109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde

Analysis

max time kernel
148s
max time network
137s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
Size

1.9MB
MD5

7c99f3dc2f88e6dd058299252a2ee771
SHA1

39d44f01bf79b2af961c1cd94aa48b708fae8eda
SHA256

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde
SHA512

5634d1272aefdf9e6dc5bc8cc9c5b96ec4bfb118ae57108e08c7a6bb18824b5dce67bbbaaba3bab71b5b7dbd13c7a569a323fc73be37b820f423f3e5e09edeb0
SSDEEP

49152:9aNHFXVSrP1lbt9pcMj0KeTsYfOJBW+9Cb:9aNHFX+P1lhDcoEskoeb

Score

8^/10

aspackv2 upx

Malware Config

Signatures

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll	acprotect
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll	acprotect

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid process

392 109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Loads dropped DLL 3 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid	process
2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll	upx
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll	upx
behavioral1/memory/392-114-0x0000000011000000-0x0000000011179000-memory.dmp	upx
behavioral1/memory/392-115-0x0000000012000000-0x000000001205F000-memory.dmp	upx
behavioral1/memory/392-137-0x0000000011000000-0x0000000011179000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid	process
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid process

2040 109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid	process
2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid	process
2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid	process
2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
392	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

description	pid	process	target process
PID 2040 wrote to memory of 392	2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
PID 2040 wrote to memory of 392	2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
PID 2040 wrote to memory of 392	2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
PID 2040 wrote to memory of 392	2040	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
"C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
"C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe" /afterupgrade
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
Filesize
1.9MB

MD5
0f648bdbca1e6733c9170b4f4cf6a5dd

SHA1
fd2a74e99a6fd0b331f45deeb2097a6a62f035a7

SHA256
8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081

SHA512
41b603d971f077a14b4c6f6349449669e81d864b91dc5fef6f6310086189d124a071c2f42ef1689ca2d13293f3d9b6ad795810cf81777e4969e5f48afb379990

Download Submit
C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
Filesize
1.9MB

MD5
0f648bdbca1e6733c9170b4f4cf6a5dd

SHA1
fd2a74e99a6fd0b331f45deeb2097a6a62f035a7

SHA256
8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081

SHA512
41b603d971f077a14b4c6f6349449669e81d864b91dc5fef6f6310086189d124a071c2f42ef1689ca2d13293f3d9b6ad795810cf81777e4969e5f48afb379990

Download Submit
C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
Filesize
1.9MB

MD5
0f648bdbca1e6733c9170b4f4cf6a5dd

SHA1
fd2a74e99a6fd0b331f45deeb2097a6a62f035a7

SHA256
8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081

SHA512
41b603d971f077a14b4c6f6349449669e81d864b91dc5fef6f6310086189d124a071c2f42ef1689ca2d13293f3d9b6ad795810cf81777e4969e5f48afb379990

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\user.dat.tmp
Filesize
37B

MD5
3b989ed70a2245c1428e73625ce774f2

SHA1
d78768e17164c5887d360cbda16b3eb645b448f6

SHA256
1c0a167b1f84087e9ba41230443426485a58884ceaab2be1e3997a78ee52f3e9

SHA512
56ec6365404a5fad3320b5d9bacce4243078b0abfb73f4f29a4d142e44fe5f189e2901d43bd2ec1445cfafc4e27f33a309bbd2a45a421fd43c702a8939a8fa0e

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\NCaddon.xml
Filesize
20KB

MD5
a8116f70d9ab4f5eff658a2bb83b895b

SHA1
3af11c583aa0fce88a21a3802b662cccd5e6cfb8

SHA256
a2570fc9fbab44750f039fb093915e37f6fd27b151fe809f505377c5f4bb2c2c

SHA512
be5b17d5ec3ce09d6e6faababb49e97f839dbb3d9308e6e5af19982487dcddc9eb5730c84883c64e2f69803698ed67c79d3b3bc439a2c45996ceb4ccb2b8e913

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\activity.xml
Filesize
37KB

MD5
f621d587b49982f64cbb8da84cd27703

SHA1
436779e5f27accc193e657e29e7303ba49fa48e5

SHA256
b1d3ec62b4f451dca187de2903f8b2eb3dbda4fdcafc8765c31bef11c27b409c

SHA512
0bf06dc172290124330200627f0417073996e3a0474b15942d905733ec9419d247e119b89ac5cd6ca041d82909700f9ef8fd68eaeebcfeffa3dd23afe89a8d81

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\crop.xml
Filesize
2.5MB

MD5
e59a1bc1cd90fd0867ebd4344ce553ee

SHA1
aea2f2b18a611e9f911bb8406a7f3c9709627d31

SHA256
aeecb43355f0c1cace9abb776da17bf0db65a9557c08c886208e1cbb4b20e450

SHA512
8360a2ec7f15778515192d94ebba681087d5c7fc2dfa0b570438d9532c5dc27201ba39da12c931697d2848cf36ad866546acb4a3c306025858ee6d87bc3a6c62

