d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b

General

Target

d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe
Size

465KB
MD5

24344b0c7097f091affcc289e8029828
SHA1

2ee973416945a6b16387943f019260b26d96b2d7
SHA256

d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b
SHA512

e77b7c57616917c6e948f9521efc95235d4a1a9e985bda5387ee08ec37db7dad35102df98b0e9eab0c401cab7fe304f7a52cce0c790a32fdc252b38c945994c1
SSDEEP

12288:olJ+TFukCI+P9CcrmwEuBwUqA5qFbAGTALHaspq:00U9CcrmwEPA5qFxT7Cq

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000012321-87.dat	aspack_v212_v242
behavioral1/files/0x0009000000012321-90.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
1432	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1724	papuk.exe
1660	jofoj.exe

Loads dropped DLL 2 IoCs

pid	Process
920	d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe
1724	papuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe
1660	jofoj.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1724	920	d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe	27
PID 920 wrote to memory of 1724	920	d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe	27
PID 920 wrote to memory of 1724	920	d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe	27
PID 920 wrote to memory of 1724	920	d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe	27
PID 920 wrote to memory of 1432	920	d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe	28
PID 920 wrote to memory of 1432	920	d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe	28
PID 920 wrote to memory of 1432	920	d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe	28
PID 920 wrote to memory of 1432	920	d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe	28
PID 1724 wrote to memory of 1660	1724	papuk.exe	30
PID 1724 wrote to memory of 1660	1724	papuk.exe	30
PID 1724 wrote to memory of 1660	1724	papuk.exe	30
PID 1724 wrote to memory of 1660	1724	papuk.exe	30

C:\Users\Admin\AppData\Local\Temp\d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe
"C:\Users\Admin\AppData\Local\Temp\d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\papuk.exe
  "C:\Users\Admin\AppData\Local\Temp\papuk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\jofoj.exe
    "C:\Users\Admin\AppData\Local\Temp\jofoj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
813cf771e373a1f421c2f048b52964a5

SHA1
f674189e8a820b149fc3498addc3c5d6b3968430

SHA256
1cd4a5e61b4c70b8f7da3e0d316bc97bd6d6ecb1878782c4191e70257f5f28f8

SHA512
9e95b22c9088e65f3fed8b12a4720efa4fe53ae66ff41bc9cb380b21a70cef452544af23a41c89780eb37c8c8e4712789fe1d01b6609e55c46c3a3411e65e120

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
813cf771e373a1f421c2f048b52964a5

SHA1
f674189e8a820b149fc3498addc3c5d6b3968430

SHA256
1cd4a5e61b4c70b8f7da3e0d316bc97bd6d6ecb1878782c4191e70257f5f28f8

SHA512
9e95b22c9088e65f3fed8b12a4720efa4fe53ae66ff41bc9cb380b21a70cef452544af23a41c89780eb37c8c8e4712789fe1d01b6609e55c46c3a3411e65e120

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1b260682abeeab7012d57f7439ce738c

SHA1
dc72398c9fccb51c1aa91285462158a4f35628c7

SHA256
1c7ee109a5369df28a9b3b15bc81ae8dda06d0db9488092c5d8045866633586e

SHA512
3d919a2259a5367ec4acc340184666d768f8c18d22582fbddf17a8cc97efdfbd0cc6db800cf92e95e67703fd9afcc6de0a53fd3e99c29b462a7009207871b38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jofoj.exe

Filesize
242KB

MD5
28b71ea31fa78b07c8c24cd177188c0e

SHA1
4de6d7b538b3cdc798ba00dce9798cb2a33cc514

SHA256
88734892ca6dbfb8d1253ae11b867485159cbc1a2d4da966d3acef381ccbe69f

SHA512
9ef9caf3f05520cd7fcd00332f41796e064c8df3a30b898e40104270a675ec219649715718508a89e6dfaa785edd40ab7633e7f5748840e38a3ca95e1d30c7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\papuk.exe

Filesize
465KB

MD5
34a6add63d5ad73f172e56ebf14ce972

SHA1
81c0f0a762765322e2f8f146582be4e43ed61429

SHA256
aca9c90aa21d3c5443b903802957df29ffa1f851f241df8916b7b8e5954d1d28

SHA512
777cbb8dd0ecd0ee9f5480cae9b34aeb049a8d2e72db4b9c808c94cf2cba93596d28862f07578fc3eae76d607e9bceb82b44682084125b0d7f2abd7ec061e19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\papuk.exe

Filesize
465KB

MD5
34a6add63d5ad73f172e56ebf14ce972

SHA1
81c0f0a762765322e2f8f146582be4e43ed61429

SHA256
aca9c90aa21d3c5443b903802957df29ffa1f851f241df8916b7b8e5954d1d28

SHA512
777cbb8dd0ecd0ee9f5480cae9b34aeb049a8d2e72db4b9c808c94cf2cba93596d28862f07578fc3eae76d607e9bceb82b44682084125b0d7f2abd7ec061e19b

Download Submit
\Users\Admin\AppData\Local\Temp\jofoj.exe

Filesize
242KB

MD5
28b71ea31fa78b07c8c24cd177188c0e

SHA1
4de6d7b538b3cdc798ba00dce9798cb2a33cc514

SHA256
88734892ca6dbfb8d1253ae11b867485159cbc1a2d4da966d3acef381ccbe69f

SHA512
9ef9caf3f05520cd7fcd00332f41796e064c8df3a30b898e40104270a675ec219649715718508a89e6dfaa785edd40ab7633e7f5748840e38a3ca95e1d30c7ec

Download Submit
\Users\Admin\AppData\Local\Temp\papuk.exe

Filesize
465KB

MD5
34a6add63d5ad73f172e56ebf14ce972

SHA1
81c0f0a762765322e2f8f146582be4e43ed61429

SHA256
aca9c90aa21d3c5443b903802957df29ffa1f851f241df8916b7b8e5954d1d28

SHA512
777cbb8dd0ecd0ee9f5480cae9b34aeb049a8d2e72db4b9c808c94cf2cba93596d28862f07578fc3eae76d607e9bceb82b44682084125b0d7f2abd7ec061e19b

Download Submit
memory/920-55-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/920-54-0x0000000000AD0000-0x0000000000B52000-memory.dmp

Filesize
520KB

Download
memory/920-71-0x0000000000AD0000-0x0000000000B52000-memory.dmp

Filesize
520KB

Download
memory/1660-94-0x00000000011A0000-0x000000000124D000-memory.dmp

Filesize
692KB

Download
memory/1660-92-0x00000000011A0000-0x000000000124D000-memory.dmp

Filesize
692KB

Download
memory/1660-93-0x00000000011A0000-0x000000000124D000-memory.dmp

Filesize
692KB

Download
memory/1660-95-0x00000000011A0000-0x000000000124D000-memory.dmp

Filesize
692KB

Download
memory/1660-96-0x00000000011A0000-0x000000000124D000-memory.dmp

Filesize
692KB

Download
memory/1660-98-0x00000000011A0000-0x000000000124D000-memory.dmp

Filesize
692KB

Download
memory/1660-99-0x00000000011A0000-0x000000000124D000-memory.dmp

Filesize
692KB

Download
memory/1660-100-0x00000000011A0000-0x000000000124D000-memory.dmp

Filesize
692KB

Download
memory/1660-101-0x00000000011A0000-0x000000000124D000-memory.dmp

Filesize
692KB

Download
memory/1724-73-0x0000000001150000-0x00000000011D2000-memory.dmp

Filesize
520KB

Download
memory/1724-91-0x0000000001150000-0x00000000011D2000-memory.dmp

Filesize
520KB

Download
memory/1724-74-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1724-76-0x0000000001150000-0x00000000011D2000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing