f6a79c53c47dc2656df56dff26d24b3b4403ad082dcaa00d425f4ca4bd579877

Analysis

max time kernel
142s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2023 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6a79c53c47dc2656df56dff26d24b3b4403ad082dcaa00d425f4ca4bd579877.exe
Size

1.9MB
MD5

6c03deee41ba485de5f38e524879ed24
SHA1

bf08f04f062ffd2684242d34c6d5f048b60d3aae
SHA256

f6a79c53c47dc2656df56dff26d24b3b4403ad082dcaa00d425f4ca4bd579877
SHA512

192c99f97b5c41a894e38498f25b53393359c35c94949c9cd5627b784aa502b343e414271ad5686dd81b2eb2cea097ac559c1f3b7e6eb0179cece4af2480aaff
SSDEEP

49152:II9fJYs3uf7Ja+u/jDx6iOD+IVuWRaNeZn5Sj3fL:7is3UJa+u/jl6rD+IVuWpsL

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\bdck\bdck.exe	aspack_v212_v242
C:\bdck\bdck.exe	aspack_v212_v242
C:\bdck\bdck.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f6a79c53c47dc2656df56dff26d24b3b4403ad082dcaa00d425f4ca4bd579877.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation	f6a79c53c47dc2656df56dff26d24b3b4403ad082dcaa00d425f4ca4bd579877.exe

Executes dropped EXE 1 IoCs

Processes:

bdck.exe

pid process

3372 bdck.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3372	bdck.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f6a79c53c47dc2656df56dff26d24b3b4403ad082dcaa00d425f4ca4bd579877.exe

description	pid	process	target process
PID 4540 wrote to memory of 3372	4540	f6a79c53c47dc2656df56dff26d24b3b4403ad082dcaa00d425f4ca4bd579877.exe	bdck.exe
PID 4540 wrote to memory of 3372	4540	f6a79c53c47dc2656df56dff26d24b3b4403ad082dcaa00d425f4ca4bd579877.exe	bdck.exe
PID 4540 wrote to memory of 3372	4540	f6a79c53c47dc2656df56dff26d24b3b4403ad082dcaa00d425f4ca4bd579877.exe	bdck.exe

C:\Users\Admin\AppData\Local\Temp\f6a79c53c47dc2656df56dff26d24b3b4403ad082dcaa00d425f4ca4bd579877.exe
"C:\Users\Admin\AppData\Local\Temp\f6a79c53c47dc2656df56dff26d24b3b4403ad082dcaa00d425f4ca4bd579877.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4540

C:\bdck\bdck.exe
"C:\bdck\bdck.exe"
2⤵
- Executes dropped EXE
PID:3372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\bdck\bdck.exe

Filesize
1.8MB

MD5
4d4d6781c024c289482f0a7586a0a15e

SHA1
a930699d1ad4d8cf67dc07f7590a5eddeed47a17

SHA256
de0e700141803b331c21718fad81342e18eff87ba42d3b4bce9d9191040ac1bf

SHA512
56681c9f2a320fc1e0fa022500714ff9a5c667a05c9612ea34a45beb2d0bda4c11b893604aeecd0aa23716dcfcea2e9cca9b3d9e5cb473c55dec4415284d2283

Download Submit
C:\bdck\bdck.exe

Filesize
1.8MB

MD5
4d4d6781c024c289482f0a7586a0a15e

SHA1
a930699d1ad4d8cf67dc07f7590a5eddeed47a17

SHA256
de0e700141803b331c21718fad81342e18eff87ba42d3b4bce9d9191040ac1bf

SHA512
56681c9f2a320fc1e0fa022500714ff9a5c667a05c9612ea34a45beb2d0bda4c11b893604aeecd0aa23716dcfcea2e9cca9b3d9e5cb473c55dec4415284d2283

Download Submit
C:\bdck\bdck.exe

Filesize
1.8MB

MD5
4d4d6781c024c289482f0a7586a0a15e

SHA1
a930699d1ad4d8cf67dc07f7590a5eddeed47a17

SHA256
de0e700141803b331c21718fad81342e18eff87ba42d3b4bce9d9191040ac1bf

SHA512
56681c9f2a320fc1e0fa022500714ff9a5c667a05c9612ea34a45beb2d0bda4c11b893604aeecd0aa23716dcfcea2e9cca9b3d9e5cb473c55dec4415284d2283

Download Submit
memory/3372-143-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3372-144-0x0000000000400000-0x0000000000A62000-memory.dmp

Filesize
6.4MB

Download
memory/4540-142-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download