41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4

General

Target

41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe
Size

44KB
MD5

7136931e5fb1f3b5759a77b32dd522fe
SHA1

503cad17e04bbd2833837103aece2ec1a2ee416d
SHA256

41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4
SHA512

e4ee92d1cdf589685b3f63f0f4086e005eef8e862049a5fe98a2b2a0fb8930c888bcd87ee76c6b7b80a91ab78dc47c451b1e325a15c66a9013309f7443f12e24
SSDEEP

768:hfXKTHyY+h6ovFQGPL4vzZq2o9W7GsxBbPr:pX2SCoviGCq2iW7z

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\yvEAMj.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\yvEAMj.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

yvEAMj.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation yvEAMj.exe
Executes dropped EXE 1 IoCs

Processes:

yvEAMj.exe

pid process

2212 yvEAMj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	yvEAMj.exe

pid	process
2212	yvEAMj.exe

Drops file in Program Files directory 64 IoCs

Processes:

yvEAMj.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	yvEAMj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	yvEAMj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	yvEAMj.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe	yvEAMj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	yvEAMj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	yvEAMj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	yvEAMj.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	yvEAMj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	yvEAMj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	yvEAMj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	yvEAMj.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	yvEAMj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	yvEAMj.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	yvEAMj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	yvEAMj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	yvEAMj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	yvEAMj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	yvEAMj.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe	yvEAMj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	yvEAMj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	yvEAMj.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	yvEAMj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	yvEAMj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exeyvEAMj.exe

description	pid	process	target process
PID 5092 wrote to memory of 2212	5092	41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe	yvEAMj.exe
PID 5092 wrote to memory of 2212	5092	41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe	yvEAMj.exe
PID 5092 wrote to memory of 2212	5092	41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe	yvEAMj.exe
PID 2212 wrote to memory of 4460	2212	yvEAMj.exe	cmd.exe
PID 2212 wrote to memory of 4460	2212	yvEAMj.exe	cmd.exe
PID 2212 wrote to memory of 4460	2212	yvEAMj.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe
"C:\Users\Admin\AppData\Local\Temp\41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\yvEAMj.exe
C:\Users\Admin\AppData\Local\Temp\yvEAMj.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\380328b0.bat" "
3⤵
PID:4460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\380328b0.bat
Filesize
187B

MD5
2441ef95688be0e62e7cab75be6c7b43

SHA1
50b60791c9db2bb06378dc97f17c156e06fb3124

SHA256
d01b8a20f615d1068434f6f58aa385c0d2e2cff4426ab3d9b58c1e7218e2af2b

SHA512
102c063faf5ce0277372b3edcb80453e4f4c1a9dc08bbe940b965a05940374847757e699b6b9be83b7d50a423854ac1d695cde4de7355276674ed0e08daf0c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\674D6926.exe
Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\674D6926.exe
Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvEAMj.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvEAMj.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/2212-139-0x0000000000270000-0x0000000000279000-memory.dmp

Filesize
36KB

Download
memory/2212-180-0x0000000000270000-0x0000000000279000-memory.dmp

Filesize
36KB

Download
memory/5092-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads