94421be3f113142c7f2703720069fbe8cbf24bca5d415255ec732a7963ec37b0

Analysis

max time kernel
135s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17820a3f5b449a18367048096f35e07e.exe
Size

187KB
MD5

17820a3f5b449a18367048096f35e07e
SHA1

ac1b5befc490f4ebaa0276e17f18918d002892a3
SHA256

94421be3f113142c7f2703720069fbe8cbf24bca5d415255ec732a7963ec37b0
SHA512

578a2e3048d2cbc8fd4d1b1f0e8542418ef6ba920380690a4311ca9978c662d2897a41d2c36ac6669d9b26520e15eac17f3517f7cdfa781954074afb32b7cd3c
SSDEEP

3072:GYpYkfmmuJDJMCrUEk0WLLBjMw26RVTk3V2r65W2/YRPHAp7nvSozjFur:G4YSjuoCrfs2EW3Mr61aHAhnvDR

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}	svcr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}\StubPath = "C:\\windows\\svcr.exe"	svcr.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000d00000001233d-10.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2780	svcr.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	svcr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe"	17820a3f5b449a18367048096f35e07e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe"	17820a3f5b449a18367048096f35e07e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svcr.exe	17820a3f5b449a18367048096f35e07e.exe
File created	C:\Windows\svcr.exe	17820a3f5b449a18367048096f35e07e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4ECF31D1-A2E8-11EE-B908-CA8D9A91D956} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409644783"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	17820a3f5b449a18367048096f35e07e.exe
2780	svcr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	svcr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2232	2416	17820a3f5b449a18367048096f35e07e.exe	22
PID 2416 wrote to memory of 2232	2416	17820a3f5b449a18367048096f35e07e.exe	22
PID 2416 wrote to memory of 2232	2416	17820a3f5b449a18367048096f35e07e.exe	22
PID 2416 wrote to memory of 2232	2416	17820a3f5b449a18367048096f35e07e.exe	22
PID 2232 wrote to memory of 2184	2232	IEXPLORE.EXE	16
PID 2232 wrote to memory of 2184	2232	IEXPLORE.EXE	16
PID 2232 wrote to memory of 2184	2232	IEXPLORE.EXE	16
PID 2232 wrote to memory of 2184	2232	IEXPLORE.EXE	16
PID 2184 wrote to memory of 2816	2184	IEXPLORE.EXE	21
PID 2184 wrote to memory of 2816	2184	IEXPLORE.EXE	21
PID 2184 wrote to memory of 2816	2184	IEXPLORE.EXE	21
PID 2184 wrote to memory of 2816	2184	IEXPLORE.EXE	21
PID 2416 wrote to memory of 2780	2416	17820a3f5b449a18367048096f35e07e.exe	20
PID 2416 wrote to memory of 2780	2416	17820a3f5b449a18367048096f35e07e.exe	20
PID 2416 wrote to memory of 2780	2416	17820a3f5b449a18367048096f35e07e.exe	20
PID 2416 wrote to memory of 2780	2416	17820a3f5b449a18367048096f35e07e.exe	20
PID 2780 wrote to memory of 2848	2780	svcr.exe	19
PID 2780 wrote to memory of 2848	2780	svcr.exe	19
PID 2780 wrote to memory of 2848	2780	svcr.exe	19
PID 2780 wrote to memory of 2848	2780	svcr.exe	19
PID 2848 wrote to memory of 2812	2848	IEXPLORE.EXE	17
PID 2848 wrote to memory of 2812	2848	IEXPLORE.EXE	17
PID 2848 wrote to memory of 2812	2848	IEXPLORE.EXE	17
PID 2848 wrote to memory of 2812	2848	IEXPLORE.EXE	17
PID 2184 wrote to memory of 2916	2184	IEXPLORE.EXE	18
PID 2184 wrote to memory of 2916	2184	IEXPLORE.EXE	18
PID 2184 wrote to memory of 2916	2184	IEXPLORE.EXE	18
PID 2184 wrote to memory of 2916	2184	IEXPLORE.EXE	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18
PID 2780 wrote to memory of 2916	2780	svcr.exe	18

C:\Users\Admin\AppData\Local\Temp\17820a3f5b449a18367048096f35e07e.exe
"C:\Users\Admin\AppData\Local\Temp\17820a3f5b449a18367048096f35e07e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\svcr.exe
  "C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\17820a3f5b449a18367048096f35e07e.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:5518339 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2816

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:2812

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
1⤵
- Suspicious use of WriteProcessMemory
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bb43ac456db100176a9ef431ca7920d

