ac5444a3e3aa572ed541b69928587f41f1b428405be143ada8151ce843bc0c52

General

Target

noplic.exe
Size

1.4MB
MD5

50b74f796a6eb2c5336d204d6308ff69
SHA1

1f038238f413178dc53fb8e14326fc347e28b6b1
SHA256

ac5444a3e3aa572ed541b69928587f41f1b428405be143ada8151ce843bc0c52
SHA512

c65238906b32f3e206d2caf8eaff523e8635d66b9c886c623ef522483b030e8418691ec657f7334909e97b2dde543728eadf54af883cb2b34443b0cfc7382ee1
SSDEEP

24576:x6tlE0aJHcrbIfmIj8p0GVxXqAFGGFFADxrz2hXCRTEtIzkM1EZSA4UZZxVmHmqT:x0r8mZxXqAFJFaDlz2h+TEtIHtQZ

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	flegoiqihhvpqezkgbcdlmhpqoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\flegoiqihhvpqezkgbcdlmhpqoc = "C:\\ProgramData\\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\\flegoiqihhvpqezkgbcdlmhpqoc.exe"	flegoiqihhvpqezkgbcdlmhpqoc.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000700000002322e-7.dat	aspack_v212_v242
behavioral1/files/0x000700000002322e-6.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
5104	flegoiqihhvpqezkgbcdlmhpqoc.exe

Loads dropped DLL 2 IoCs

pid	Process
5104	flegoiqihhvpqezkgbcdlmhpqoc.exe
5104	flegoiqihhvpqezkgbcdlmhpqoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5104	flegoiqihhvpqezkgbcdlmhpqoc.exe
5104	flegoiqihhvpqezkgbcdlmhpqoc.exe
5104	flegoiqihhvpqezkgbcdlmhpqoc.exe
5104	flegoiqihhvpqezkgbcdlmhpqoc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	flegoiqihhvpqezkgbcdlmhpqoc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
180	noplic.exe
5104	flegoiqihhvpqezkgbcdlmhpqoc.exe
5104	flegoiqihhvpqezkgbcdlmhpqoc.exe
5104	flegoiqihhvpqezkgbcdlmhpqoc.exe
5104	flegoiqihhvpqezkgbcdlmhpqoc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 180 wrote to memory of 2720	180	noplic.exe	85
PID 180 wrote to memory of 2720	180	noplic.exe	85
PID 180 wrote to memory of 2720	180	noplic.exe	85
PID 180 wrote to memory of 4304	180	noplic.exe	87
PID 180 wrote to memory of 4304	180	noplic.exe	87
PID 180 wrote to memory of 4304	180	noplic.exe	87
PID 4304 wrote to memory of 5104	4304	cmd.exe	89
PID 4304 wrote to memory of 5104	4304	cmd.exe	89
PID 4304 wrote to memory of 5104	4304	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\noplic.exe
"C:\Users\Admin\AppData\Local\Temp\noplic.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\flegoiqihhvpqezkgbcdlmhpqoc.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\flegoiqihhvpqezkgbcdlmhpqoc.exe
    C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\flegoiqihhvpqezkgbcdlmhpqoc.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\flegoiqihhvpqezkgbcdlmhpqoc.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\flegoiqihhvpqezkgbcdlmhpqoc.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\flegoiqihhvpqezkgbcdlmhpqoc.txt

Filesize
244B

MD5
ac2dd095e4ba729b5ee2b9658b8a60ea

SHA1
28406ad54ad556a16f3fa842184a14522e81a407

SHA256
bbd67bed871eb6ab54e62cf11cd55763d01f342960cdac8f2722cc3f781eaa9b

SHA512
7e365b02866ffa23650c4a6b895fe68718f559582294927c6c321872116b352adf03ee56c7d0849e8c40237f6302f6c5608c2764bd82d109ee1b966788fbdf0c

Download Submit
C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\flegoiqihhvpqezkgbcdlmhpqoc.txt

Filesize
244B

MD5
ac2dd095e4ba729b5ee2b9658b8a60ea

SHA1
28406ad54ad556a16f3fa842184a14522e81a407

SHA256
bbd67bed871eb6ab54e62cf11cd55763d01f342960cdac8f2722cc3f781eaa9b

SHA512
7e365b02866ffa23650c4a6b895fe68718f559582294927c6c321872116b352adf03ee56c7d0849e8c40237f6302f6c5608c2764bd82d109ee1b966788fbdf0c

Download Submit
C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\jli.dll

Filesize
427KB

MD5
b03b4a054a1606948a9e71c90295007a

SHA1
839d1541efbfc4fb5873457c06f221faf6960114

SHA256
0ec802cd39b1c71890621f31efdf9803715369f9a6e3bd2b063496821ed3424b

SHA512
7fb3acef27a2596a5fb24b22573036e776eb1133a6462e2c16c74aa26e274993263d84d1f93188b015f2c410f40d0c64301f275b9e0a4a7cefd9771d6b1c2991

Download Submit
C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\jli.dll

Filesize
427KB

MD5
b03b4a054a1606948a9e71c90295007a

SHA1
839d1541efbfc4fb5873457c06f221faf6960114

SHA256
0ec802cd39b1c71890621f31efdf9803715369f9a6e3bd2b063496821ed3424b

SHA512
7fb3acef27a2596a5fb24b22573036e776eb1133a6462e2c16c74aa26e274993263d84d1f93188b015f2c410f40d0c64301f275b9e0a4a7cefd9771d6b1c2991

Download Submit
C:\ProgramData\rrrpaxuegiukbyvuyyjnqkrorwzczxubljtruxnlwdulpxy\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
memory/5104-13-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/5104-30-0x0000000004400000-0x0000000004575000-memory.dmp

Filesize
1.5MB

Download
memory/5104-14-0x0000000002950000-0x0000000002A37000-memory.dmp

Filesize
924KB

Download
memory/5104-17-0x0000000002950000-0x0000000002A37000-memory.dmp

Filesize
924KB

Download
memory/5104-9-0x0000000010000000-0x000000001009B000-memory.dmp

Filesize
620KB

Download
memory/5104-18-0x00000000034F0000-0x00000000036F3000-memory.dmp

Filesize
2.0MB

Download
memory/5104-20-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/5104-21-0x0000000003720000-0x0000000003721000-memory.dmp

Filesize
4KB

Download
memory/5104-11-0x0000000010000000-0x000000001009B000-memory.dmp

Filesize
620KB

Download
memory/5104-26-0x00000000040C0000-0x00000000041AA000-memory.dmp

Filesize
936KB

Download
memory/5104-27-0x0000000003800000-0x0000000003855000-memory.dmp

Filesize
340KB

Download
memory/5104-25-0x0000000002950000-0x0000000002A37000-memory.dmp

Filesize
924KB

Download
memory/5104-29-0x0000000003E20000-0x0000000003EB9000-memory.dmp

Filesize
612KB

Download
memory/5104-15-0x0000000002950000-0x0000000002A37000-memory.dmp

Filesize
924KB

Download
memory/5104-31-0x0000000004400000-0x0000000004575000-memory.dmp

Filesize
1.5MB

Download
memory/5104-33-0x0000000004580000-0x00000000045D2000-memory.dmp

Filesize
328KB

Download
memory/5104-34-0x00000000034F0000-0x00000000036F3000-memory.dmp

Filesize
2.0MB

Download
memory/5104-36-0x00000000034F0000-0x00000000036F3000-memory.dmp

Filesize
2.0MB

Download
memory/5104-37-0x0000000010000000-0x000000001009B000-memory.dmp

Filesize
620KB

Download
memory/5104-39-0x0000000004580000-0x00000000045D2000-memory.dmp

Filesize
328KB

Download
memory/5104-12-0x0000000010000000-0x000000001009B000-memory.dmp

Filesize
620KB

Download
memory/5104-42-0x00000000034F0000-0x00000000036F3000-memory.dmp

Filesize
2.0MB

Download
memory/5104-46-0x0000000003800000-0x0000000003855000-memory.dmp

Filesize
340KB

Download
memory/5104-48-0x00000000040C0000-0x00000000041AA000-memory.dmp

Filesize
936KB

Download
memory/5104-49-0x0000000004400000-0x0000000004575000-memory.dmp

Filesize
1.5MB

Download
memory/5104-51-0x0000000003E20000-0x0000000003EB9000-memory.dmp

Filesize
612KB

Download
memory/5104-54-0x0000000004580000-0x00000000045D2000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads