78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17

Analysis

max time kernel
327s
max time network
405s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
Size

276KB
MD5

994262eb5c673e0a26590ed768f4a056
SHA1

821dac1ef772e56657937ae7c77e63d2a855eb49
SHA256

78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17
SHA512

8f1dc270d8eecac7a8c6c302ec96aa284b015eec5b43f514c648728ebe571a41a489ee56facbfec538f04d9e700667cbfadb9968208d0f449a6e38bcf13c557f
SSDEEP

6144:N+a5fF7UysWVDykH3p5HnUufLZIS03jMLOHvXSqqDL6XV0RW1pTqPbrNIQ:N+a5fGpW/XLZIS03jWOHvXnqn6lZmIQ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1776	Logo1_.exe
4408	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4652	ASPLnchr.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AhnLab\ASP\Components\ASPLnchr.exe	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
File opened for modification	C:\Program Files (x86)\AhnLab\ASP\Components\ASPLnchr.exe	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
File created	C:\Windows\Logo1_.exe	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe
1776	Logo1_.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 4640	4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	78
PID 4360 wrote to memory of 4640	4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	78
PID 4360 wrote to memory of 4640	4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	78
PID 4640 wrote to memory of 4752	4640	net.exe	80
PID 4640 wrote to memory of 4752	4640	net.exe	80
PID 4640 wrote to memory of 4752	4640	net.exe	80
PID 4360 wrote to memory of 4020	4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	82
PID 4360 wrote to memory of 4020	4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	82
PID 4360 wrote to memory of 4020	4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	82
PID 4360 wrote to memory of 1776	4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	83
PID 4360 wrote to memory of 1776	4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	83
PID 4360 wrote to memory of 1776	4360	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	83
PID 1776 wrote to memory of 988	1776	Logo1_.exe	85
PID 1776 wrote to memory of 988	1776	Logo1_.exe	85
PID 1776 wrote to memory of 988	1776	Logo1_.exe	85
PID 988 wrote to memory of 4148	988	net.exe	87
PID 988 wrote to memory of 4148	988	net.exe	87
PID 988 wrote to memory of 4148	988	net.exe	87
PID 1776 wrote to memory of 4500	1776	Logo1_.exe	88
PID 1776 wrote to memory of 4500	1776	Logo1_.exe	88
PID 1776 wrote to memory of 4500	1776	Logo1_.exe	88
PID 4500 wrote to memory of 1416	4500	net.exe	90
PID 4500 wrote to memory of 1416	4500	net.exe	90
PID 4500 wrote to memory of 1416	4500	net.exe	90
PID 1776 wrote to memory of 676	1776	Logo1_.exe	32
PID 1776 wrote to memory of 676	1776	Logo1_.exe	32
PID 4020 wrote to memory of 4408	4020	cmd.exe	91
PID 4020 wrote to memory of 4408	4020	cmd.exe	91
PID 4020 wrote to memory of 4408	4020	cmd.exe	91
PID 4408 wrote to memory of 4652	4408	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	92
PID 4408 wrote to memory of 4652	4408	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	92
PID 4408 wrote to memory of 4652	4408	78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:676
- C:\Users\Admin\AppData\Local\Temp\78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
  "C:\Users\Admin\AppData\Local\Temp\78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a16C1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe
      "C:\Users\Admin\AppData\Local\Temp\78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Program Files (x86)\AhnLab\ASP\Components\ASPLnchr.exe
        
        "C:\Program Files (x86)\AhnLab\ASP\Components\ASPLnchr.exe"
        5⤵
        Executes dropped EXE
        
        PID:4652
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4148
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AhnLab\ASP\Components\ASPLnchr.exe

Filesize
242KB

MD5
e9875335576ffd748985beb5f8265869

SHA1
811db75e754e18626650aa5f669afdd0e6c93209

SHA256
31c31f31a21d2eb2c040ea93fbe9bf79b730d7c740a8925e78bf2357d585359c

SHA512
d4d0c954489dc1f77eef0a655701df94751b67d7e06eb5e4885558a28d47bced17ec8c92a26bc831066052e3b53681c475d52de8e42f6efd61b47a891d540c4f

Download Submit
C:\Program Files (x86)\AhnLab\ASP\Components\ASPLnchr.exe

Filesize
242KB

MD5
e9875335576ffd748985beb5f8265869

SHA1
811db75e754e18626650aa5f669afdd0e6c93209

SHA256
31c31f31a21d2eb2c040ea93fbe9bf79b730d7c740a8925e78bf2357d585359c

SHA512
d4d0c954489dc1f77eef0a655701df94751b67d7e06eb5e4885558a28d47bced17ec8c92a26bc831066052e3b53681c475d52de8e42f6efd61b47a891d540c4f

Download Submit
C:\Users\Admin\AppData\LocalLow\AhnLab\ASP\Smart Update i\ASPLnchr.log

Filesize
1KB

MD5
fe52b81b441ec1096d52a07cd7321d9a

SHA1
a060e62baa618117a3f0b5794037624131f41618

SHA256
02031941d959cd03932e0074ebf23695117a1279b9a8ef973aa90cb54b64c9a3

SHA512
f61c4e03d9becc43f33916289aaf1bddbb5bb24b6834d7a141306ce9f1346876fd94e7663437afe7a8616e095b02d62fc99c8736de34446751f8b84b4ccee5fd

Download Submit
C:\Users\Admin\AppData\LocalLow\AhnLab\ASP\Smart Update i\ASPLnchr.log

Filesize
1KB

MD5
fe52b81b441ec1096d52a07cd7321d9a

SHA1
a060e62baa618117a3f0b5794037624131f41618

SHA256
02031941d959cd03932e0074ebf23695117a1279b9a8ef973aa90cb54b64c9a3

SHA512
f61c4e03d9becc43f33916289aaf1bddbb5bb24b6834d7a141306ce9f1346876fd94e7663437afe7a8616e095b02d62fc99c8736de34446751f8b84b4ccee5fd

Download Submit
C:\Users\Admin\AppData\LocalLow\AhnLab\ASP\Smart Update i\ASPLnchr.log

Filesize
1KB

MD5
fe52b81b441ec1096d52a07cd7321d9a

SHA1
a060e62baa618117a3f0b5794037624131f41618

SHA256
02031941d959cd03932e0074ebf23695117a1279b9a8ef973aa90cb54b64c9a3

SHA512
f61c4e03d9becc43f33916289aaf1bddbb5bb24b6834d7a141306ce9f1346876fd94e7663437afe7a8616e095b02d62fc99c8736de34446751f8b84b4ccee5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a16C1.bat

Filesize
722B

MD5
f0824294180ee3d2e97dfe5f7bc5c937

SHA1
9d162c70cbc4460c9d0ac04508e9d15b3e3de6dc

SHA256
c273d9846f0c55cc829ad982f89766cd3f780cf5be4933bb2963d43e73a12b7a

SHA512
3fb20f654dadf3bd2c0b95170ae1839f4f1ed0eea2d96fbb3c910cb5f2651cd23cd1bb2657694319816fdd838716c10ef0bb90d999a8639ec73f3798b5a020c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe

Filesize
242KB

MD5
e9875335576ffd748985beb5f8265869

SHA1
811db75e754e18626650aa5f669afdd0e6c93209

SHA256
31c31f31a21d2eb2c040ea93fbe9bf79b730d7c740a8925e78bf2357d585359c

SHA512
d4d0c954489dc1f77eef0a655701df94751b67d7e06eb5e4885558a28d47bced17ec8c92a26bc831066052e3b53681c475d52de8e42f6efd61b47a891d540c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\78ef00d4e042d1cce4af5899c4dd809f38ff7f339a09225c28d7e69109144e17.exe.exe

Filesize
242KB

MD5
e9875335576ffd748985beb5f8265869

SHA1
811db75e754e18626650aa5f669afdd0e6c93209

SHA256
31c31f31a21d2eb2c040ea93fbe9bf79b730d7c740a8925e78bf2357d585359c

SHA512
d4d0c954489dc1f77eef0a655701df94751b67d7e06eb5e4885558a28d47bced17ec8c92a26bc831066052e3b53681c475d52de8e42f6efd61b47a891d540c4f

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
4f3f8a9a1d95970e2a1bc5aff47c94aa

SHA1
f2d6345c7091461352b3211a9fa64851d7f42739

SHA256
a033b08532305a759d95823863e33714b27da4c6729a9bad3faaafb68919b0e0

SHA512
36d75ebd7bde30ad5c25ac2c286feed9d3fb5556bcc356800debced5d5c961ee2aaaeb3b5e97a1244132dc8537bdec36feb86d15dfd5b8359cff599d9646ccd4

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
4f3f8a9a1d95970e2a1bc5aff47c94aa

SHA1
f2d6345c7091461352b3211a9fa64851d7f42739

SHA256
a033b08532305a759d95823863e33714b27da4c6729a9bad3faaafb68919b0e0

SHA512
36d75ebd7bde30ad5c25ac2c286feed9d3fb5556bcc356800debced5d5c961ee2aaaeb3b5e97a1244132dc8537bdec36feb86d15dfd5b8359cff599d9646ccd4

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
4f3f8a9a1d95970e2a1bc5aff47c94aa

SHA1
f2d6345c7091461352b3211a9fa64851d7f42739

SHA256
a033b08532305a759d95823863e33714b27da4c6729a9bad3faaafb68919b0e0

SHA512
36d75ebd7bde30ad5c25ac2c286feed9d3fb5556bcc356800debced5d5c961ee2aaaeb3b5e97a1244132dc8537bdec36feb86d15dfd5b8359cff599d9646ccd4

Download Submit
memory/1776-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1776-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4360-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4360-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download