6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-02-2023 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
Size

4.7MB
MD5

0b61703cfbd25e7ff2db298ff8b9eedd
SHA1

f09b378451d2a95c1426d6a3ecfc8ee496298df1
SHA256

6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a
SHA512

2079d147e8cbe628d7a8c77d7b88760dfbd0023cdd74d8ab010b004da22830e31354c3ce23a01558762d0bb356feb64164d596ad1caaaa014d148824f13a0455
SSDEEP

98304:c9khSECw7hZ4tVzrkeUMhllE+3vBfHpFgeOS:5h8tpjDW+3vdj

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

820 cmd.exe

pid	process
820	cmd.exe

Loads dropped DLL 14 IoCs

Processes:

6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe

pid	process
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

108 PING.EXE

pid	process
108	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe

pid	process
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.execmd.exe

description	pid	process	target process
PID 112 wrote to memory of 360	112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe	ose00000.exe
PID 112 wrote to memory of 360	112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe	ose00000.exe
PID 112 wrote to memory of 360	112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe	ose00000.exe
PID 112 wrote to memory of 360	112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe	ose00000.exe
PID 112 wrote to memory of 820	112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe	cmd.exe
PID 112 wrote to memory of 820	112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe	cmd.exe
PID 112 wrote to memory of 820	112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe	cmd.exe
PID 112 wrote to memory of 820	112	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe	cmd.exe
PID 820 wrote to memory of 108	820	cmd.exe	PING.EXE
PID 820 wrote to memory of 108	820	cmd.exe	PING.EXE
PID 820 wrote to memory of 108	820	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
"C:\Users\Admin\AppData\Local\Temp\6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:112

C:\Users\Admin\AppData\Local\Temp\ose00000.exe
C:\Users\Admin\AppData\Local\Temp\ose00000.exe
2⤵
PID:360

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe" & del /f /q "C:\Users\Admin\AppData\Local\Temp\Sbox.ini" & rd /s /q "C:\Users\Admin\AppData\Local\Temp\safe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\system32\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:108

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
memory/108-137-0x0000000000000000-mapping.dmp

Download
memory/112-91-0x0000000074CE0000-0x0000000074F87000-memory.dmp

Filesize
2.7MB

Download
memory/112-100-0x0000000074CE0000-0x0000000074F87000-memory.dmp

Filesize
2.7MB

Download
memory/112-103-0x0000000074CE0000-0x0000000074F87000-memory.dmp

Filesize
2.7MB

Download
memory/112-105-0x0000000074A30000-0x0000000074CD7000-memory.dmp

Filesize
2.7MB

Download
memory/112-104-0x0000000074A30000-0x0000000074CD7000-memory.dmp

Filesize
2.7MB

Download
memory/112-95-0x0000000074CE0000-0x0000000074F87000-memory.dmp

Filesize
2.7MB

Download
memory/112-92-0x0000000074CE0000-0x0000000074F87000-memory.dmp

Filesize
2.7MB

Download
memory/112-102-0x0000000074A30000-0x0000000074CD7000-memory.dmp

Filesize
2.7MB

Download
memory/112-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/112-127-0x0000000074CE0000-0x0000000074F87000-memory.dmp

Filesize
2.7MB

Download
memory/112-128-0x0000000074A30000-0x0000000074CD7000-memory.dmp

Filesize
2.7MB

Download
memory/112-129-0x0000000074CE0000-0x0000000074F87000-memory.dmp

Filesize
2.7MB

Download
memory/112-60-0x0000000074CE0000-0x0000000074F87000-memory.dmp

Filesize
2.7MB

Download
memory/112-97-0x0000000074CE0000-0x0000000074F87000-memory.dmp

Filesize
2.7MB

Download
memory/360-135-0x0000000000000000-mapping.dmp

Download
memory/820-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads