71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f

General

Target

71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
Size

791KB
MD5

385a5478ea84a7ad68151cb65e13b47d
SHA1

952d6b3789d055376f38351a2ff3f8aa911e5df4
SHA256

71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f
SHA512

30d753499a11ed943846b4691ec2e941c7ed5b17628b57fcf1ce490e0d22e230796a043dbe1f33af0005f59ca98971dfe7436fb6ac38e5a973d311bb42382647
SSDEEP

12288:YV+mzA28UpWFkjt//zBYVICCPJHUqYTilBSEg36XkTCzGeIBhN+0AEYYRd:Y8UTjt/9CChhPrFYQkmVJmd

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

ebook.exe

pid process

912 ebook.exe

pid	process
912	ebook.exe

Loads dropped DLL 2 IoCs

Processes:

71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe

pid	process
1148	71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
1148	71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

ebook.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main ebook.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	ebook.exe

Modifies registry class 13 IoCs

Processes:

ebook.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ProgID	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\LocalServer32	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\ebook.exe"	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol\ = "Embedded Async Pluggable Protocol"	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol\Clsid	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ebook.EAPProtocol\Clsid\ = "{5902C4EB-8397-4FF6-B5D8-741A51D26543}"	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ProgID\ = "ebook.EAPProtocol"	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG\CLSID	ebook.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5902C4EB-8397-4FF6-B5D8-741A51D26543}\ = "Embedded Async Pluggable Protocol"	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG\CLSID\{e26d50e6-31fe-40f5-835b-8ea21da1e2ed}	ebook.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ImagesPPG.ImagesPPG	ebook.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ebook.exe

pid process

912 ebook.exe
912 ebook.exe

pid	process
912	ebook.exe
912	ebook.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe

description	pid	process	target process
PID 1148 wrote to memory of 912	1148	71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe	ebook.exe
PID 1148 wrote to memory of 912	1148	71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe	ebook.exe
PID 1148 wrote to memory of 912	1148	71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe	ebook.exe
PID 1148 wrote to memory of 912	1148	71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe	ebook.exe

C:\Users\Admin\AppData\Local\Temp\71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe
"C:\Users\Admin\AppData\Local\Temp\71c7fddbc2cd2239d732914940af04310f0b27d28ce3c7286de5bef8b1ce024f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:912

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe
Filesize
693KB

MD5
3c5e3102dee1add4eef7f5c10617b976

SHA1
38989399fc28d88fad3229e37231e9304fd93322

SHA256
71d3b69afb0e347d6384288bb65af5ffa3d4ea16e33423ff738a5fe770b6a404

SHA512
ecf6994036a44df69bdee5670de375c9604267920b881e781234b2520b042c4a66a82b60c40b824b594232e9e6b8719df3510e02cd57ce641d531f2870ca4e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe
Filesize
693KB

MD5
3c5e3102dee1add4eef7f5c10617b976

SHA1
38989399fc28d88fad3229e37231e9304fd93322

SHA256
71d3b69afb0e347d6384288bb65af5ffa3d4ea16e33423ff738a5fe770b6a404

SHA512
ecf6994036a44df69bdee5670de375c9604267920b881e781234b2520b042c4a66a82b60c40b824b594232e9e6b8719df3510e02cd57ce641d531f2870ca4e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe
Filesize
693KB

MD5
3c5e3102dee1add4eef7f5c10617b976

SHA1
38989399fc28d88fad3229e37231e9304fd93322

SHA256
71d3b69afb0e347d6384288bb65af5ffa3d4ea16e33423ff738a5fe770b6a404

SHA512
ecf6994036a44df69bdee5670de375c9604267920b881e781234b2520b042c4a66a82b60c40b824b594232e9e6b8719df3510e02cd57ce641d531f2870ca4e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\s_chinese.ini
Filesize
7KB

MD5
143557d65a22ef084f95fff54e37b831

SHA1
e5082324acb8348c1c7f4d78f90a7cc2a2252dd2

SHA256
e22f912400b3e66c079d3bccf7deabd8be724759b55d903e9b2aa1a85d7b1b7d

SHA512
20d934e6ca5720d6894f208b3371d866136df1c7186ca62a43addc544f98b8ad6efef07d183f93436954dd130cd056391a0a860403c5893aff623647ae04b0ce

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe
Filesize
693KB

MD5
3c5e3102dee1add4eef7f5c10617b976

SHA1
38989399fc28d88fad3229e37231e9304fd93322

SHA256
71d3b69afb0e347d6384288bb65af5ffa3d4ea16e33423ff738a5fe770b6a404

SHA512
ecf6994036a44df69bdee5670de375c9604267920b881e781234b2520b042c4a66a82b60c40b824b594232e9e6b8719df3510e02cd57ce641d531f2870ca4e7a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ebook.exe
Filesize
693KB

MD5
3c5e3102dee1add4eef7f5c10617b976

SHA1
38989399fc28d88fad3229e37231e9304fd93322

SHA256
71d3b69afb0e347d6384288bb65af5ffa3d4ea16e33423ff738a5fe770b6a404

SHA512
ecf6994036a44df69bdee5670de375c9604267920b881e781234b2520b042c4a66a82b60c40b824b594232e9e6b8719df3510e02cd57ce641d531f2870ca4e7a

Download Submit
memory/912-65-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/912-134-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/912-135-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/912-143-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1148-56-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1148-116-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1148-132-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads