109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2023 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
Size

1.9MB
MD5

7c99f3dc2f88e6dd058299252a2ee771
SHA1

39d44f01bf79b2af961c1cd94aa48b708fae8eda
SHA256

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde
SHA512

5634d1272aefdf9e6dc5bc8cc9c5b96ec4bfb118ae57108e08c7a6bb18824b5dce67bbbaaba3bab71b5b7dbd13c7a569a323fc73be37b820f423f3e5e09edeb0
SSDEEP

49152:9aNHFXVSrP1lbt9pcMj0KeTsYfOJBW+9Cb:9aNHFX+P1lhDcoEskoeb

Score

8^/10

aspackv2 upx

Malware Config

Signatures

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll	acprotect
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid process

4672 109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Loads dropped DLL 2 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid	process
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll	upx
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll	upx
behavioral2/memory/4672-190-0x0000000011000000-0x0000000011179000-memory.dmp	upx
behavioral2/memory/4672-191-0x0000000012000000-0x000000001205F000-memory.dmp	upx
behavioral2/memory/4672-237-0x0000000011000000-0x0000000011179000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid	process
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid process

4888 109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid	process
4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid	process
4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

pid	process
4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
4672	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

description	pid	process	target process
PID 4888 wrote to memory of 4672	4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
PID 4888 wrote to memory of 4672	4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
PID 4888 wrote to memory of 4672	4888	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe	109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe

C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
"C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
"C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe" /afterupgrade
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
Filesize
1.9MB

MD5
0f648bdbca1e6733c9170b4f4cf6a5dd

SHA1
fd2a74e99a6fd0b331f45deeb2097a6a62f035a7

SHA256
8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081

SHA512
41b603d971f077a14b4c6f6349449669e81d864b91dc5fef6f6310086189d124a071c2f42ef1689ca2d13293f3d9b6ad795810cf81777e4969e5f48afb379990

Download Submit
C:\Users\Admin\AppData\Local\Temp\109c2259ca07adf9f316e385e753ffb21810a6de9b180ed0d3126ca5440c1cde.exe
Filesize
1.9MB

MD5
0f648bdbca1e6733c9170b4f4cf6a5dd

SHA1
fd2a74e99a6fd0b331f45deeb2097a6a62f035a7

SHA256
8113e95e0cfe047d9737f268cc6364583adecb191a33e4fae2e09d50862b0081

SHA512
41b603d971f077a14b4c6f6349449669e81d864b91dc5fef6f6310086189d124a071c2f42ef1689ca2d13293f3d9b6ad795810cf81777e4969e5f48afb379990

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\user.dat
Filesize
37B

MD5
ad601bc9c30dfa75b73ce37c2c030290

SHA1
7483000c79c254c1f59383141d66c51fb9e062c7

SHA256
97318b1bdb03bb5f67344abb4a4d524a3c2b2cda6fb4f84acc887df2db5ab9eb

SHA512
9318f858d97257e22f2a301409df726e8e4080be1d0133935a0d188a0acc4fd77fa374825d2ad1d2a76ef73d2158c22c8a59edfa045694638ce166dada1abb92

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\user.dat.tmp
Filesize
37B

MD5
8d245ecf10a359570a1ea905ae988c5d

SHA1
1385973abda419edf68afffb70dcc976818c12e6

SHA256
04fb39314f1a355e89f17da8647111589c72e47bb76d65d217991b4542677c0b

SHA512
8dd19cd40b18cb51146966b37cc35018a76ff1dca9de7ed0f45474977b4f61ad488a54eb266367d04ea681b199e7b6b0cb95ce58d572816b928426e52ef6b36e

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\NCaddon.xml
Filesize
20KB

MD5
a8116f70d9ab4f5eff658a2bb83b895b

SHA1
3af11c583aa0fce88a21a3802b662cccd5e6cfb8

SHA256
a2570fc9fbab44750f039fb093915e37f6fd27b151fe809f505377c5f4bb2c2c

SHA512
be5b17d5ec3ce09d6e6faababb49e97f839dbb3d9308e6e5af19982487dcddc9eb5730c84883c64e2f69803698ed67c79d3b3bc439a2c45996ceb4ccb2b8e913

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\activity.xml
Filesize
37KB

MD5
f621d587b49982f64cbb8da84cd27703

SHA1
436779e5f27accc193e657e29e7303ba49fa48e5

SHA256
b1d3ec62b4f451dca187de2903f8b2eb3dbda4fdcafc8765c31bef11c27b409c

SHA512
0bf06dc172290124330200627f0417073996e3a0474b15942d905733ec9419d247e119b89ac5cd6ca041d82909700f9ef8fd68eaeebcfeffa3dd23afe89a8d81

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\crop.xml
Filesize
2.5MB

MD5
e59a1bc1cd90fd0867ebd4344ce553ee

SHA1
aea2f2b18a611e9f911bb8406a7f3c9709627d31

SHA256
aeecb43355f0c1cace9abb776da17bf0db65a9557c08c886208e1cbb4b20e450

SHA512
8360a2ec7f15778515192d94ebba681087d5c7fc2dfa0b570438d9532c5dc27201ba39da12c931697d2848cf36ad866546acb4a3c306025858ee6d87bc3a6c62

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\encrypt.js
Filesize
17KB

MD5
22e3f774a84298c08e029ce9f2bf30aa

SHA1
7fd8795993f22a9daf86491e85b716749578b563

SHA256
724bdf78c747363b1d1302f58dd58838d6c7eefe6e7d26e30bf523577dc03eb8

SHA512
7c4ac8c4edd59a05b2c24714188b86d2f80c200ef6f1c7046fccb70df6a6152508f87907ea2c35c55e4d693e85785c0bddd8fa856da8ad8acc24a2364b24b230

