8df00b857596482b62820994557a0f71ab2607fa8d638728786b02a21ccd7915

General

Target

021c8d0fad8165948aa7cbfdc9dca304.exe
Size

2.2MB
MD5

021c8d0fad8165948aa7cbfdc9dca304
SHA1

d0791840f765cc95ce71bb063cbf75659aad7437
SHA256

8df00b857596482b62820994557a0f71ab2607fa8d638728786b02a21ccd7915
SHA512

da0fc73aec8e1aa2248b84539c840985930d20bc5dc9a7bba557ea8888c39de4552be8a1404be9e78577f3c66cc922b9ede29ceffa7d9ed1c5c3cb0c4234a9fe
SSDEEP

24576:F4YKL33onzQqK2vL+Jj/sRJF9PV6GrGkg0Rr5VkMrsTYhsCMAYQWfx5VNRem9Keo:F6HozTKvJsnFVMkgGdu4ndBWNzEeBpg

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Program Files\IPADTV6.EXE	aspack_v212_v242
C:\Program Files\IPADTV6.EXE	aspack_v212_v242
C:\Program Files\IPADTV6.EXE	aspack_v212_v242
\Program Files\IPADTV6.EXE	aspack_v212_v242
C:\Program Files\IPADTV6.EXE	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

IPADTV6.EXE

pid process

2340 IPADTV6.EXE
Loads dropped DLL 2 IoCs

Processes:

021c8d0fad8165948aa7cbfdc9dca304.exe

pid process

2368 021c8d0fad8165948aa7cbfdc9dca304.exe
2368 021c8d0fad8165948aa7cbfdc9dca304.exe
Drops file in Program Files directory 1 IoCs

Processes:

021c8d0fad8165948aa7cbfdc9dca304.exe

description ioc process

File created C:\Program Files\IPADTV6.EXE 021c8d0fad8165948aa7cbfdc9dca304.exe

pid	process
2340	IPADTV6.EXE

pid	process
2368	021c8d0fad8165948aa7cbfdc9dca304.exe
2368	021c8d0fad8165948aa7cbfdc9dca304.exe

description	ioc	process
File created	C:\Program Files\IPADTV6.EXE	021c8d0fad8165948aa7cbfdc9dca304.exe

Drops file in Windows directory 4 IoCs

Processes:

021c8d0fad8165948aa7cbfdc9dca304.exe

description	ioc	process
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	021c8d0fad8165948aa7cbfdc9dca304.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	021c8d0fad8165948aa7cbfdc9dca304.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	021c8d0fad8165948aa7cbfdc9dca304.exe
File created	C:\WINDOWS\Media\ActiveX.ocx	021c8d0fad8165948aa7cbfdc9dca304.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

IPADTV6.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IPADTV6.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IPADTV6.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IPADTV6.EXE

NTFS ADS 3 IoCs

Processes:

021c8d0fad8165948aa7cbfdc9dca304.exe

description	ioc	process
File created	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	021c8d0fad8165948aa7cbfdc9dca304.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.mdb	021c8d0fad8165948aa7cbfdc9dca304.exe
File opened for modification	C:\WINDOWS\Media\Desktop.ini:dbase.ldb	021c8d0fad8165948aa7cbfdc9dca304.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

021c8d0fad8165948aa7cbfdc9dca304.exe

pid process

2368 021c8d0fad8165948aa7cbfdc9dca304.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

IPADTV6.EXE

pid process

2340 IPADTV6.EXE
2340 IPADTV6.EXE

pid	process
2368	021c8d0fad8165948aa7cbfdc9dca304.exe

pid	process
2340	IPADTV6.EXE
2340	IPADTV6.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

021c8d0fad8165948aa7cbfdc9dca304.exe

description	pid	process	target process
PID 2368 wrote to memory of 2340	2368	021c8d0fad8165948aa7cbfdc9dca304.exe	IPADTV6.EXE
PID 2368 wrote to memory of 2340	2368	021c8d0fad8165948aa7cbfdc9dca304.exe	IPADTV6.EXE
PID 2368 wrote to memory of 2340	2368	021c8d0fad8165948aa7cbfdc9dca304.exe	IPADTV6.EXE
PID 2368 wrote to memory of 2340	2368	021c8d0fad8165948aa7cbfdc9dca304.exe	IPADTV6.EXE
PID 2368 wrote to memory of 2384	2368	021c8d0fad8165948aa7cbfdc9dca304.exe	regsvr32.exe
PID 2368 wrote to memory of 2384	2368	021c8d0fad8165948aa7cbfdc9dca304.exe	regsvr32.exe
PID 2368 wrote to memory of 2384	2368	021c8d0fad8165948aa7cbfdc9dca304.exe	regsvr32.exe
PID 2368 wrote to memory of 2384	2368	021c8d0fad8165948aa7cbfdc9dca304.exe	regsvr32.exe
PID 2368 wrote to memory of 2384	2368	021c8d0fad8165948aa7cbfdc9dca304.exe	regsvr32.exe
PID 2368 wrote to memory of 2384	2368	021c8d0fad8165948aa7cbfdc9dca304.exe	regsvr32.exe
PID 2368 wrote to memory of 2384	2368	021c8d0fad8165948aa7cbfdc9dca304.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\021c8d0fad8165948aa7cbfdc9dca304.exe
"C:\Users\Admin\AppData\Local\Temp\021c8d0fad8165948aa7cbfdc9dca304.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files\IPADTV6.EXE
  "C:\Program Files\IPADTV6.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2340
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s
  2⤵
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\IPADTV6.EXE

Filesize
304KB

MD5
b98bcc1c46673b77e7a4d214a7c2be51

SHA1
31382ca4ddd3f0eb9ffb542e834cebad1ae73e11

SHA256
9399dc52df64ea9d51585bd24f386c202a6b7fcfeececa5a6bc8e43e6ba93841

SHA512
a17fb97a411703a564dcbcec72d557b27ee31dc77f07098c976a3e36bb6138ea494785f1dd9c1daf1b1f7196c46e44d7c241b0068a7760472e082b974ebe6638

Download Submit
C:\Program Files\IPADTV6.EXE

Filesize
304KB

MD5
b98bcc1c46673b77e7a4d214a7c2be51

SHA1
31382ca4ddd3f0eb9ffb542e834cebad1ae73e11

SHA256
9399dc52df64ea9d51585bd24f386c202a6b7fcfeececa5a6bc8e43e6ba93841

SHA512
a17fb97a411703a564dcbcec72d557b27ee31dc77f07098c976a3e36bb6138ea494785f1dd9c1daf1b1f7196c46e44d7c241b0068a7760472e082b974ebe6638

Download Submit
C:\Program Files\IPADTV6.EXE

Filesize
304KB

MD5
b98bcc1c46673b77e7a4d214a7c2be51

SHA1
31382ca4ddd3f0eb9ffb542e834cebad1ae73e11

SHA256
9399dc52df64ea9d51585bd24f386c202a6b7fcfeececa5a6bc8e43e6ba93841

SHA512
a17fb97a411703a564dcbcec72d557b27ee31dc77f07098c976a3e36bb6138ea494785f1dd9c1daf1b1f7196c46e44d7c241b0068a7760472e082b974ebe6638

Download Submit
C:\WINDOWS\Media\ActiveX.ocx

Filesize
12B

MD5
ba334c8d3752fe26da4d9e80f8e225f1

SHA1
e2f55ba26bb0f575c5c83f3e9e423710a2deeeab

SHA256
02be703845947ac171eb15c45eec1d4efe52a02509e166b3e5fa000a643b4cff

SHA512
e1139d363244ad5c1a8ad6fae8e402aaf4c0f47f82ade2d0ba7f9b0de64efed6fea37376fa38320a78ff7e796752038870fe451047a0ef9e42a18a4d271a1f2a

Download Submit
\Program Files\IPADTV6.EXE

Filesize
304KB

MD5
b98bcc1c46673b77e7a4d214a7c2be51

SHA1
31382ca4ddd3f0eb9ffb542e834cebad1ae73e11

SHA256
9399dc52df64ea9d51585bd24f386c202a6b7fcfeececa5a6bc8e43e6ba93841

SHA512
a17fb97a411703a564dcbcec72d557b27ee31dc77f07098c976a3e36bb6138ea494785f1dd9c1daf1b1f7196c46e44d7c241b0068a7760472e082b974ebe6638

Download Submit
\Program Files\IPADTV6.EXE

Filesize
304KB

MD5
b98bcc1c46673b77e7a4d214a7c2be51

SHA1
31382ca4ddd3f0eb9ffb542e834cebad1ae73e11

SHA256
9399dc52df64ea9d51585bd24f386c202a6b7fcfeececa5a6bc8e43e6ba93841

SHA512
a17fb97a411703a564dcbcec72d557b27ee31dc77f07098c976a3e36bb6138ea494785f1dd9c1daf1b1f7196c46e44d7c241b0068a7760472e082b974ebe6638

Download Submit
memory/2340-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2340-104-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2340-105-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads