Analysis

  • max time kernel
    142s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 10:53

General

  • Target

    b4db59d40c2b586c0908be76e8d1db8a998afee13148184f11fa95f9fb9f54ca.exe

  • Size

    56KB

  • MD5

    3f31fe3d757bf0b599ee08af4339ac43

  • SHA1

    9c1c1e54f280006a5c47e9bd0f217e8007bdb484

  • SHA256

    b4db59d40c2b586c0908be76e8d1db8a998afee13148184f11fa95f9fb9f54ca

  • SHA512

    ce2dd310ccdbb05ec1a8100e7c915fb55242a7026432c7cb181c804dedbf7d0ef0e65b7437f69eaa2cabf757e608eab458306310fb5f543f746901e4316e3c36

  • SSDEEP

    768:EhNtJtqm0tJdWvHuHb2zrLZhunxSDgZjGjL8KDTY3mqQdTosytxnha5:Edqm4JdEHuHiXTnDgZSTkYdTosA

Score
8/10

Malware Config

Signatures

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4db59d40c2b586c0908be76e8d1db8a998afee13148184f11fa95f9fb9f54ca.exe
    "C:\Users\Admin\AppData\Local\Temp\b4db59d40c2b586c0908be76e8d1db8a998afee13148184f11fa95f9fb9f54ca.exe"
    1⤵
    • Adds policy Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        PID:2776
    • C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      2⤵
      • Launches sc.exe
      PID:1912
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        PID:1572
    • C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      2⤵
      • Launches sc.exe
      PID:4664
    • C:\Users\Admin\AppData\Local\Temp\l6fqw.exe
      C:\Users\Admin\AppData\Local\Temp\l6fqw.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Security Center"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:920
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
          PID:1748
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        3⤵
        • Launches sc.exe
        PID:1420
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          PID:4256
      • C:\Users\Admin\AppData\Local\Temp\l6fqw.exe
        C:\Users\Admin\AppData\Local\Temp\l6fqw.exe -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
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3216
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Security Center"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            5⤵
            PID:4512
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5088
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            5⤵
            PID:3372
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          4⤵
          • Launches sc.exe
          PID:1196
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= DISABLED
          4⤵
          • Launches sc.exe
          PID:1216
      • C:\Windows\SysWOW64\sc.exe
        sc config SharedAccess start= DISABLED
        3⤵
        • Launches sc.exe
        PID:4688
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • Checks processor information in registry
        PID:3708
        • C:\Windows\SysWOW64\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
          PID:2216
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\meslfpwk.bat
      2⤵
      PID:1144

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\l6fqw.exe

    Filesize

    56KB

    MD5

    3f31fe3d757bf0b599ee08af4339ac43

    SHA1

    9c1c1e54f280006a5c47e9bd0f217e8007bdb484

    SHA256

    b4db59d40c2b586c0908be76e8d1db8a998afee13148184f11fa95f9fb9f54ca

    SHA512

    ce2dd310ccdbb05ec1a8100e7c915fb55242a7026432c7cb181c804dedbf7d0ef0e65b7437f69eaa2cabf757e608eab458306310fb5f543f746901e4316e3c36

  • C:\Users\Admin\AppData\Local\Temp\mdinstall.inf

    Filesize

    413B

    MD5

    ce1f2d7c8e36f3c085a5d281b9ebeb2f

    SHA1

    bbbfae948d625afe50f66f34282bda3974cfdce5

    SHA256

    312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c

    SHA512

    89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e

  • C:\Users\Admin\AppData\Local\Temp\meslfpwk.bat

    Filesize

    254B

    MD5

    e7af7b1d4e2452b5fb4cabe22afeac27

    SHA1

    23e9f51a40c617cfddb52838b1ecfdb059961d6b

    SHA256

    0b0f2ce60566d5ffb1a9b8734e2924caa05554c9af11aaec3d6969cb4f54d390

    SHA512

    889194472bf7e14630d6da8052a260df59d8720946249a94a57c11de97b9f1bcee1e9175ce7b8bc9210810916bb832be3a1f28b0c73753120b73335005ece054

  • memory/3032-146-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3032-171-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3216-160-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3216-173-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3216-172-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/4448-169-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/4448-132-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB