39c1bd10011cf515ed3247f7825db50d8e7747e546e5a4a5481d9932e97aa159

General

Target

2dd6651454309d8d292ca2bada052de8.exe
Size

682KB
MD5

2dd6651454309d8d292ca2bada052de8
SHA1

7e63a2b59ef1895a20239b2c323e46caf6a58030
SHA256

39c1bd10011cf515ed3247f7825db50d8e7747e546e5a4a5481d9932e97aa159
SHA512

452e2f185bc63685c83591c2b3dfe6e2f6715f5622a605e7fb2d8344cbcc5f3f746f3adf5076e02fd408f0f427aa8784b4a2103f7329c3ac705cb18ce34a3427
SSDEEP

12288:b1dlZo5y8IBZGSI4RrFVwYnvycm5cg+gLTSnDl7fKX2ykyZbLMAHfDE:b1dlZo53Ki47Vtm5c8QFfKmssAbE

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023224-50.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	2dd6651454309d8d292ca2bada052de8.exe

Executes dropped EXE 2 IoCs

pid	Process
4808	sandrose.exe
4440	MLC21.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\sandrose.exe-up.txt	sandrose.exe
File created	C:\Windows\MLC21.exe	2dd6651454309d8d292ca2bada052de8.exe
File created	C:\Windows\sandrose.exe	2dd6651454309d8d292ca2bada052de8.exe
File opened for modification	C:\Windows\`	2dd6651454309d8d292ca2bada052de8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4808	sandrose.exe
4808	sandrose.exe
4808	sandrose.exe
4808	sandrose.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4808	1404	2dd6651454309d8d292ca2bada052de8.exe	88
PID 1404 wrote to memory of 4808	1404	2dd6651454309d8d292ca2bada052de8.exe	88
PID 1404 wrote to memory of 4808	1404	2dd6651454309d8d292ca2bada052de8.exe	88
PID 4808 wrote to memory of 3500	4808	sandrose.exe	33
PID 4808 wrote to memory of 3500	4808	sandrose.exe	33
PID 4808 wrote to memory of 3500	4808	sandrose.exe	33
PID 4808 wrote to memory of 3500	4808	sandrose.exe	33
PID 1404 wrote to memory of 4440	1404	2dd6651454309d8d292ca2bada052de8.exe	89
PID 1404 wrote to memory of 4440	1404	2dd6651454309d8d292ca2bada052de8.exe	89
PID 1404 wrote to memory of 4440	1404	2dd6651454309d8d292ca2bada052de8.exe	89

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\2dd6651454309d8d292ca2bada052de8.exe
  "C:\Users\Admin\AppData\Local\Temp\2dd6651454309d8d292ca2bada052de8.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\WINDOWS\sandrose.exe
    "C:\WINDOWS\sandrose.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4808
- - C:\Windows\MLC21.exe
    "C:\Windows\MLC21.exe"
    3⤵
    - Executes dropped EXE
    PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
210B

MD5
bd0032fc3c1d65e8fd446cbb6b2f05ac

SHA1
1965eed65fc4a5e3824eb754648f945d9ae28766

SHA256
58a8eae5107609cdd6c38b62f382b90e9a88c497dde45a186b6bccee70c1d14b

SHA512
58ba9ef16255efde70a6e6f579a371b7b54c5f8020beff82e406fbacb99899cbe567946d8e2293d764d88395acac1b9ddc682e2f692bae05d15da84bcc1d9437

Download Submit
C:\Windows\MLC21.exe

Filesize
423KB

MD5
089fa5c84dde84ddb8756f4e2bd4de93

SHA1
22958286896388d15c10ab03beec9800475d7418

SHA256
4b145b0421c031408be2b24503fa4490f44ea66f3ee6742accb86a16de9f7dd7

SHA512
ec0fb2fe3b071d26f003bf8f1aa494715f9e0001c8ec32fda5a0c6bf9f9b10b700da46df53d986a4c5893016685545cab6caab0e580fe84b568290de9ccf722e

Download Submit
C:\Windows\sandrose.exe

Filesize
92KB

MD5
6023338ce484b13b9205d3e4566ae224

SHA1
1475314abafc038e5bf86ca9cbc7fcd5874ffedc

SHA256
75b5d7492ddfc8d3ee1d114fdcc0e1975fbbdccbd43a9548cff3c3b382695140

SHA512
91f5c90afafa4c3f7937772af45f375bc70401097a8ff8bf3367cf24561c778d666e5f0f4a12e4e236c787eea378a5623bb7b4426ae8d7c9f3a878bbc8648a4d

Download Submit
memory/3500-37-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3500-36-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/4440-55-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/4440-52-0x0000000000400000-0x00000000009CC000-memory.dmp

Filesize
5.8MB

Download
memory/4440-51-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/4808-30-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/4808-43-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4808-28-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4808-27-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/4808-35-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4808-32-0x0000000075ED0000-0x0000000075FC0000-memory.dmp

Filesize
960KB

Download
memory/4808-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4808-29-0x0000000077802000-0x0000000077803000-memory.dmp

Filesize
4KB

Download
memory/4808-42-0x0000000075ED0000-0x0000000075FC0000-memory.dmp

Filesize
960KB

Download
memory/4808-33-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/4808-41-0x00000000008C0000-0x00000000008FD000-memory.dmp

Filesize
244KB

Download
memory/4808-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4808-25-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/4808-26-0x00000000008C0000-0x00000000008FD000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing