Overview

overview

7

Static

static

7

731e1a4986...17.exe

windows7-x64

7

731e1a4986...17.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-03-2023 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe

  • Size

    2.2MB

  • MD5

    20136843871cbf97f966bd27c9522108

  • SHA1

    96f6129e9103be1317236380079bbb3bbdb58d2d

  • SHA256

    731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117

  • SHA512

    2ab6a87949c11b33c8060794bee6b93c8cf668396398fa8817e59b4c8a706bfe01e3a7100cee9e575b32233624fb159cb038342ca2abfc11e46a0474b293c04b

  • SSDEEP

    49152:Wf4JYjtvbdDUDYTSN4x1PjcvJ5dfSObPXAbVoE56ij:JI5wDYy4f7wdLbQVoEc

Score
7/10
aspackv2persistencespywarestealerupx

Malware Config

Signatures

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe
    "C:\Users\Admin\AppData\Local\Temp\731e1a498611e33e76f3e69386fd70281168da539d0005212bc3bd4d0ce1b117.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe
      C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7a6648fc.bat" "
        3⤵
          PID:2124
      • C:\Program Files (x86)\MountTaiSoftware\Lodop\LodopDllInstall64.exe
        "C:\Program Files (x86)\MountTaiSoftware\Lodop\LodopDllInstall64.exe" CAOSOFT_WEB_PRINT_lodop64.ocx
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Registers COM server for autorun
        • Modifies registry class
        PID:2004

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop64.ocx
      Filesize

      6.0MB

      MD5

      167734e8f770e73bd8baf046caff17d6

      SHA1

      e84dac6c9cc7d4a42635cae46941e55c637b3e3d

      SHA256

      311eef48ed6ed5e930f193b3f62e45d91a075ac4c80b315b18add79e57a867a0

      SHA512

      aab9ef67c3a476974f7003f9c90806c76a220e9c9f1b62c65a1bc8f8b86e188d88dbb4f0476a2bcd658e06898576197c34c0cff3f66633a7f26316bae6635bc1

      Download Submit
    • C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop64.ocx
      Filesize

      6.0MB

      MD5

      167734e8f770e73bd8baf046caff17d6

      SHA1

      e84dac6c9cc7d4a42635cae46941e55c637b3e3d

      SHA256

      311eef48ed6ed5e930f193b3f62e45d91a075ac4c80b315b18add79e57a867a0

      SHA512

      aab9ef67c3a476974f7003f9c90806c76a220e9c9f1b62c65a1bc8f8b86e188d88dbb4f0476a2bcd658e06898576197c34c0cff3f66633a7f26316bae6635bc1

      Download Submit
    • C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop64.ocx
      Filesize

      6.0MB

      MD5

      167734e8f770e73bd8baf046caff17d6

      SHA1

      e84dac6c9cc7d4a42635cae46941e55c637b3e3d

      SHA256

      311eef48ed6ed5e930f193b3f62e45d91a075ac4c80b315b18add79e57a867a0

      SHA512

      aab9ef67c3a476974f7003f9c90806c76a220e9c9f1b62c65a1bc8f8b86e188d88dbb4f0476a2bcd658e06898576197c34c0cff3f66633a7f26316bae6635bc1

      Download Submit
    • C:\Program Files (x86)\MountTaiSoftware\Lodop\LodopDllInstall64.exe
      Filesize

      475KB

      MD5

      129c19761074529f21e9b58760018538

      SHA1

      dc44d7184927adcb7ae2d509a56624f320c0ce94

      SHA256

      27b84c2b92bbea719f96769cfa287b94a48ab13c7c3ba6c4907a1886f3a6940a

      SHA512

      3dabfdda728aa6db59f5499b2500cecc7e332bef899f2c728213d48d96eee9fefa8720c91597c8223be4b1631ec0211c17c6d546f2ea330b7c458bdb56fc224e

      Download Submit
    • C:\Program Files (x86)\MountTaiSoftware\Lodop\LodopDllInstall64.exe
      Filesize

      475KB

      MD5

      129c19761074529f21e9b58760018538

      SHA1

      dc44d7184927adcb7ae2d509a56624f320c0ce94

      SHA256

      27b84c2b92bbea719f96769cfa287b94a48ab13c7c3ba6c4907a1886f3a6940a

      SHA512

      3dabfdda728aa6db59f5499b2500cecc7e332bef899f2c728213d48d96eee9fefa8720c91597c8223be4b1631ec0211c17c6d546f2ea330b7c458bdb56fc224e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LZ0AI98S\k2[1].rar
      Filesize

      4B

      MD5

      d3b07384d113edec49eaa6238ad5ff00

      SHA1

      f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

      SHA256

      b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

      SHA512

      0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\408823A0.exe
      Filesize

      4B

      MD5

      20879c987e2f9a916e578386d499f629

      SHA1

      c7b33ddcc42361fdb847036fc07e880b81935d5d

      SHA256

      9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

      SHA512

      bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\7a6648fc.bat
      Filesize

      187B

      MD5

      463c15808e0883233e1d898dd25c3ca9

      SHA1

      5d4380feed832695ca4bdcc9d957cfd7164e5429

      SHA256

      f43769876752e1223748daff87ae1ccd9a8fe3a1c80331b924244bd1c8f063c2

      SHA512

      63af9f7f25422bc9b50265a30763ce7c5b6c30c898bf48854d574c5fd47ad680cd4da3030f0e36b1440e348685e3ace3479349ee808883df9100b86fd7c3c97c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe
      Filesize

      15KB

      MD5

      56b2c3810dba2e939a8bb9fa36d3cf96

      SHA1

      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

      SHA256

      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

      SHA512

      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\OqmBIi.exe
      Filesize

      15KB

      MD5

      56b2c3810dba2e939a8bb9fa36d3cf96

      SHA1

      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

      SHA256

      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

      SHA512

      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

      Download Submit
    • memory/1072-141-0x0000000000DC0000-0x0000000000DC9000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1072-192-0x0000000000DC0000-0x0000000000DC9000-memory.dmp
      Filesize

      36KB

      Download
    • memory/2004-155-0x0000000002240000-0x0000000002855000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2004-157-0x0000000000400000-0x0000000000486000-memory.dmp
      Filesize

      536KB

      Download
    • memory/2004-164-0x0000000000560000-0x0000000000561000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5024-145-0x0000000002A70000-0x0000000002A71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/5024-138-0x0000000000400000-0x0000000000B8C000-memory.dmp
      Filesize

      7.5MB

      Download
    • memory/5024-194-0x0000000000400000-0x0000000000B8C000-memory.dmp
      Filesize

      7.5MB

      Download