b881cbf09afdfebad4498fc26069d795dedbd2b94615b0525a9471037243539e

Analysis

max time kernel
3s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bc65d04c6c226b94dd69dab82b71963.exe
Size

381KB
MD5

1bc65d04c6c226b94dd69dab82b71963
SHA1

3baab18e077adaec6b2425ea12a40cea69519a5b
SHA256

b881cbf09afdfebad4498fc26069d795dedbd2b94615b0525a9471037243539e
SHA512

ceeabb833fc9a997f8e345daf67a239d8267ba98cc425248e0cc7c39e5219c6587902ac772a1e3bac9ce598c4613d0b0eb94ae97a2d6d712310d660886973d6a
SSDEEP

6144:mRqmpp+amNOGokzLyM9tsLAitQo6tzOKkzIt8gKyfjxfR9D2j4y6yCZ4IGfF:WqmpplpGoGL3etQoMiXM8gxf/Sj4yy4t

Score

7^/10

aspackv2 upx

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023239-39.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
3580	lncom_.exe
768	lncom.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000400000001e716-12.dat	upx
behavioral2/memory/768-17-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/files/0x000400000001e716-15.dat	upx
behavioral2/files/0x000400000001e716-14.dat	upx
behavioral2/memory/4056-26-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-35-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/files/0x0006000000023237-36.dat	upx
behavioral2/memory/768-55-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4056-53-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/files/0x0006000000023237-34.dat	upx
behavioral2/files/0x0006000000023236-30.dat	upx
behavioral2/files/0x0006000000023235-25.dat	upx
behavioral2/files/0x0006000000023235-24.dat	upx
behavioral2/memory/4544-58-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-61-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-64-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-66-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-68-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-70-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-72-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-74-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-76-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-78-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-80-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-82-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-84-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-86-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/4544-88-0x0000000000400000-0x00000000005FC000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lncom.exe	1bc65d04c6c226b94dd69dab82b71963.exe
File created	C:\Windows\SysWOW64\lncom_.exe	1bc65d04c6c226b94dd69dab82b71963.exe

Runs net.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3580	4800	Process not Found	81
PID 4800 wrote to memory of 3580	4800	Process not Found	81
PID 4800 wrote to memory of 3580	4800	Process not Found	81
PID 4800 wrote to memory of 768	4800	Process not Found	82
PID 4800 wrote to memory of 768	4800	Process not Found	82
PID 4800 wrote to memory of 768	4800	Process not Found	82

C:\Users\Admin\AppData\Local\Temp\1bc65d04c6c226b94dd69dab82b71963.exe
"C:\Users\Admin\AppData\Local\Temp\1bc65d04c6c226b94dd69dab82b71963.exe"
1⤵
- Drops file in System32 directory
PID:4800
- C:\Windows\SysWOW64\lncom_.exe
  "C:\Windows\system32\lncom_.exe"
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\SysWOW64\lncom.exe
  "C:\Windows\system32\lncom.exe"
  2⤵
  - Executes dropped EXE
  PID:768
- - C:\Windows\SysWOW64\fservice.exe
    C:\Windows\system32\fservice.exe
    3⤵
    PID:4056
  - - C:\Windows\services.exe
      C:\Windows\services.exe -XP
      4⤵
      PID:4544
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP navapsvc
        5⤵
        
        PID:2388
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        6⤵
        
        PID:2792
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP srservice
        5⤵
        
        PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\lncom.exe.bat
    3⤵
    PID:3196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP srservice
1⤵
PID:3264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fservice.exe

Filesize
122KB

MD5
597762c0c7f4283f8c6844b2d59abfc1

SHA1
77ab95fb35e730c96cfd2f299b2b347535783fcd

SHA256
a127e7c60e1774482d65c8ebaa8a33cfd46e994e328aaceaf997f7d11bcdc7f5

SHA512
926b55483a2ac520fad3e3b51cf5ab10949eed116597729795b6603ed0623589f55428ee97c9ac5d6ec81c6cab03db6c56c86432827f8e635e506311f1bfcc75

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
136KB

MD5
2c4344978c3a0d85503975a38c49f8b6

SHA1
7f93cc0c5f0b82ebc966eb9f09c96dbc1e6a8522

SHA256
fdf0fb26fdfc1538760451c92793b3183cdd95cae930245c57142745bc0fba5f

SHA512
0bd47b05ada2e80706cc84d62345356e23c7a17f6922d446bff33f165007455b6b434424bba28acfb85aaa8206f8b28bd6b5bb887e3839708883648d1f0462f3

Download Submit
C:\Windows\SysWOW64\lncom.exe

Filesize
30KB

MD5
f4baea575b03d9e0783dd5e2d874a2b6

SHA1
b09fe45cd503d58354d88c1db64924a5dc76f61f

SHA256
42607d705a219ab17aee25e77c96662fe2d518a4b368d355e97978ffba6423e2

SHA512
4c7561fdf6eb7989667273f18bd95c146962bca9c608d6b7ba711c19767bec41379ede30618f63930e7149b7643b681cf41c5b5270596cf15a6732a95918c2c6

Download Submit
C:\Windows\SysWOW64\lncom.exe

Filesize
29KB

MD5
eec3ebfe28ba55f73356bac7c69de9ac

SHA1
fa641341005e4f787ec1727e26f361b23634ae85

SHA256
8a3f70a3bc0204436f0ca42afb88317571fc309233bb1a9c93d761b8855847d8

SHA512
257bc71664915ba9d9123e8dbd5f94597bc8be268680fdc22f7a6ea844f8715ee98031b18a408974a750485fa220d8f9ef347e30a7f680d3f77a81e13b88f21c

Download Submit
C:\Windows\SysWOW64\lncom.exe

Filesize
40KB

MD5
1ae206763a8c4e04d892d8247edd8448

SHA1
04ce37337090c08b0a662e3a150dab921d08e615

SHA256
f4ef65ca18259ba1ae076b235e6ead13ce7f130a454604f063930c20a6bb6438

SHA512
2031f36e7a4c3bb7c83a5ff102ac6c26ee2e5ffe889a9aa91d2de7ff7c7d5c5091f3a3c9e0d39d073634b36da664f2cb322ac872bd4aabfed3b2608609a51f19

Download Submit
C:\Windows\SysWOW64\lncom.exe.bat

Filesize
99B

MD5
1f73e450d92934cd37c041eb3f1ff51f

SHA1
f3e9dece5d6b7d7a0e4966c16ffe31437539d4a0

SHA256
3a57d154715459926a51a9e3925687c0c78ec9c88bc39c303b5b93385d34d67e

SHA512
5f982d614e54870ae3ad212f049ca3685602812c1bb066a5f6155e694adb994d6d1608ca7a25bcab605812c6e7e6b22817aaf0dba9e906787add9b0a8e3f32a5

Download Submit
C:\Windows\SysWOW64\lncom_.exe

Filesize
35KB

MD5
1bbe77facc3af81c6726894555effac5

SHA1
bcf5cd69ef7b1f2da1fcb7d148e0d38558ed6e04

SHA256
c3971a22e1247b009c4227ec87799b54171134c75401d24764433fc7cbb23e36

SHA512
1ffc5b228cb24e6bc15006e023ad3e758f085bd3ef2f91d8b1c615dd889c226bd03b06055dcbbe0d40b2fefdcfe2071e29b767454b54647e1afd0946d92a0164

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
1KB

MD5
7d22e72fdb2e7b3aa6da3114145ea840

SHA1
c713c0c79fbe65349f359dd6b96d859d6269a4e9

SHA256
c636a1a1ec7d708cbae1b10d1c6350c6bdf3f97851b8cce40e758db128486929

SHA512
8cd4f3e23280dcd34ee5f1b0e5e90a25d42a219de87456678eea65d750800df00804375fee76b92d97533c14fa850631ec78ef5c90f5c080474f8c48bbd2b674

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
C:\Windows\SysWOW64\winkey.dll

Filesize
13KB

MD5
b4c72da9fd1a0dcb0698b7da97daa0cd

SHA1
b25a79e8ea4c723c58caab83aed6ea48de7ed759

SHA256
45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

SHA512
f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

Download Submit
C:\Windows\services.exe

Filesize
168KB

MD5
60d2ed67e2e4e363c06af6d5379b3bd4

SHA1
ffbe4e49dfe3170bf7245c20866bdba3f118f1d9

SHA256
222f6f5387ee4f861f4d3d3fbb9d19e95dc8158753f4a05cf490af0ec27c6cd7

SHA512
f3e893838f43b5cf7887d8b2eef309582d86097ad605fafd63c60d959c53c31a63fcfde4e6816e62704973a6ae07dc8113e03297a9681933ad48e2b480aa0885

Download Submit
C:\Windows\services.exe

Filesize
1KB

MD5
cdc698871f534be75a7a042a09238941

SHA1
f20fba01242f1458eb351f2cdc479348b2ccf8f7

SHA256
7179cb4034dc1100bd008ee86af7b8670ffa9c739ab0377bc406b4ac61fed569

SHA512
8aa64985e7a0815b59c0f03875176289de4136572681ec4e0631d9663f48964ac4958adfe9af11e6b3ef00762031d708229609136445caff61e73d9bc47f0f11

Download Submit
C:\Windows\system\sservice.exe

Filesize
157KB

MD5
efeacc57ac87db10150589107287d44c

SHA1
b6fa9f435eb7a9bd5366754ecb5c5b848f7702cc

SHA256
b77025009fae1a36b3f365b43151eaeda838cdfc58bfadc0d95b9d17a52ff0de

SHA512
db622b8689422985aa456bc5eecc750d4072b22c52d17b114efe1c66f6b989761593487208780d2cc6cb2987c0879d7d2dd6856fa4384557cd37c2fa6efa80f7

Download Submit
memory/768-55-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/768-18-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/768-17-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3580-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3580-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3580-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4056-27-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4056-53-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4056-26-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-66-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-68-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-58-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-42-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/4544-62-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4544-61-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-88-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-64-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-37-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4544-35-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-70-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-72-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-74-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-76-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-78-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-80-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-82-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-84-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-86-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/4800-16-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download