Download Submit
\??\c:\users\admin\documents\QQÅ©ÄÁÖúÊÖ\user.dat.cnt
Filesize
33B

MD5
048f289b413f3da6929589d5070fdbf4

SHA1
65deed652c24fd1e62a21091d71fbe181b0e7bcb

SHA256
9533e10dad875eaf15a481af9ca0115dcdceaae3c08ab7a72bc207f496ccde04

SHA512
aa83f77937834d96c450137e517b576aa39c0e307ab1bbd1d4253a2fd939628903c34527fd4fa57984c5a37fbaed4b148a9aebaa1c9a182490632df529875834

Download Submit
\??\c:\users\admin\documents\QQÅ©ÄÁÖúÊÖ\user.dat.tmp
Filesize
37B

MD5
3b989ed70a2245c1428e73625ce774f2

SHA1
d78768e17164c5887d360cbda16b3eb645b448f6

SHA256
1c0a167b1f84087e9ba41230443426485a58884ceaab2be1e3997a78ee52f3e9

SHA512
56ec6365404a5fad3320b5d9bacce4243078b0abfb73f4f29a4d142e44fe5f189e2901d43bd2ec1445cfafc4e27f33a309bbd2a45a421fd43c702a8939a8fa0e

Download Submit
\??\c:\users\admin\documents\QQÅ©ÄÁÖúÊÖ\³£¼ûÎÊÌâ½â¾ö°ì·¨.url
Filesize
131B

MD5
274351ff6dfe283f0fc67ae7a8b1d0de

SHA1
3b2642b1ec99845c368fada7dcb5cd733677092f

SHA256
81cc8ebc5f87249ada3c1e2f8c1f61f1c4782974e603f4e21312e63006bc550c

SHA512
62279eea5d7b327b86cf32c648530ae9ab86c4176f7d00e60efd565c780c85bb8ad7dc04444b02351596ccb2d0b1d8508f644f1f73de98201b2b72b13f512b0a

Download Submit
\??\c:\users\admin\documents\QQÅ©ÄÁÖúÊÖ\¹Ù·½ÍøÕ¾.url
Filesize
127B

MD5
e7087bfe4c6dee47a5c0b64dace49392

SHA1
ac9084f171848620c94117e76f13e3c2ce6acccd

SHA256
67165d96fe685002147a4712ac93659faf3e2c122cb22faa68dd3ebe7dfb18f0

SHA512
ee8a7c181b582a7b9c7d58c91c262fd07d49cfbc69beebc4e6ea1bbbcecc2108047b064658c97a1bac150779937253a15f83c314a0a04681d9bca8d4c35eee51

Download Submit
\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
Filesize
1.9MB

MD5
0f648bdbca1e6733c9170b4f4cf6a5dd

SHA1
fd2a74e99a6fd0b331f45deeb2097a6a62f035a7

SHA256
8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081

SHA512
41b603d971f077a14b4c6f6349449669e81d864b91dc5fef6f6310086189d124a071c2f42ef1689ca2d13293f3d9b6ad795810cf81777e4969e5f48afb379990

Download Submit
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll
Filesize
558KB

MD5
5f86d65a1686e6bb031048d04bb3fe04

SHA1
08052c7dda12c53971dd5600223cfb3a47283998

SHA256
39531152d763dd51da8ae6a50b206f296a07410602cdb399c991987e8a11f6b4

SHA512
970e9965236cfb827848e93de3ad0132cde0a57cbee38ad72441dc65fb824ea6c749e5993cd948231bb881d4cf6dfc735231b643d58b64de1f81caff91987e5b

Download Submit
\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll
Filesize
140KB

MD5
e503921a6061251302cb45772cb75f42

SHA1
b84a9daf1250dd33962feb6faaa122273a0b29a2

SHA256
970bfe2045464dfda89a1cd262f09813ab9c9ceb3c7375f02bca8aeecdc4cfcb

SHA512
d52b471d3e71e255d5bc7c9f04e141e80e750482183b770fdc35c08c0cc696c66643bc7074ebbeb2f9d95b6b728666414ad0ae5908f16e9a6e21d159dce33c48

Download Submit
memory/392-96-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/392-105-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/392-103-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/392-104-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/392-95-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/392-102-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/392-137-0x0000000011000000-0x0000000011179000-memory.dmp

Filesize
1.5MB

Download
memory/392-135-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/392-115-0x0000000012000000-0x000000001205F000-memory.dmp

Filesize
380KB

Download
memory/392-114-0x0000000011000000-0x0000000011179000-memory.dmp

Filesize
1.5MB

Download
memory/392-100-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/392-99-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/392-165-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/2040-70-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/2040-86-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/2040-73-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/2040-56-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2040-75-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/2040-68-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/2040-69-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2040-67-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/2040-66-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2040-74-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/2040-72-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/2040-65-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2040-76-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download