6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a

Analysis

max time kernel
90s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2023 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
Size

4.7MB
MD5

0b61703cfbd25e7ff2db298ff8b9eedd
SHA1

f09b378451d2a95c1426d6a3ecfc8ee496298df1
SHA256

6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a
SHA512

2079d147e8cbe628d7a8c77d7b88760dfbd0023cdd74d8ab010b004da22830e31354c3ce23a01558762d0bb356feb64164d596ad1caaaa014d148824f13a0455
SSDEEP

98304:c9khSECw7hZ4tVzrkeUMhllE+3vBfHpFgeOS:5h8tpjDW+3vdj

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	aspack_v212_v242

Loads dropped DLL 14 IoCs

Processes:

6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe

pid	process
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4052 PING.EXE

pid	process
4052	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe

pid	process
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.execmd.exe

description	pid	process	target process
PID 3036 wrote to memory of 4660	3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe	cmd.exe
PID 3036 wrote to memory of 4660	3036	6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe	cmd.exe
PID 4660 wrote to memory of 4052	4660	cmd.exe	PING.EXE
PID 4660 wrote to memory of 4052	4660	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe
"C:\Users\Admin\AppData\Local\Temp\6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 127.0.0.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6fc2400e316a8da24c6a9ac40f44c258f7923d0919f2509f70048fb6d499629a.exe" & del /f /q "C:\Users\Admin\AppData\Local\Temp\Sbox.ini" & rd /s /q "C:\Users\Admin\AppData\Local\Temp\safe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\system32\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.9MB

MD5
8538556dd4ed55ecf48470975df01e6e

SHA1
ba083460bb5786d0a2fbff32c74f7534a0ebf805

SHA256
309e15d652c863a0f188e99299a2e4d259d7de46d56123aa2052fee8057e666d

SHA512
d8e1cc93454a4c41934058570d65253ad39f4d9d7179985970ccda330a53f63a8a6b80bd682da4e7ebed18969bba4a3ef2f434af213668d4133302640d0e88ec

Download Submit
memory/3036-162-0x0000000074A90000-0x0000000074D37000-memory.dmp

Filesize
2.7MB

Download
memory/3036-142-0x0000000074A90000-0x0000000074D37000-memory.dmp

Filesize
2.7MB

Download
memory/3036-143-0x0000000074A90000-0x0000000074D37000-memory.dmp

Filesize
2.7MB

Download
memory/3036-159-0x0000000074A90000-0x0000000074D37000-memory.dmp

Filesize
2.7MB

Download
memory/3036-194-0x0000000074A90000-0x0000000074D37000-memory.dmp

Filesize
2.7MB

Download
memory/3036-177-0x0000000074A90000-0x0000000074D37000-memory.dmp

Filesize
2.7MB

Download
memory/3036-160-0x0000000074A90000-0x0000000074D37000-memory.dmp

Filesize
2.7MB

Download
memory/3036-178-0x0000000074A90000-0x0000000074D37000-memory.dmp

Filesize
2.7MB

Download
memory/3036-210-0x0000000074A90000-0x0000000074D37000-memory.dmp

Filesize
2.7MB

Download
memory/3036-211-0x0000000074A90000-0x0000000074D37000-memory.dmp

Filesize
2.7MB

Download
memory/3036-213-0x0000000074A90000-0x0000000074D37000-memory.dmp

Filesize
2.7MB

Download
memory/4052-214-0x0000000000000000-mapping.dmp

Download
memory/4660-212-0x0000000000000000-mapping.dmp

Download