acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4

General

Target

acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe
Size

401KB
MD5

7a29ddb2f7d7143a99315341ad435430
SHA1

daa15b09037d433b02ea7892cdb6f85546da6f4e
SHA256

acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4
SHA512

c59086730e4b05e90fdd4fb8cffcd9e97516c8291246fd5a40e95e1ddc82a0c19f3fb1e6f37650bef0f84cb6c2dd5491772c829f9bd34ef772dd2f62323e58c2
SSDEEP

6144:AxRJ8ZktkaYRPeaHUNsS/WBlFz1yplKBVr82zjLQ1dJ6cg8CXqa+hpvdlXT+aC:4RaZqkaYZlplGpMn84cg8mqtjT+j

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000400000001da42-136.dat	aspack_v212_v242
behavioral2/files/0x000400000001da42-135.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
3284	sruealse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\MeSkin\acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.txt	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe
File created	C:\Program Files\MeSkin\sruealse.exe	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe
File opened for modification	C:\Program Files\MeSkin\sruealse.exenet	sruealse.exe
File opened for modification	C:\Program Files\MeSkin\sruealse.ldb	sruealse.exe
File created	C:\Program Files\MeSkin\sruealse.chm	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe
File created	C:\Program Files\MeSkin\sruealse0.txt	sruealse.exe
File created	C:\Program Files\MeSkin\sruealse.exenet	sruealse.exe
File created	C:\Program Files\MeSkin\sruealse.exe_b	sruealse.exe
File opened for modification	C:\Program Files\MeSkin\sruealse.exe_b	sruealse.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\win32.btl	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 4796	2588	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe	81
PID 2588 wrote to memory of 4796	2588	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe	81
PID 2588 wrote to memory of 4796	2588	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe	81
PID 2588 wrote to memory of 3284	2588	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe	82
PID 2588 wrote to memory of 3284	2588	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe	82
PID 2588 wrote to memory of 3284	2588	acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe	82

C:\Users\Admin\AppData\Local\Temp\acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe
"C:\Users\Admin\AppData\Local\Temp\acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\MeSkin\acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.txt
  2⤵
  PID:4796
- C:\Program Files\MeSkin\sruealse.exe
  "C:\Program Files\MeSkin\sruealse.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MeSkin\acc1a0879c13b3d2c3a0d0f18e530468d8ea087564fdc4a73dfdd2d88cec4af4.txt

Filesize
78B

MD5
f77d3174b7f79925edb7106daf92281a

SHA1
8111e9c8796b94c7c51974f2ecd7062afd681047

SHA256
07e6a2a1d03bd173cb4f00899d6c749c227bd095f8b26aeeba47d398febb764f

SHA512
8298dca82192499393709ad815b30ab2d74be41d6ad0d5f1f5f440beb29f9808a064b8db9de3413dd57295de21d4d32c384d186ae055255aaaa4ac85c0141045

Download Submit
C:\Program Files\MeSkin\sruealse.chm

Filesize
43B

MD5
8aef11632b2a53da23f78f536242981a

SHA1
3245d55fc9e731303c0ed76e16319122d7f0108b

SHA256
bfbe11694817318827d0b3d9214a7993ba512093983e1e0474bc6f795cde2e29

SHA512
01bafe2dfee94da5c0965fb7047308f65bb3cea36265187b745264fe8230458b9db7a0077af92a914c4758a4efe40cc634a8aa13d319e85410bccc155b54f775

Download Submit
C:\Program Files\MeSkin\sruealse.exe

Filesize
4.1MB

MD5
e11d2a58729a67cc23b2798cf7f50525

SHA1
262af3f88e05cba8b22ba714edf631d99ddf2883

SHA256
618474d62337524b547863d24ad3c9f1524706751f6100329cdc5a50902a90d5

SHA512
3ddf932bede61ec0db75d6c4abae6c4f5934d7f846102797e04f73fc912f9c15b031588a71faa7266c3de0ecfdfb24d7f948e94e59774fa7d28c63bfb864c8d1

Download Submit
C:\Program Files\MeSkin\sruealse.exe

Filesize
4.1MB

MD5
e11d2a58729a67cc23b2798cf7f50525

SHA1
262af3f88e05cba8b22ba714edf631d99ddf2883

SHA256
618474d62337524b547863d24ad3c9f1524706751f6100329cdc5a50902a90d5

SHA512
3ddf932bede61ec0db75d6c4abae6c4f5934d7f846102797e04f73fc912f9c15b031588a71faa7266c3de0ecfdfb24d7f948e94e59774fa7d28c63bfb864c8d1

Download Submit

Analysis

Sharing