0da46d77d1a64649d1c3672352cc78d517025f57fd39c522c8dc07b30008b1b72c260a767b67e628f655fce5c7b17c5fad18ec961321c5a00e

Download Submit
\Users\Admin\AppData\Local\Temp\net_client.exe

Filesize
207KB

MD5
d05bab4eed7e0f4659a18d589613893c

SHA1
2495403145df0b13cbb18d5f7cbe7c4e2799783a

SHA256
30263fc7eb2879ce63b36176701a4799dc5cec2d32fa5b661f6f835258b65881

SHA512
2f7479bfc72d0e0da46d77d1a64649d1c3672352cc78d517025f57fd39c522c8dc07b30008b1b72c260a767b67e628f655fce5c7b17c5fad18ec961321c5a00e

Download Submit
\Users\Admin\AppData\Local\Temp\net_client.exe

Filesize
207KB

MD5
d05bab4eed7e0f4659a18d589613893c

SHA1
2495403145df0b13cbb18d5f7cbe7c4e2799783a

SHA256
30263fc7eb2879ce63b36176701a4799dc5cec2d32fa5b661f6f835258b65881

SHA512
2f7479bfc72d0e0da46d77d1a64649d1c3672352cc78d517025f57fd39c522c8dc07b30008b1b72c260a767b67e628f655fce5c7b17c5fad18ec961321c5a00e

Download Submit
\Users\Admin\AppData\Local\Temp\net_client.exe

Filesize
207KB

MD5
d05bab4eed7e0f4659a18d589613893c

SHA1
2495403145df0b13cbb18d5f7cbe7c4e2799783a

SHA256
30263fc7eb2879ce63b36176701a4799dc5cec2d32fa5b661f6f835258b65881

SHA512
2f7479bfc72d0e0da46d77d1a64649d1c3672352cc78d517025f57fd39c522c8dc07b30008b1b72c260a767b67e628f655fce5c7b17c5fad18ec961321c5a00e

Download Submit
\Users\Admin\AppData\Local\Temp\net_client.exe

Filesize
207KB

MD5
d05bab4eed7e0f4659a18d589613893c

SHA1
2495403145df0b13cbb18d5f7cbe7c4e2799783a

SHA256
30263fc7eb2879ce63b36176701a4799dc5cec2d32fa5b661f6f835258b65881

SHA512
2f7479bfc72d0e0da46d77d1a64649d1c3672352cc78d517025f57fd39c522c8dc07b30008b1b72c260a767b67e628f655fce5c7b17c5fad18ec961321c5a00e

Download Submit
\Users\Admin\AppData\Local\Temp\xfplay.exe

Filesize
15.2MB

MD5
0e03ff2ee978190f8501239afd52121d

SHA1
6eaef4ddab34c0a3946ec8e22bbb9b290f3fef26

SHA256
528226265594da1e6a17eff4b1c0667848c93681d37aa0467504e24d862821d3

SHA512
ab114e9a73dc73fc86f240784ed34d9d763dd262fdfee4034ca8e00e910719d85ca5e16488af8f5e26fd4f5572d199da01e8457b35f0e0bc01fb3ce059629d51

Download Submit
\Users\Admin\AppData\Local\Temp\xfplay.exe

Filesize
15.2MB

MD5
0e03ff2ee978190f8501239afd52121d

SHA1
6eaef4ddab34c0a3946ec8e22bbb9b290f3fef26

SHA256
528226265594da1e6a17eff4b1c0667848c93681d37aa0467504e24d862821d3

SHA512
ab114e9a73dc73fc86f240784ed34d9d763dd262fdfee4034ca8e00e910719d85ca5e16488af8f5e26fd4f5572d199da01e8457b35f0e0bc01fb3ce059629d51

Download Submit
\Users\Admin\AppData\Local\Temp\xfplay.exe

Filesize
15.2MB

MD5
0e03ff2ee978190f8501239afd52121d

SHA1
6eaef4ddab34c0a3946ec8e22bbb9b290f3fef26

SHA256
528226265594da1e6a17eff4b1c0667848c93681d37aa0467504e24d862821d3

SHA512
ab114e9a73dc73fc86f240784ed34d9d763dd262fdfee4034ca8e00e910719d85ca5e16488af8f5e26fd4f5572d199da01e8457b35f0e0bc01fb3ce059629d51

Download Submit
memory/628-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/628-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/628-73-0x0000000000000000-mapping.dmp

Download
memory/1012-82-0x0000000000000000-mapping.dmp

Download
memory/1488-70-0x00000000008E0000-0x0000000000951000-memory.dmp

Filesize
452KB

Download
memory/1488-69-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-65-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-72-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-64-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-57-0x0000000000000000-mapping.dmp

Download
memory/1488-68-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-89-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1844-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download