f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f

General

Target

f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe
Size

394KB
MD5

c3e196729803e6e30962b946d32c22ed
SHA1

6bd1e763006a42d7679530c30acc3c5248d1dbff
SHA256

f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f
SHA512

d4173c34c1cc54d1920a1087a50c3bb579ffee762523b2e1f718ac0325ff804027a0c00676ed384aef76a6119287fd75fc5b19cec5380d298c722f6dfcbe594c
SSDEEP

12288:6+g+HPUZHa8WU2aPIBMFrHgnUS2kTzDsA/Gtey:6J+vsHZiaeMVgT2KQA/Gt7

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000014145-54.dat	aspack_v212_v242
behavioral1/files/0x0008000000014145-57.dat	aspack_v212_v242
behavioral1/files/0x0008000000014145-55.dat	aspack_v212_v242
behavioral1/files/0x000a000000013a17-58.dat	aspack_v212_v242
behavioral1/files/0x000a000000013a17-59.dat	aspack_v212_v242

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msfali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msfali = "C:\\Windows\\SysWOW64\\msfali.exe"	msfali.exe

Executes dropped EXE 1 IoCs

pid	Process
1476	msfali.exe

Deletes itself 1 IoCs

pid	Process
1620	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1772	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe
1772	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe
1476	msfali.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msuadosat.dll	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe
File created	C:\Windows\SysWOW64\msfali.exe	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1476	msfali.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1476	1772	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe	28
PID 1772 wrote to memory of 1476	1772	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe	28
PID 1772 wrote to memory of 1476	1772	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe	28
PID 1772 wrote to memory of 1476	1772	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe	28
PID 1772 wrote to memory of 1620	1772	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe	29
PID 1772 wrote to memory of 1620	1772	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe	29
PID 1772 wrote to memory of 1620	1772	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe	29
PID 1772 wrote to memory of 1620	1772	f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe	29

C:\Users\Admin\AppData\Local\Temp\f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe
"C:\Users\Admin\AppData\Local\Temp\f5d4f4301bf7b94f80ac359d5f25942414fe018c245df71d7c72d55e1043bc6f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\msfali.exe
  C:\Windows\system32\msfali.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\_deleteme.bat
  2⤵
  - Deletes itself
  PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_deleteme.bat

Filesize
248B

MD5
927e030da8837a5ca1f09682a71ed844

SHA1
db9e899c4534af112640ed6f764759b8f2c2e0ad

SHA256
041c900eb3d50dd41931628d17798c747ff1e611555f523833abb48af93cf447

SHA512
f5d467f10d131e75098bd7396f2592db5f448ac8bffbf586fce3a7a03328a944bc9ea69e5211114805041d6cde3d04c3ce4251bb1a412492dc0b6426e57eaaf3

Download Submit
C:\Windows\SysWOW64\msfali.exe

Filesize
56KB

MD5
037e08658134225a44448a2de2ee8578

SHA1
536a02bb1bd60f46bf71a255b9f217b7bc383427

SHA256
6ac5a734eb7746775d173537eeb0a937a8de776ff5d6b4e83f64fcb0c8fe0118

SHA512
4de5ec6cdc610ce0e117c42ed6c7407e0967e9719ab7c8d7056b97d49961d9c686a7d599df40862457296a27b840a29c5056bcbb6b694fbd3469e5c7bf37e481

Download Submit
C:\Windows\SysWOW64\msuadosat.dll

Filesize
218KB

MD5
29d0e16c8e82a8e0553b62ad705034ea

SHA1
f24246e805dfe07537854bbf1cf3f3b679e5cff9

SHA256
a91eec2951e42006d343156ee57b2535d31fc0002aa92e8bc8ac8ddb20c1792d

SHA512
ab039b8395f94b9b949fb3c0380f79f58e4e537f2eea69f8b423ffc3da12d00f7d29a5e579b4455fb16399c4c79c7b77a453b6a28f99538545108fbbadf55a5e

Download Submit
\Windows\SysWOW64\msfali.exe

Filesize
56KB

MD5
037e08658134225a44448a2de2ee8578

SHA1
536a02bb1bd60f46bf71a255b9f217b7bc383427

SHA256
6ac5a734eb7746775d173537eeb0a937a8de776ff5d6b4e83f64fcb0c8fe0118

SHA512
4de5ec6cdc610ce0e117c42ed6c7407e0967e9719ab7c8d7056b97d49961d9c686a7d599df40862457296a27b840a29c5056bcbb6b694fbd3469e5c7bf37e481

Download Submit
\Windows\SysWOW64\msfali.exe

Filesize
56KB

MD5
037e08658134225a44448a2de2ee8578

SHA1
536a02bb1bd60f46bf71a255b9f217b7bc383427

SHA256
6ac5a734eb7746775d173537eeb0a937a8de776ff5d6b4e83f64fcb0c8fe0118

SHA512
4de5ec6cdc610ce0e117c42ed6c7407e0967e9719ab7c8d7056b97d49961d9c686a7d599df40862457296a27b840a29c5056bcbb6b694fbd3469e5c7bf37e481

Download Submit
\Windows\SysWOW64\msuadosat.dll

Filesize
218KB

MD5
29d0e16c8e82a8e0553b62ad705034ea

SHA1
f24246e805dfe07537854bbf1cf3f3b679e5cff9

SHA256
a91eec2951e42006d343156ee57b2535d31fc0002aa92e8bc8ac8ddb20c1792d

SHA512
ab039b8395f94b9b949fb3c0380f79f58e4e537f2eea69f8b423ffc3da12d00f7d29a5e579b4455fb16399c4c79c7b77a453b6a28f99538545108fbbadf55a5e

Download Submit
memory/1476-56-0x0000000000000000-mapping.dmp

Download
memory/1476-60-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1620-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing