Overview

overview

7

Static

static

1

6c8f19c4db...46.exe

windows7-x64

7

6c8f19c4db...46.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2023 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c8f19c4db622e70dddace4fe95112275e8ebd42b5289938129f7e31a7011946.exe

  • Size

    6.8MB

  • MD5

    8286e5426d7fb79fd9a3e896d1e74351

  • SHA1

    c88d3c7fca6c0f162677e01e367f6321074b9dc8

  • SHA256

    6c8f19c4db622e70dddace4fe95112275e8ebd42b5289938129f7e31a7011946

  • SHA512

    d4143baf1a4a0496ce33aacbe486d3b168c20eeba94471b55fd8c3fbab2aa688983e5338bff49352c21f1f364d036f36f11e772d11bb731a2b98d19baab3cbfb

  • SSDEEP

    196608:bANEZb+3LHEI9GJyN0hs2g+V9VvRJlxwXb+I63TYS:b5abkI9GlRzvTX

Score
7/10
aspackv2

Malware Config

Signatures

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c8f19c4db622e70dddace4fe95112275e8ebd42b5289938129f7e31a7011946.exe
    "C:\Users\Admin\AppData\Local\Temp\6c8f19c4db622e70dddace4fe95112275e8ebd42b5289938129f7e31a7011946.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Windows\SysWOW64\setgshi.exe
      "C:\Windows\system32\setgshi.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\SetGshi.exe
    Filesize

    486KB

    MD5

    efa5b544e085e48a6bb3e3f7025f6e16

    SHA1

    3cb658c0f08c1f22869896f15e787723a6e542d5

    SHA256

    578603fdb12edb4d89394a2a839065b26ff41b763e2ce86b65b85440871a6bc8

    SHA512

    abdd5966721b68be11e7c58a6f668f266227b6325d93009f8c9ba7870ec0471fbb2008980a6155f72812958ed0c41a1cf2f28c0fc730119dd1de6f2be8e54c1c

    Download Submit
  • C:\Windows\SysWOW64\SetGshi.exe
    Filesize

    486KB

    MD5

    efa5b544e085e48a6bb3e3f7025f6e16

    SHA1

    3cb658c0f08c1f22869896f15e787723a6e542d5

    SHA256

    578603fdb12edb4d89394a2a839065b26ff41b763e2ce86b65b85440871a6bc8

    SHA512

    abdd5966721b68be11e7c58a6f668f266227b6325d93009f8c9ba7870ec0471fbb2008980a6155f72812958ed0c41a1cf2f28c0fc730119dd1de6f2be8e54c1c

    Download Submit
  • C:\Windows\SysWOW64\apimsw9w.dll
    Filesize

    1.3MB

    MD5

    ad1e75ce559f189ec7dcd915e831865d

    SHA1

    ae976b1dd13f9b43f533cd9195d35f947f8f200a

    SHA256

    d1ef226f9f603a3e486bd0d428e09178c482b907c647934da597771a7f4c2072

    SHA512

    e6e631ea5d9e4d251bfc3f05acd7430bfdc870eea82a8f382a1a98b49def4f506ba5fe1575ed1a14984a1fcc12b1663b610c2c048d18134db6edc7c62df2d238

    Download Submit
  • C:\Windows\SysWOW64\apimsw9w.dll
    Filesize

    1.3MB

    MD5

    ad1e75ce559f189ec7dcd915e831865d

    SHA1

    ae976b1dd13f9b43f533cd9195d35f947f8f200a

    SHA256

    d1ef226f9f603a3e486bd0d428e09178c482b907c647934da597771a7f4c2072

    SHA512

    e6e631ea5d9e4d251bfc3f05acd7430bfdc870eea82a8f382a1a98b49def4f506ba5fe1575ed1a14984a1fcc12b1663b610c2c048d18134db6edc7c62df2d238

    Download Submit
  • C:\Windows\SysWOW64\setgshi.exe
    Filesize

    486KB

    MD5

    efa5b544e085e48a6bb3e3f7025f6e16

    SHA1

    3cb658c0f08c1f22869896f15e787723a6e542d5

    SHA256

    578603fdb12edb4d89394a2a839065b26ff41b763e2ce86b65b85440871a6bc8

    SHA512

    abdd5966721b68be11e7c58a6f668f266227b6325d93009f8c9ba7870ec0471fbb2008980a6155f72812958ed0c41a1cf2f28c0fc730119dd1de6f2be8e54c1c

    Download Submit
  • memory/3308-169-0x0000000074540000-0x0000000074795000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/3308-170-0x00000000023D0000-0x00000000023D4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/3308-172-0x00000000022C0000-0x00000000022C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3308-171-0x00000000023C0000-0x00000000023C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3308-176-0x0000000074540000-0x0000000074795000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/3308-186-0x0000000074540000-0x0000000074795000-memory.dmp
    Filesize

    2.3MB

    Download