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\libeay32.dll
Filesize
558KB

MD5
5f86d65a1686e6bb031048d04bb3fe04

SHA1
08052c7dda12c53971dd5600223cfb3a47283998

SHA256
39531152d763dd51da8ae6a50b206f296a07410602cdb399c991987e8a11f6b4

SHA512
970e9965236cfb827848e93de3ad0132cde0a57cbee38ad72441dc65fb824ea6c749e5993cd948231bb881d4cf6dfc735231b643d58b64de1f81caff91987e5b

Download Submit
C:\Users\Admin\Documents\QQÅ©ÄÁÖúÊÖ\xml\ssleay32.dll
Filesize
140KB

MD5
e503921a6061251302cb45772cb75f42

SHA1
b84a9daf1250dd33962feb6faaa122273a0b29a2

SHA256
970bfe2045464dfda89a1cd262f09813ab9c9ceb3c7375f02bca8aeecdc4cfcb

SHA512
d52b471d3e71e255d5bc7c9f04e141e80e750482183b770fdc35c08c0cc696c66643bc7074ebbeb2f9d95b6b728666414ad0ae5908f16e9a6e21d159dce33c48

Download Submit
\??\c:\users\admin\documents\QQÅ©ÄÁÖúÊÖ\user.dat
Filesize
37B

MD5
ad601bc9c30dfa75b73ce37c2c030290

SHA1
7483000c79c254c1f59383141d66c51fb9e062c7

SHA256
97318b1bdb03bb5f67344abb4a4d524a3c2b2cda6fb4f84acc887df2db5ab9eb

SHA512
9318f858d97257e22f2a301409df726e8e4080be1d0133935a0d188a0acc4fd77fa374825d2ad1d2a76ef73d2158c22c8a59edfa045694638ce166dada1abb92

Download Submit
\??\c:\users\admin\documents\QQÅ©ÄÁÖúÊÖ\user.dat.cnt
Filesize
41B

MD5
5fd4e9873e17f817341c917d8f86ffed

SHA1
27110c6f74cfeff6063f59ee3fd3e278cfa200d8

SHA256
e2c198500883919f18621995e51d3f49660683c7819298880c6e40ae69ebeb58

SHA512
b09fe864e993e846d1ef1a8f1d64ded13f3c1f7842226c0fef67e6781491ab44e669b6a5d3c17973ec90551e269d4a19132986c6b51c049c5c4fe51703e29b61

Download Submit
\??\c:\users\admin\documents\QQÅ©ÄÁÖúÊÖ\user.dat.tmp
Filesize
37B

MD5
ad601bc9c30dfa75b73ce37c2c030290

SHA1
7483000c79c254c1f59383141d66c51fb9e062c7

SHA256
97318b1bdb03bb5f67344abb4a4d524a3c2b2cda6fb4f84acc887df2db5ab9eb

SHA512
9318f858d97257e22f2a301409df726e8e4080be1d0133935a0d188a0acc4fd77fa374825d2ad1d2a76ef73d2158c22c8a59edfa045694638ce166dada1abb92

Download Submit
\??\c:\users\admin\documents\QQÅ©ÄÁÖúÊÖ\³£¼ûÎÊÌâ½â¾ö°ì·¨.url
Filesize
131B

MD5
274351ff6dfe283f0fc67ae7a8b1d0de

SHA1
3b2642b1ec99845c368fada7dcb5cd733677092f

SHA256
81cc8ebc5f87249ada3c1e2f8c1f61f1c4782974e603f4e21312e63006bc550c

SHA512
62279eea5d7b327b86cf32c648530ae9ab86c4176f7d00e60efd565c780c85bb8ad7dc04444b02351596ccb2d0b1d8508f644f1f73de98201b2b72b13f512b0a

Download Submit
\??\c:\users\admin\documents\QQÅ©ÄÁÖúÊÖ\¹Ù·½ÍøÕ¾.url
Filesize
127B

MD5
e7087bfe4c6dee47a5c0b64dace49392

SHA1
ac9084f171848620c94117e76f13e3c2ce6acccd

SHA256
67165d96fe685002147a4712ac93659faf3e2c122cb22faa68dd3ebe7dfb18f0

SHA512
ee8a7c181b582a7b9c7d58c91c262fd07d49cfbc69beebc4e6ea1bbbcecc2108047b064658c97a1bac150779937253a15f83c314a0a04681d9bca8d4c35eee51

Download Submit
memory/4672-242-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4672-253-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4672-239-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4672-256-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4672-175-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/4672-174-0x0000000006430000-0x0000000006431000-memory.dmp

Filesize
4KB

Download
memory/4672-245-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4672-184-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4672-259-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4672-163-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4672-236-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4672-185-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4672-177-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/4672-237-0x0000000011000000-0x0000000011179000-memory.dmp

Filesize
1.5MB

Download
memory/4672-190-0x0000000011000000-0x0000000011179000-memory.dmp

Filesize
1.5MB

Download
memory/4672-191-0x0000000012000000-0x000000001205F000-memory.dmp

Filesize
380KB

Download
memory/4672-192-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/4888-155-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4888-135-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/4888-153-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/4888-152-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/4888-154-0x0000000006930000-0x0000000006931000-memory.dmp

Filesize
4KB

Download
memory/4888-151-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4888-147-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/4888-156-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4888-178-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4888-148-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/4888-157-0x0000000000400000-0x000000000095F000-memory.dmp

Filesize
5.4MB

Download
memory/4888-149-0x0000000006930000-0x0000000006931000-memory.dmp

Filesize
4KB

Download