70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef

General

Target

70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe
Size

15.4MB
MD5

6d42060d389b5ed0691415239a0b7ab7
SHA1

ec943d471d7aeedf03c0efdd8d211fefaafc661f
SHA256

70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef
SHA512

0706b87723c299cd72d393f1e7ee5d4dfa1953b99986a512a0ba3560f31958c51f1ac575cc38531d8ad56b3033e2b08110ed6607d58d087adb2df8f10c2f78e8
SSDEEP

196608:xGU39Cjd24bhN1rHiTPT82qPsDv57muwx1VXq21fVkQCHmO6C07W6j3mpLPl2my2:FahHSeEbtSR1tklxAPjWpL921RX6cu

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\net_client.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\net_client.exe	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

net_client.exexfplay.exexfplay.tmp

pid process

3192 net_client.exe
1044 xfplay.exe
4696 xfplay.tmp

pid	process
3192	net_client.exe
1044	xfplay.exe
4696	xfplay.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exexfplay.exe

description	pid	process	target process
PID 1036 wrote to memory of 3192	1036	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	net_client.exe
PID 1036 wrote to memory of 3192	1036	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	net_client.exe
PID 1036 wrote to memory of 3192	1036	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	net_client.exe
PID 1036 wrote to memory of 1044	1036	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	xfplay.exe
PID 1036 wrote to memory of 1044	1036	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	xfplay.exe
PID 1036 wrote to memory of 1044	1036	70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe	xfplay.exe
PID 1044 wrote to memory of 4696	1044	xfplay.exe	xfplay.tmp
PID 1044 wrote to memory of 4696	1044	xfplay.exe	xfplay.tmp
PID 1044 wrote to memory of 4696	1044	xfplay.exe	xfplay.tmp

C:\Users\Admin\AppData\Local\Temp\70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe
"C:\Users\Admin\AppData\Local\Temp\70ee3617240d35ee1b2bfdf67a59c5c3f7accd2ac284416acd7afef1af8313ef.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\net_client.exe
"C:\Users\Admin\AppData\Local\Temp\net_client.exe"
2⤵
- Executes dropped EXE
PID:3192

C:\Users\Admin\AppData\Local\Temp\xfplay.exe
"C:\Users\Admin\AppData\Local\Temp\xfplay.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\is-R8QSH.tmp\xfplay.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R8QSH.tmp\xfplay.tmp" /SL5="$A0064,15413541,209920,C:\Users\Admin\AppData\Local\Temp\xfplay.exe"
3⤵
- Executes dropped EXE
PID:4696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-R8QSH.tmp\xfplay.tmp
Filesize
1.2MB

MD5
2867865692da8ce34820ba19aa9383a3

SHA1
8f23a105bca893ee511bf2389018dca875b63fa6

SHA256
403c63c51d343e18762d7cd42239f5ed54022a9fbbc1de3de07fea0d0ba9d077

SHA512
92b25256f13874f3c32fd7ea58d1279c18022de979364bd70b5f90c4438437f86db67822a616904b9ce7ac0eba36f4c9d749a2339f5ff4d2de76ecaec7ea5957

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R8QSH.tmp\xfplay.tmp
Filesize
1.2MB

MD5
2867865692da8ce34820ba19aa9383a3

SHA1
8f23a105bca893ee511bf2389018dca875b63fa6

SHA256
403c63c51d343e18762d7cd42239f5ed54022a9fbbc1de3de07fea0d0ba9d077

SHA512
92b25256f13874f3c32fd7ea58d1279c18022de979364bd70b5f90c4438437f86db67822a616904b9ce7ac0eba36f4c9d749a2339f5ff4d2de76ecaec7ea5957

Download Submit
C:\Users\Admin\AppData\Local\Temp\net_client.exe
Filesize
207KB

MD5
d05bab4eed7e0f4659a18d589613893c

SHA1
2495403145df0b13cbb18d5f7cbe7c4e2799783a

SHA256
30263fc7eb2879ce63b36176701a4799dc5cec2d32fa5b661f6f835258b65881

SHA512
2f7479bfc72d0e0da46d77d1a64649d1c3672352cc78d517025f57fd39c522c8dc07b30008b1b72c260a767b67e628f655fce5c7b17c5fad18ec961321c5a00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\net_client.exe
Filesize
207KB

MD5
d05bab4eed7e0f4659a18d589613893c

SHA1
2495403145df0b13cbb18d5f7cbe7c4e2799783a

SHA256
30263fc7eb2879ce63b36176701a4799dc5cec2d32fa5b661f6f835258b65881

SHA512
2f7479bfc72d0e0da46d77d1a64649d1c3672352cc78d517025f57fd39c522c8dc07b30008b1b72c260a767b67e628f655fce5c7b17c5fad18ec961321c5a00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfplay.exe
Filesize
15.2MB

MD5
0e03ff2ee978190f8501239afd52121d

SHA1
6eaef4ddab34c0a3946ec8e22bbb9b290f3fef26

SHA256
528226265594da1e6a17eff4b1c0667848c93681d37aa0467504e24d862821d3

SHA512
ab114e9a73dc73fc86f240784ed34d9d763dd262fdfee4034ca8e00e910719d85ca5e16488af8f5e26fd4f5572d199da01e8457b35f0e0bc01fb3ce059629d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfplay.exe
Filesize
15.2MB

MD5
0e03ff2ee978190f8501239afd52121d

SHA1
6eaef4ddab34c0a3946ec8e22bbb9b290f3fef26

SHA256
528226265594da1e6a17eff4b1c0667848c93681d37aa0467504e24d862821d3

SHA512
ab114e9a73dc73fc86f240784ed34d9d763dd262fdfee4034ca8e00e910719d85ca5e16488af8f5e26fd4f5572d199da01e8457b35f0e0bc01fb3ce059629d51

Download Submit
memory/1044-151-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1044-146-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1044-143-0x0000000000000000-mapping.dmp

Download
memory/3192-135-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-142-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-141-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-138-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-140-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-139-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-137-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-136-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3192-132-0x0000000000000000-mapping.dmp

Download
memory/3192-152-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4696-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads