29d3dd3546a98286c0e6c3d6e1cd11850fe9494e894e92f7db9b6af840c55c98

Resubmissions

08/01/2023, 02:22

230108-ctnccsga4v 8

06/01/2023, 03:21

230106-dwmz2seb44 8

06/01/2023, 00:25

230106-aq5fcsdg52 8

06/01/2023, 00:18

230106-alts3ahc8y 8

Analysis

max time kernel
133s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2023, 00:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AdoPPrCC.exe
Size

1.4MB
MD5

dcb8835c6751a8bc9f3ea8cc32e2befc
SHA1

b5a1cce8126930ac4da6cfec6864b1494c9a90b8
SHA256

ad65f66ee948e60822e2b14fdf95820ba688300c2b7a9fe994ee4800074ac51a
SHA512

5d5e727e3e27068d2401b363c8a53bd1c86671ecfbfd8b1c2d420895b6489eb355af14df2ce055811cba38aa54b2a5f61793555dd71cf47509b78f5c5a45675b
SSDEEP

24576:ayCmOXRlMCZahQQ7RtlxfkpV8r6wJlh8Ni7EKBxMW3QWwjby7vhgxKySdN6kF:apmOXNZahhHllkr+6U6q73Q3vmgxKyS7

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000022e29-137.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e29-141.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4700	$$.tmp

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4224-133-0x0000000000AD0000-0x0000000000CC2000-memory.dmp	autoit_exe
behavioral2/memory/4224-134-0x0000000000AD0000-0x0000000000CC2000-memory.dmp	autoit_exe
behavioral2/memory/4224-135-0x0000000000AD0000-0x0000000000CC2000-memory.dmp	autoit_exe
behavioral2/memory/4224-132-0x0000000000AD0000-0x0000000000CC2000-memory.dmp	autoit_exe
behavioral2/memory/4700-138-0x0000000000DE0000-0x0000000000EF8000-memory.dmp	autoit_exe
behavioral2/memory/4700-139-0x0000000000DE0000-0x0000000000EF8000-memory.dmp	autoit_exe
behavioral2/memory/4700-140-0x0000000000DE0000-0x0000000000EF8000-memory.dmp	autoit_exe
behavioral2/memory/4700-143-0x0000000000DE0000-0x0000000000EF8000-memory.dmp	autoit_exe
behavioral2/memory/4700-144-0x0000000000DE0000-0x0000000000EF8000-memory.dmp	autoit_exe
behavioral2/memory/4224-145-0x0000000000AD0000-0x0000000000CC2000-memory.dmp	autoit_exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\$$.tmp	AdoPPrCC.exe
File created	C:\Program Files (x86)\Common Files\Splash.png	AdoPPrCC.exe
File opened for modification	C:\Program Files (x86)\Common Files\Splash.png	AdoPPrCC.exe
File created	C:\Program Files (x86)\Common Files\$$.tmp	AdoPPrCC.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2680	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4700	$$.tmp
4072	OpenWith.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe
4224	AdoPPrCC.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe
4072	OpenWith.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4700	4224	AdoPPrCC.exe	80
PID 4224 wrote to memory of 4700	4224	AdoPPrCC.exe	80
PID 4224 wrote to memory of 4700	4224	AdoPPrCC.exe	80
PID 4072 wrote to memory of 2680	4072	OpenWith.exe	95
PID 4072 wrote to memory of 2680	4072	OpenWith.exe	95

C:\Users\Admin\AppData\Local\Temp\AdoPPrCC.exe
"C:\Users\Admin\AppData\Local\Temp\AdoPPrCC.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Program Files (x86)\Common Files\$$.tmp
  "C:\Program Files (x86)\Common Files\$$.tmp
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1264

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1995327916\payload.dat
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\$$.tmp

Filesize
589KB

MD5
fd0c8ecd900dd9ffe7ecbef111b39428

SHA1
eb2e5e2d845fede860094fb7f9c4c2fb79c568c9

SHA256
1f29dd571e09e18704750995f72ad3c7a73e7e4763fa786e1a68f0e02f3db42b

SHA512
cc6910eebac09057a43e44240c45d7518c5e46c98d0bba3236802f7d08d91c12212ddb3b3bd9d31a494ba92186734567047dd162c68c398121242019752f2283

Download Submit
C:\Program Files (x86)\Common Files\$$.tmp

Filesize
589KB

MD5
fd0c8ecd900dd9ffe7ecbef111b39428

SHA1
eb2e5e2d845fede860094fb7f9c4c2fb79c568c9

SHA256
1f29dd571e09e18704750995f72ad3c7a73e7e4763fa786e1a68f0e02f3db42b

SHA512
cc6910eebac09057a43e44240c45d7518c5e46c98d0bba3236802f7d08d91c12212ddb3b3bd9d31a494ba92186734567047dd162c68c398121242019752f2283

Download Submit
C:\Program Files (x86)\Common Files\splash.png

Filesize
122KB

MD5
b5889966782b2a503684be3dbbd2df79

SHA1
65bf4192b97a464a6381ba3393c33e72e121da92

SHA256
56d676494b2b95e8fa53d5d8b78f61a5940e95809772b194a8b71939fc408e27

SHA512
4cc342ff21a92fc748bee390772ab9af880688689c1713886b7f9946863dfc7421c8a514954fbb0c825b2aae2c5e9c32fa327e88019c6140ab06c3390b3d98cb

Download Submit
memory/4224-132-0x0000000000AD0000-0x0000000000CC2000-memory.dmp

Filesize
1.9MB

Download
memory/4224-133-0x0000000000AD0000-0x0000000000CC2000-memory.dmp

Filesize
1.9MB

Download
memory/4224-135-0x0000000000AD0000-0x0000000000CC2000-memory.dmp

Filesize
1.9MB

Download
memory/4224-145-0x0000000000AD0000-0x0000000000CC2000-memory.dmp

Filesize
1.9MB

Download
memory/4224-134-0x0000000000AD0000-0x0000000000CC2000-memory.dmp

Filesize
1.9MB

Download
memory/4700-138-0x0000000000DE0000-0x0000000000EF8000-memory.dmp

Filesize
1.1MB

Download
memory/4700-139-0x0000000000DE0000-0x0000000000EF8000-memory.dmp

Filesize
1.1MB

Download
memory/4700-140-0x0000000000DE0000-0x0000000000EF8000-memory.dmp

Filesize
1.1MB

Download
memory/4700-143-0x0000000000DE0000-0x0000000000EF8000-memory.dmp

Filesize
1.1MB

Download
memory/4700-144-0x0000000000DE0000-0x0000000000EF8000-memory.dmp

Filesize
1.1MB

Download