Overview

overview

7

Static

static

1

6c8f19c4db...46.exe

windows7-x64

7

6c8f19c4db...46.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2023 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c8f19c4db622e70dddace4fe95112275e8ebd42b5289938129f7e31a7011946.exe

  • Size

    6.8MB

  • MD5

    8286e5426d7fb79fd9a3e896d1e74351

  • SHA1

    c88d3c7fca6c0f162677e01e367f6321074b9dc8

  • SHA256

    6c8f19c4db622e70dddace4fe95112275e8ebd42b5289938129f7e31a7011946

  • SHA512

    d4143baf1a4a0496ce33aacbe486d3b168c20eeba94471b55fd8c3fbab2aa688983e5338bff49352c21f1f364d036f36f11e772d11bb731a2b98d19baab3cbfb

  • SSDEEP

    196608:bANEZb+3LHEI9GJyN0hs2g+V9VvRJlxwXb+I63TYS:b5abkI9GlRzvTX

Score
7/10
aspackv2bootkitpersistence

Malware Config

Signatures

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c8f19c4db622e70dddace4fe95112275e8ebd42b5289938129f7e31a7011946.exe
    "C:\Users\Admin\AppData\Local\Temp\6c8f19c4db622e70dddace4fe95112275e8ebd42b5289938129f7e31a7011946.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\setgshi.exe
      "C:\Windows\system32\setgshi.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\SetGshi.exe
    Filesize

    486KB

    MD5

    efa5b544e085e48a6bb3e3f7025f6e16

    SHA1

    3cb658c0f08c1f22869896f15e787723a6e542d5

    SHA256

    578603fdb12edb4d89394a2a839065b26ff41b763e2ce86b65b85440871a6bc8

    SHA512

    abdd5966721b68be11e7c58a6f668f266227b6325d93009f8c9ba7870ec0471fbb2008980a6155f72812958ed0c41a1cf2f28c0fc730119dd1de6f2be8e54c1c

    Download Submit
  • C:\Windows\SysWOW64\SetGshi.exe
    Filesize

    486KB

    MD5

    efa5b544e085e48a6bb3e3f7025f6e16

    SHA1

    3cb658c0f08c1f22869896f15e787723a6e542d5

    SHA256

    578603fdb12edb4d89394a2a839065b26ff41b763e2ce86b65b85440871a6bc8

    SHA512

    abdd5966721b68be11e7c58a6f668f266227b6325d93009f8c9ba7870ec0471fbb2008980a6155f72812958ed0c41a1cf2f28c0fc730119dd1de6f2be8e54c1c

    Download Submit
  • C:\Windows\SysWOW64\apimsw9w.dll
    Filesize

    1.3MB

    MD5

    ad1e75ce559f189ec7dcd915e831865d

    SHA1

    ae976b1dd13f9b43f533cd9195d35f947f8f200a

    SHA256

    d1ef226f9f603a3e486bd0d428e09178c482b907c647934da597771a7f4c2072

    SHA512

    e6e631ea5d9e4d251bfc3f05acd7430bfdc870eea82a8f382a1a98b49def4f506ba5fe1575ed1a14984a1fcc12b1663b610c2c048d18134db6edc7c62df2d238

    Download Submit
  • C:\Windows\SysWOW64\setgshi.exe
    Filesize

    486KB

    MD5

    efa5b544e085e48a6bb3e3f7025f6e16

    SHA1

    3cb658c0f08c1f22869896f15e787723a6e542d5

    SHA256

    578603fdb12edb4d89394a2a839065b26ff41b763e2ce86b65b85440871a6bc8

    SHA512

    abdd5966721b68be11e7c58a6f668f266227b6325d93009f8c9ba7870ec0471fbb2008980a6155f72812958ed0c41a1cf2f28c0fc730119dd1de6f2be8e54c1c

    Download Submit
  • \Windows\SysWOW64\SetGshi.exe
    Filesize

    486KB

    MD5

    efa5b544e085e48a6bb3e3f7025f6e16

    SHA1

    3cb658c0f08c1f22869896f15e787723a6e542d5

    SHA256

    578603fdb12edb4d89394a2a839065b26ff41b763e2ce86b65b85440871a6bc8

    SHA512

    abdd5966721b68be11e7c58a6f668f266227b6325d93009f8c9ba7870ec0471fbb2008980a6155f72812958ed0c41a1cf2f28c0fc730119dd1de6f2be8e54c1c

    Download Submit
  • \Windows\SysWOW64\apimsw9w.dll
    Filesize

    1.3MB

    MD5

    ad1e75ce559f189ec7dcd915e831865d

    SHA1

    ae976b1dd13f9b43f533cd9195d35f947f8f200a

    SHA256

    d1ef226f9f603a3e486bd0d428e09178c482b907c647934da597771a7f4c2072

    SHA512

    e6e631ea5d9e4d251bfc3f05acd7430bfdc870eea82a8f382a1a98b49def4f506ba5fe1575ed1a14984a1fcc12b1663b610c2c048d18134db6edc7c62df2d238

    Download Submit
  • memory/1188-86-0x00000000749B0000-0x0000000074C05000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/1188-88-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-89-0x00000000003D0000-0x00000000003D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-87-0x0000000000AD0000-0x0000000000AD4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1188-90-0x00000000003E0000-0x00000000003E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-91-0x00000000749B0000-0x0000000074C05000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/1188-92-0x00000000749B0000-0x0000000074C05000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/1188-96-0x00000000749B0000-0x0000000074C05000-memory.dmp
    Filesize

    2.3MB

    Download