078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf

General

Target

078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe
Size

53KB
MD5

a3e04bbed3d52a5489f9c8f008f00abb
SHA1

53fbeab1b307d219a832dffce04ff6766a07123f
SHA256

078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf
SHA512

b9b348c008fc94c01fd27000f2990391a4682b83b865aefe74bdca700ad3d645f458d7ba36cef2d9ecc8d3e3ab2693ca809b85fae21f7c51d9466dbe630deae6
SSDEEP

768:al6Fe6EshVE1xoOhcK4dckK48hbjncEn1VInpUdPYCVkbsnnf5WLs1nNxmha5j:Re1shVEoyp4dg4+7cu1EWdNyswLs1mM

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Windows\SysWOW64\SysAnti.exe	aspack_v212_v242
\Windows\SysWOW64\SysAnti.exe	aspack_v212_v242
C:\Windows\SysWOW64\SysAnti.exe	aspack_v212_v242
C:\Windows\SysWOW64\SysAnti.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

SysAnti.exe

pid process

564 SysAnti.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1528 cmd.exe

pid	process
564	SysAnti.exe

pid	process
1528	cmd.exe

Loads dropped DLL 4 IoCs

Processes:

Rundll32.exe078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exeRundll32.exe

pid	process
1376	Rundll32.exe
1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe
1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe
696	Rundll32.exe

Drops file in System32 directory 3 IoCs

Processes:

078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exeSysAnti.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SysAnti.exe	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe
File created	C:\Windows\SysWOW64\SysAnti.exe	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe
File opened for modification	C:\Windows\SysWOW64\SysAnti.exe	SysAnti.exe

Drops file in Windows directory 6 IoCs

Processes:

Rundll32.exe078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exeRundll32.exeSysAnti.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\jikx.fon	Rundll32.exe
File created	C:\Windows\Fonts\tunsj.fon	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe
File created	C:\Windows\Fonts\uods.fon	Rundll32.exe
File opened for modification	C:\Windows\Fonts\uods.fon	Rundll32.exe
File created	C:\Windows\Fonts\snnfl.fon	SysAnti.exe
File created	C:\Windows\Fonts\jikx.fon	Rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exeSysAnti.exe

pid process

1372 078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe
564 SysAnti.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

464
464

pid	process
1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe
564	SysAnti.exe

pid	process
464
464

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exeRundll32.exeSysAnti.exeRundll32.exe

description	pid	process
Token: SeDebugPrivilege	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe
Token: SeDebugPrivilege	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe
Token: SeDebugPrivilege	1376	Rundll32.exe
Token: SeDebugPrivilege	564	SysAnti.exe
Token: SeDebugPrivilege	564	SysAnti.exe
Token: SeDebugPrivilege	696	Rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exeSysAnti.exe

description	pid	process	target process
PID 1372 wrote to memory of 1376	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	Rundll32.exe
PID 1372 wrote to memory of 1376	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	Rundll32.exe
PID 1372 wrote to memory of 1376	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	Rundll32.exe
PID 1372 wrote to memory of 1376	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	Rundll32.exe
PID 1372 wrote to memory of 1376	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	Rundll32.exe
PID 1372 wrote to memory of 1376	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	Rundll32.exe
PID 1372 wrote to memory of 1376	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	Rundll32.exe
PID 1372 wrote to memory of 564	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	SysAnti.exe
PID 1372 wrote to memory of 564	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	SysAnti.exe
PID 1372 wrote to memory of 564	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	SysAnti.exe
PID 1372 wrote to memory of 564	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	SysAnti.exe
PID 564 wrote to memory of 696	564	SysAnti.exe	Rundll32.exe
PID 564 wrote to memory of 696	564	SysAnti.exe	Rundll32.exe
PID 564 wrote to memory of 696	564	SysAnti.exe	Rundll32.exe
PID 564 wrote to memory of 696	564	SysAnti.exe	Rundll32.exe
PID 564 wrote to memory of 696	564	SysAnti.exe	Rundll32.exe
PID 564 wrote to memory of 696	564	SysAnti.exe	Rundll32.exe
PID 564 wrote to memory of 696	564	SysAnti.exe	Rundll32.exe
PID 564 wrote to memory of 1464	564	SysAnti.exe	cmd.exe
PID 564 wrote to memory of 1464	564	SysAnti.exe	cmd.exe
PID 564 wrote to memory of 1464	564	SysAnti.exe	cmd.exe
PID 564 wrote to memory of 1464	564	SysAnti.exe	cmd.exe
PID 1372 wrote to memory of 1528	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	cmd.exe
PID 1372 wrote to memory of 1528	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	cmd.exe
PID 1372 wrote to memory of 1528	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	cmd.exe
PID 1372 wrote to memory of 1528	1372	078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe
"C:\Users\Admin\AppData\Local\Temp\078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\Rundll32.exe
C:\Windows\System32\Rundll32.exe "C:\Windows\Fonts\tunsj.fon",MyKILLEntry
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\SysAnti.exe
C:\Windows\System32\SysAnti.exe -One
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\Rundll32.exe
C:\Windows\System32\Rundll32.exe "C:\Windows\Fonts\snnfl.fon",MyKILLEntry
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\SysWOW64\cmd.exe
cmd /c erase /F "C:\Windows\SysWOW64\SysAnti.exe" > nul
3⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf.exe" > nul
2⤵
- Deletes itself
PID:1528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\snnfl.fon
Filesize
14KB

MD5
2c0bb5c2c1f4a8ec217fd50867908b57

SHA1
4dd7f870ae7e7833059fd28fb900f3fe38bba64f

SHA256
bd200384b301a0ebccd42f1caa6543957a660f32120a02da3a53c4b9d9773bc4

SHA512
11fb5f717346c244484d8dd651cc9740dc368e1c6cf0efdfb8d91b6ebca6aa059214221e44ab712d6ebff7e605792ac5b38a5d0116f7ee503edcf438fb3c210b

Download Submit
C:\Windows\Fonts\tunsj.fon
Filesize
14KB

MD5
2c0bb5c2c1f4a8ec217fd50867908b57

SHA1
4dd7f870ae7e7833059fd28fb900f3fe38bba64f

SHA256
bd200384b301a0ebccd42f1caa6543957a660f32120a02da3a53c4b9d9773bc4

SHA512
11fb5f717346c244484d8dd651cc9740dc368e1c6cf0efdfb8d91b6ebca6aa059214221e44ab712d6ebff7e605792ac5b38a5d0116f7ee503edcf438fb3c210b

Download Submit
C:\Windows\SysWOW64\SysAnti.exe
Filesize
53KB

MD5
a3e04bbed3d52a5489f9c8f008f00abb

SHA1
53fbeab1b307d219a832dffce04ff6766a07123f

SHA256
078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf

SHA512
b9b348c008fc94c01fd27000f2990391a4682b83b865aefe74bdca700ad3d645f458d7ba36cef2d9ecc8d3e3ab2693ca809b85fae21f7c51d9466dbe630deae6

Download Submit
C:\Windows\SysWOW64\SysAnti.exe
Filesize
53KB

MD5
a3e04bbed3d52a5489f9c8f008f00abb

SHA1
53fbeab1b307d219a832dffce04ff6766a07123f

SHA256
078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf

SHA512
b9b348c008fc94c01fd27000f2990391a4682b83b865aefe74bdca700ad3d645f458d7ba36cef2d9ecc8d3e3ab2693ca809b85fae21f7c51d9466dbe630deae6

Download Submit
\Windows\Fonts\snnfl.fon
Filesize
14KB

MD5
2c0bb5c2c1f4a8ec217fd50867908b57

SHA1
4dd7f870ae7e7833059fd28fb900f3fe38bba64f

SHA256
bd200384b301a0ebccd42f1caa6543957a660f32120a02da3a53c4b9d9773bc4

SHA512
11fb5f717346c244484d8dd651cc9740dc368e1c6cf0efdfb8d91b6ebca6aa059214221e44ab712d6ebff7e605792ac5b38a5d0116f7ee503edcf438fb3c210b

Download Submit
\Windows\Fonts\tunsj.fon
Filesize
14KB

MD5
2c0bb5c2c1f4a8ec217fd50867908b57

SHA1
4dd7f870ae7e7833059fd28fb900f3fe38bba64f

SHA256
bd200384b301a0ebccd42f1caa6543957a660f32120a02da3a53c4b9d9773bc4

SHA512
11fb5f717346c244484d8dd651cc9740dc368e1c6cf0efdfb8d91b6ebca6aa059214221e44ab712d6ebff7e605792ac5b38a5d0116f7ee503edcf438fb3c210b

Download Submit
\Windows\SysWOW64\SysAnti.exe
Filesize
53KB

MD5
a3e04bbed3d52a5489f9c8f008f00abb

SHA1
53fbeab1b307d219a832dffce04ff6766a07123f

SHA256
078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf

SHA512
b9b348c008fc94c01fd27000f2990391a4682b83b865aefe74bdca700ad3d645f458d7ba36cef2d9ecc8d3e3ab2693ca809b85fae21f7c51d9466dbe630deae6

Download Submit
\Windows\SysWOW64\SysAnti.exe
Filesize
53KB

MD5
a3e04bbed3d52a5489f9c8f008f00abb

SHA1
53fbeab1b307d219a832dffce04ff6766a07123f

SHA256
078b88cbf4c1684e3a31cd0eefe589132cfb09560821e33c05e44d9bdd4feecf

SHA512
b9b348c008fc94c01fd27000f2990391a4682b83b865aefe74bdca700ad3d645f458d7ba36cef2d9ecc8d3e3ab2693ca809b85fae21f7c51d9466dbe630deae6

Download Submit
memory/564-65-0x0000000000000000-mapping.dmp

Download
memory/564-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/696-69-0x0000000000000000-mapping.dmp

Download
memory/696-78-0x0000000000160000-0x0000000000179000-memory.dmp

Filesize
100KB

Download
memory/696-76-0x0000000000160000-0x0000000000179000-memory.dmp

Filesize
100KB

Download
memory/1372-72-0x0000000002160000-0x0000000002184000-memory.dmp

Filesize
144KB

Download
memory/1372-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1372-73-0x0000000002160000-0x0000000002184000-memory.dmp

Filesize
144KB

Download
memory/1372-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1372-77-0x0000000002160000-0x0000000002184000-memory.dmp

Filesize
144KB

Download
memory/1372-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1372-81-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1376-60-0x00000000000F0000-0x0000000000109000-memory.dmp

Filesize
100KB

Download
memory/1376-56-0x0000000000000000-mapping.dmp

Download
memory/1376-62-0x00000000000F0000-0x0000000000109000-memory.dmp

Filesize
100KB

Download
memory/1464-79-0x0000000000000000-mapping.dmp

Download
memory/1528-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads