1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1

General

Target

1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe
Size

1.4MB
MD5

c37111f4c9f6d3c6d34fc462ae23f556
SHA1

492f0367621ec0e82f75d802c418f8f287be1306
SHA256

1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1
SHA512

68aaec3a78ddb532f7dd22d537b64284e19874e6e2b2fbd66802db88a72e973c8f974e29f1e9ea7db378d37bec3ee22254aa709e83f97f0d4b4c3aed8706571f
SSDEEP

24576:8aBOENN5HpKuJM2WbO72JWNs4cJlztMqAFGGFFADxrz2hXCRTEtIzkM1EZSA4UZG:8gJJM2WC74We4ctMqAFJFaDlz2h+TEth

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pmzzmbhyupplorzoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pmzzmbhyupplorzoj = "C:\\ProgramData\\zegpxnokg\\pmzzmbhyupplorzoj.exe"	pmzzmbhyupplorzoj.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0030000000015c4b-7.dat	aspack_v212_v242
behavioral1/files/0x0030000000015c4b-8.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2660	pmzzmbhyupplorzoj.exe

Loads dropped DLL 3 IoCs

pid	Process
2576	cmd.exe
2660	pmzzmbhyupplorzoj.exe
2660	pmzzmbhyupplorzoj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2660	pmzzmbhyupplorzoj.exe
2660	pmzzmbhyupplorzoj.exe
2660	pmzzmbhyupplorzoj.exe
2660	pmzzmbhyupplorzoj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	pmzzmbhyupplorzoj.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1920	1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe
2660	pmzzmbhyupplorzoj.exe
2660	pmzzmbhyupplorzoj.exe
2660	pmzzmbhyupplorzoj.exe
2660	pmzzmbhyupplorzoj.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2960	1920	1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe	28
PID 1920 wrote to memory of 2960	1920	1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe	28
PID 1920 wrote to memory of 2960	1920	1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe	28
PID 1920 wrote to memory of 2960	1920	1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe	28
PID 1920 wrote to memory of 2576	1920	1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe	30
PID 1920 wrote to memory of 2576	1920	1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe	30
PID 1920 wrote to memory of 2576	1920	1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe	30
PID 1920 wrote to memory of 2576	1920	1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe	30
PID 2576 wrote to memory of 2660	2576	cmd.exe	32
PID 2576 wrote to memory of 2660	2576	cmd.exe	32
PID 2576 wrote to memory of 2660	2576	cmd.exe	32
PID 2576 wrote to memory of 2660	2576	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe
"C:\Users\Admin\AppData\Local\Temp\1a0d22cb06eb4cb2e046090620edd89caf655f19dd3ceb50ac0b7e5b7be4ddd1.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\ProgramData\zegpxnokg
  2⤵
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\ProgramData\zegpxnokg\pmzzmbhyupplorzoj.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\ProgramData\zegpxnokg\pmzzmbhyupplorzoj.exe
    C:\ProgramData\zegpxnokg\pmzzmbhyupplorzoj.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\zegpxnokg\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\ProgramData\zegpxnokg\jli.dll

Filesize
427KB

MD5
6ac64a36c9d84bfa838bb11dc1b780ee

SHA1
75620aeb07429911671d612332adce6ce8992b9d

SHA256
5a013d9775c669851048c996abf8e98d91daada683ae08427d4fc5f94bdecf71

SHA512
e2f8ab6544f1f0c4ec279134f456490c997157f07db8b1239ba1c7fc53fea6cd9da6033e409a7377d8b6a5b2eb38a54a8fd4b9ebedd6d3b29df394bd3113a769

Download Submit
C:\ProgramData\zegpxnokg\pmzzmbhyupplorzoj.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
C:\ProgramData\zegpxnokg\pmzzmbhyupplorzoj.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
C:\ProgramData\zegpxnokg\pmzzmbhyupplorzoj.txt

Filesize
914B

MD5
39ebf9b2d8867f24c034dafb79ab6897

SHA1
355a1d504477435e89d188b9d50e8528c2285835

SHA256
758f1725f918a4f1c49ea27fbf9ac052780c297adb5512f2fbc281643115ef6c

SHA512
150937852151a4b482667560c7d548ba18024e95abd862d612799c41134f7390589b240da3c2f8d539e75be214f990e14d0b6fc13408a53cee33faea408e732e

Download Submit
\ProgramData\zegpxnokg\jli.dll

Filesize
427KB

MD5
6ac64a36c9d84bfa838bb11dc1b780ee

SHA1
75620aeb07429911671d612332adce6ce8992b9d

SHA256
5a013d9775c669851048c996abf8e98d91daada683ae08427d4fc5f94bdecf71

SHA512
e2f8ab6544f1f0c4ec279134f456490c997157f07db8b1239ba1c7fc53fea6cd9da6033e409a7377d8b6a5b2eb38a54a8fd4b9ebedd6d3b29df394bd3113a769

Download Submit
\ProgramData\zegpxnokg\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
\ProgramData\zegpxnokg\pmzzmbhyupplorzoj.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
memory/2660-22-0x0000000000D20000-0x0000000000E07000-memory.dmp

Filesize
924KB

Download
memory/2660-30-0x00000000031E0000-0x00000000032CB000-memory.dmp

Filesize
940KB

Download
memory/2660-14-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2660-15-0x0000000000D20000-0x0000000000E07000-memory.dmp

Filesize
924KB

Download
memory/2660-16-0x0000000000D20000-0x0000000000E07000-memory.dmp

Filesize
924KB

Download
memory/2660-12-0x0000000010000000-0x000000001009B000-memory.dmp

Filesize
620KB

Download
memory/2660-18-0x0000000000D20000-0x0000000000E07000-memory.dmp

Filesize
924KB

Download
memory/2660-19-0x0000000000D20000-0x0000000000E07000-memory.dmp

Filesize
924KB

Download
memory/2660-20-0x0000000000D20000-0x0000000000E07000-memory.dmp

Filesize
924KB

Download
memory/2660-21-0x0000000010000000-0x000000001009B000-memory.dmp

Filesize
620KB

Download
memory/2660-10-0x0000000010000000-0x000000001009B000-memory.dmp

Filesize
620KB

Download
memory/2660-24-0x00000000036D0000-0x00000000038E1000-memory.dmp

Filesize
2.1MB

Download
memory/2660-28-0x0000000002630000-0x0000000002686000-memory.dmp

Filesize
344KB

Download
memory/2660-13-0x0000000010000000-0x000000001009B000-memory.dmp

Filesize
620KB

Download
memory/2660-29-0x00000000031E0000-0x00000000032CB000-memory.dmp

Filesize
940KB

Download
memory/2660-32-0x00000000030C0000-0x0000000003159000-memory.dmp

Filesize
612KB

Download
memory/2660-34-0x0000000003CD0000-0x0000000003E45000-memory.dmp

Filesize
1.5MB

Download
memory/2660-33-0x0000000003CD0000-0x0000000003E45000-memory.dmp

Filesize
1.5MB

Download
memory/2660-36-0x0000000002C10000-0x0000000002C62000-memory.dmp

Filesize
328KB

Download
memory/2660-38-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2660-37-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2660-39-0x00000000036D0000-0x00000000038E1000-memory.dmp

Filesize
2.1MB

Download
memory/2660-40-0x0000000002630000-0x0000000002686000-memory.dmp

Filesize
344KB

Download
memory/2660-41-0x00000000031E0000-0x00000000032CB000-memory.dmp

Filesize
940KB

Download
memory/2660-43-0x00000000030C0000-0x0000000003159000-memory.dmp

Filesize
612KB

Download
memory/2660-44-0x0000000003CD0000-0x0000000003E45000-memory.dmp

Filesize
1.5MB

Download
memory/2660-45-0x0000000002C10000-0x0000000002C62000-memory.dmp

Filesize
328KB

Download
memory/2660-46-0x0000000002C10000-0x0000000002C62000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads