bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exe
Size

5.1MB
MD5

24f50b04771abd5acb21d3c7e895595f
SHA1

e9b1d7429a399cf40a4280d742becae2fd2cad8c
SHA256

bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c
SHA512

f89ace9168be202da4f50c2c9d8d784d3d6dfa3dc2a8a50c1b709421116bfe93f9564b982288fb801c90ba251a659dbf37455485d1f77d066eb2e1af59c3ed98
SSDEEP

98304:eSqj0iqMNjm/sQDu6/oG5I7dbDNuajw9f91BJNkkVmzIr:eS+pQD2+EdbDbjCBNpr

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\client.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\client.exe	aspack_v212_v242
C:\Windows\SysWOW64\svohost.exe	aspack_v212_v242
C:\Windows\SysWOW64\svohost.exe	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 4 IoCs

Processes:

player.execlient.exeplayer.tmpsvohost.exe

pid process

5012 player.exe
4960 client.exe
4904 player.tmp
440 svohost.exe

pid	process
5012	player.exe
4960	client.exe
4904	player.tmp
440	svohost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exe

Drops file in System32 directory 6 IoCs

Processes:

client.exesvohost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\s_svost.ini	client.exe
File created	C:\Windows\SysWOW64\svohost.exe	client.exe
File opened for modification	C:\Windows\SysWOW64\svohost.exe	client.exe
File created	C:\Windows\SysWOW64\svohost.txt	client.exe
File opened for modification	C:\Windows\SysWOW64\svohost.txt	svohost.exe
File opened for modification	C:\Windows\SysWOW64\s_svost.ini	svohost.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

736 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

pid	process
736	sc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exeplayer.execlient.exenet.exe

description	pid	process	target process
PID 2400 wrote to memory of 5012	2400	bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exe	player.exe
PID 2400 wrote to memory of 5012	2400	bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exe	player.exe
PID 2400 wrote to memory of 5012	2400	bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exe	player.exe
PID 2400 wrote to memory of 4960	2400	bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exe	client.exe
PID 2400 wrote to memory of 4960	2400	bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exe	client.exe
PID 2400 wrote to memory of 4960	2400	bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exe	client.exe
PID 5012 wrote to memory of 4904	5012	player.exe	player.tmp
PID 5012 wrote to memory of 4904	5012	player.exe	player.tmp
PID 5012 wrote to memory of 4904	5012	player.exe	player.tmp
PID 4960 wrote to memory of 736	4960	client.exe	sc.exe
PID 4960 wrote to memory of 736	4960	client.exe	sc.exe
PID 4960 wrote to memory of 736	4960	client.exe	sc.exe
PID 4960 wrote to memory of 4444	4960	client.exe	net.exe
PID 4960 wrote to memory of 4444	4960	client.exe	net.exe
PID 4960 wrote to memory of 4444	4960	client.exe	net.exe
PID 4444 wrote to memory of 2860	4444	net.exe	net1.exe
PID 4444 wrote to memory of 2860	4444	net.exe	net1.exe
PID 4444 wrote to memory of 2860	4444	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exe
"C:\Users\Admin\AppData\Local\Temp\bee03bc05372ef7c1ed5db7609f6f6478c5409a895c9c06815e49ff6e5dedb4c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\player.exe
"C:\Users\Admin\AppData\Local\Temp\player.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\is-0QH3V.tmp\player.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0QH3V.tmp\player.tmp" /SL5="$90062,4766696,78336,C:\Users\Admin\AppData\Local\Temp\player.exe"
3⤵
- Executes dropped EXE
PID:4904

C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\sc.exe
sc.exe create svohost binpath= "C:\Windows\system32\svohost.exe internal_start" DisplayName= svohost start= auto
3⤵
- Launches sc.exe
PID:736

C:\Windows\SysWOW64\net.exe
net start svohost
3⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start svohost
4⤵
PID:2860

C:\Windows\SysWOW64\svohost.exe
C:\Windows\SysWOW64\svohost.exe internal_start
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\client.exe
Filesize
355KB

MD5
635091785cedb895be32f9f8f47f86e2

SHA1
d850e157dc2e9e37449e9a825a99240bd0d56a4a

SHA256
7ced369e6003ada01c674fa5aa2f56d5cd6d08d85e351af9c8d3352f5884b8d3

SHA512
6d0c2cb1504954af0b19d5664601427462ef5c221f8aadac72ed9db366426006fa3958aafb3e6b451ec4d550bc9c6f8c0dd22c4dd68e133ee26eebe5de04c842

Download Submit
C:\Users\Admin\AppData\Local\Temp\client.exe
Filesize
355KB

MD5
635091785cedb895be32f9f8f47f86e2

SHA1
d850e157dc2e9e37449e9a825a99240bd0d56a4a

SHA256
7ced369e6003ada01c674fa5aa2f56d5cd6d08d85e351af9c8d3352f5884b8d3

SHA512
6d0c2cb1504954af0b19d5664601427462ef5c221f8aadac72ed9db366426006fa3958aafb3e6b451ec4d550bc9c6f8c0dd22c4dd68e133ee26eebe5de04c842

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0QH3V.tmp\player.tmp
Filesize
725KB

MD5
84ff6c3d5d724babe0e5d2a750ae9905

SHA1
61820b938fc6ecafec092bfb698735142a5d5e9a

SHA256
9b6d2904239f60398d1fb6735387ab81311dfe2d24a1ecd95fa805f46b328057

SHA512
548fcc1676eed26647f3a4ebe4f2af0e5b681140351422527a9eeb87c4e41591e667ce03d5c6784121f4d653811bda93ff90f1f5e0120ec45f7e92af0b219c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0QH3V.tmp\player.tmp
Filesize
725KB

MD5
84ff6c3d5d724babe0e5d2a750ae9905

SHA1
61820b938fc6ecafec092bfb698735142a5d5e9a

SHA256
9b6d2904239f60398d1fb6735387ab81311dfe2d24a1ecd95fa805f46b328057

SHA512
548fcc1676eed26647f3a4ebe4f2af0e5b681140351422527a9eeb87c4e41591e667ce03d5c6784121f4d653811bda93ff90f1f5e0120ec45f7e92af0b219c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\player.exe
Filesize
4.8MB

MD5
cacba2a9d0099583c7c402e121318a47

SHA1
316548a0c6fa059cb0455ac2e3cc08413313733a

SHA256
860351e5e9176ba6bf81e8f40bd7829e0cba8b569de54ecbc75582abe18862be

SHA512
93f966bd075b3d3acf5a26159b69d21eaeb37988782df7f4d488b85600f4c2e751e5604ba71a421b973e2e71bbf31f7f1fc66206ea977794f9095bd620c4e8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\player.exe
Filesize
4.8MB

MD5
cacba2a9d0099583c7c402e121318a47

SHA1
316548a0c6fa059cb0455ac2e3cc08413313733a

SHA256
860351e5e9176ba6bf81e8f40bd7829e0cba8b569de54ecbc75582abe18862be

SHA512
93f966bd075b3d3acf5a26159b69d21eaeb37988782df7f4d488b85600f4c2e751e5604ba71a421b973e2e71bbf31f7f1fc66206ea977794f9095bd620c4e8ba

Download Submit
C:\Windows\SysWOW64\s_svost.ini
Filesize
11B

MD5
f4338843d79c55ada1a9944016c7af32

SHA1
7f788caeac507878ac8e4db85d74b5e16e736f3a

SHA256
70062e503a19e939ec15122abbb81bbffc074c3e1ab6a603c22e01d5c8b6771b

SHA512
2ecaebf09a4735dd524c668770dfcd47344d95dd5852c7226aa2ac696c94f8a1773c10197ec57ceca8ba5ef2718142338d93e298c721a58899743b4c46623917

Download Submit
C:\Windows\SysWOW64\svohost.exe
Filesize
355KB

MD5
635091785cedb895be32f9f8f47f86e2

SHA1
d850e157dc2e9e37449e9a825a99240bd0d56a4a

SHA256
7ced369e6003ada01c674fa5aa2f56d5cd6d08d85e351af9c8d3352f5884b8d3

SHA512
6d0c2cb1504954af0b19d5664601427462ef5c221f8aadac72ed9db366426006fa3958aafb3e6b451ec4d550bc9c6f8c0dd22c4dd68e133ee26eebe5de04c842

Download Submit
C:\Windows\SysWOW64\svohost.exe
Filesize
355KB

MD5
635091785cedb895be32f9f8f47f86e2

SHA1
d850e157dc2e9e37449e9a825a99240bd0d56a4a

SHA256
7ced369e6003ada01c674fa5aa2f56d5cd6d08d85e351af9c8d3352f5884b8d3

SHA512
6d0c2cb1504954af0b19d5664601427462ef5c221f8aadac72ed9db366426006fa3958aafb3e6b451ec4d550bc9c6f8c0dd22c4dd68e133ee26eebe5de04c842

Download Submit
C:\Windows\SysWOW64\svohost.txt
Filesize
45B

MD5
440b2c92cd9c4b7037c74b9bead264b3

SHA1
bfe96981bbcbae5bd94ae20a60545c7932899df8

SHA256
1688cea0c4e9c182925c5b677eeacbb17bc1d4fd81dbe1123c79dc2b46017768

SHA512
1e59390125c50bbca9c3ee34187e7f5d7c8e044965af563d2d89012605db3ade0743dd6432b10f6b35fceb13eae31d5cb8b313d881066d7a83de509cedf3b2ea

Download Submit
memory/440-161-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/440-164-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/440-159-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/440-160-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/440-158-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/440-157-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/440-156-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/440-166-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/736-150-0x0000000000000000-mapping.dmp

Download
memory/2860-153-0x0000000000000000-mapping.dmp

Download
memory/4444-152-0x0000000000000000-mapping.dmp

Download
memory/4904-141-0x0000000000000000-mapping.dmp

Download
memory/4960-147-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4960-148-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4960-151-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4960-143-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4960-146-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4960-142-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4960-136-0x0000000000000000-mapping.dmp

Download
memory/4960-165-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4960-140-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5012-132-0x0000000000000000-mapping.dmp

Download
memory/5012-149-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5012-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download