SHA1
18ecf013ad3dd454f7f7dd948523c00ab582f5a1

SHA256
c88ffc1ed31557177f81b18012cbb712512d19b00a8b4c8adb2333a8f008e7f9

SHA512
a1dfd9ca95210a182cfa0f5d5bc0a0c0a228da6c27ad09f8424e9546ff2af4f48b6c60f90f13b7bc1cd9152b83941c2aa429a7ce598824a382a24ee95c2692b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ada6b4a360bdc9265e19949654d8b070

SHA1
3efa912e8efc58f2d8964cc83ebb0e6e2a0239c5

SHA256
f4bdbf3e320be2e86ff06e3e1681133d2169540d4f605b2ef9cd851632858309

SHA512
69ddaf05ea93ecac40ab45bc7e859d968fc5290bcde1e35e361a84deec66e8d4414a9e409329a35998ff6bf23245c5f8a79e12be4045bba61cad6814453150ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6224be12573907561489a11f4689b56

SHA1
3fb606027e742a1de7976ca320b188e63f30f301

SHA256
2caeb5b9ba757d2be8ff97009df0f2dd0ff01323104450b9e5c497fb9b5b511e

SHA512
a9cc17c6d685d956650f80e966a28cf290a1d78b8f3912f090bb97c839b6a7ae7a05704a56a4309381c30696e2c5e24c583d964c8285893415bf33d9e90bcb3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dbcb0bd2b0b7adf51b114e5f3f849167

SHA1
3c6a150f8c4e43b6a9c015fdc5dd541e30828a8b

SHA256
e3689e106275908f3838898d0032a2df5ea9d669b8b4c4906a30d45b176e67b1

SHA512
dc894a199b5ae557ee491ad5e678765e9fcb8c63d140da124021da4924c43e20aa8c259e0daa8315d8c9ca3fc6e42ec86455dc1cc240cab85daaf6fe9db89b23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d18cec9a71b9af56ca8b18d1cbdb879

SHA1
6d8dddd78e1e1722832d94dd4044616f2fb1ce03

SHA256
8da4f651fdc3dcf672ea00c662cb2887a02daf7be6d2dc18f7145aa1a8287656

SHA512
333a26b10ad83f51c4db55ebed65f189b7a176912ff512801d04b2191f1d7ac1728fa4359841f1fe6ea5538a685cd56f8bec380fda23065ac47d9a70a01f9434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b91a37c53cc68238faa7d04ca442fc7

SHA1
4eccac3a1e0707fc5c9043095c33533ce03cfbee

SHA256
56ad3c9bfd4dded4fc559444078ba7f5511456b528f5a73815a359ac9546ac56

SHA512
586c5a455b31eee24d86e30bc3864257c03f0a833630c3e42fa7e09b361ce5c47366f0c8a0ecdf08f089b7e2bf6f62c41d58765d4474792a156a4a5fb6a119c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b098bfb2bae0a5a35ce5d22edbe56070

SHA1
b931de4f39c19e17dd073910fe19d90396464757

SHA256
e0401a4a2ac7f809727a9ee124a11270a2b4750d2c01c99ed38d660a81a0f020

SHA512
97be48e5bc29d8b315e341fb128d37bd221af682d7d9f0d811b2281cd9043ab55b0c7636c617bb84298dbfd908d393212261dffa813f8761ee4f194a997450b9

Download Submit
C:\Windows\svcr.exe

Filesize
187KB

MD5
17820a3f5b449a18367048096f35e07e

SHA1
ac1b5befc490f4ebaa0276e17f18918d002892a3

SHA256
94421be3f113142c7f2703720069fbe8cbf24bca5d415255ec732a7963ec37b0

SHA512
578a2e3048d2cbc8fd4d1b1f0e8542418ef6ba920380690a4311ca9978c662d2897a41d2c36ac6669d9b26520e15eac17f3517f7cdfa781954074afb32b7cd3c

Download Submit
memory/2416-0-0x0000000000400000-0x00000000007BE000-memory.dmp

Filesize
3.7MB

Download
memory/2416-1-0x0000000002250000-0x0000000002360000-memory.dmp

Filesize
1.1MB

Download
memory/2416-12-0x0000000000400000-0x00000000007BE000-memory.dmp

Filesize
3.7MB

Download
memory/2416-13-0x0000000003870000-0x0000000003C2E000-memory.dmp

Filesize
3.7MB

Download
memory/2416-11-0x0000000002250000-0x0000000002360000-memory.dmp

Filesize
1.1MB

Download
memory/2780-24-0x0000000000400000-0x00000000007BE000-memory.dmp

Filesize
3.7MB

Download
memory/2780-16-0x0000000010410000-0x000000001042E000-memory.dmp

Filesize
120KB

Download
memory/2780-14-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download