8639dbd698c74a0904a9b89d15c477f1c2f84bb52c40464644780dd5e588e020

Analysis

max time kernel
151s
max time network
37s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47d1043029c5a4ad3938d17df2c03a64.exe
Size

52KB
MD5

47d1043029c5a4ad3938d17df2c03a64
SHA1

b64a381209b865cc19c223fc810d6c735ac0a6d8
SHA256

8639dbd698c74a0904a9b89d15c477f1c2f84bb52c40464644780dd5e588e020
SHA512

ee436ba1fcb17e70367fa3ae6fbfcc31ac214cfb28d2ff3558163061ed7720003b1d009afa815dd49fc09644b63592b10f40b7322b93c52b61dc461224299033
SSDEEP

1536:jzCEbo8UnZr8FcgEfhBXZaiOAVUzcei09:Kt/PfQ

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000300000000b1f7-8.dat	aspack_v212_v242
behavioral1/files/0x000300000000b1f7-46.dat	aspack_v212_v242
behavioral1/memory/1724-49-0x0000000001ED0000-0x0000000001F12000-memory.dmp	aspack_v212_v242

Executes dropped EXE 10 IoCs

pid	Process
2804	msniq.exe
2576	msniq.exe
1344	msniq.exe
2904	msniq.exe
1724	msniq.exe
2776	msniq.exe
2220	msniq.exe
2336	msniq.exe
444	msniq.exe
388	msniq.exe

Loads dropped DLL 20 IoCs

pid	Process
2972	47d1043029c5a4ad3938d17df2c03a64.exe
2972	47d1043029c5a4ad3938d17df2c03a64.exe
2804	msniq.exe
2804	msniq.exe
2576	msniq.exe
2576	msniq.exe
1344	msniq.exe
1344	msniq.exe
2904	msniq.exe
2904	msniq.exe
1724	msniq.exe
1724	msniq.exe
2776	msniq.exe
2776	msniq.exe
2220	msniq.exe
2220	msniq.exe
2336	msniq.exe
2336	msniq.exe
444	msniq.exe
444	msniq.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	47d1043029c5a4ad3938d17df2c03a64.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	47d1043029c5a4ad3938d17df2c03a64.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2804	2972	47d1043029c5a4ad3938d17df2c03a64.exe	30
PID 2972 wrote to memory of 2804	2972	47d1043029c5a4ad3938d17df2c03a64.exe	30
PID 2972 wrote to memory of 2804	2972	47d1043029c5a4ad3938d17df2c03a64.exe	30
PID 2972 wrote to memory of 2804	2972	47d1043029c5a4ad3938d17df2c03a64.exe	30
PID 2804 wrote to memory of 2576	2804	msniq.exe	31
PID 2804 wrote to memory of 2576	2804	msniq.exe	31
PID 2804 wrote to memory of 2576	2804	msniq.exe	31
PID 2804 wrote to memory of 2576	2804	msniq.exe	31
PID 2576 wrote to memory of 1344	2576	msniq.exe	32
PID 2576 wrote to memory of 1344	2576	msniq.exe	32
PID 2576 wrote to memory of 1344	2576	msniq.exe	32
PID 2576 wrote to memory of 1344	2576	msniq.exe	32
PID 1344 wrote to memory of 2904	1344	msniq.exe	33
PID 1344 wrote to memory of 2904	1344	msniq.exe	33
PID 1344 wrote to memory of 2904	1344	msniq.exe	33
PID 1344 wrote to memory of 2904	1344	msniq.exe	33
PID 2904 wrote to memory of 1724	2904	msniq.exe	34
PID 2904 wrote to memory of 1724	2904	msniq.exe	34
PID 2904 wrote to memory of 1724	2904	msniq.exe	34
PID 2904 wrote to memory of 1724	2904	msniq.exe	34
PID 1724 wrote to memory of 2776	1724	msniq.exe	35
PID 1724 wrote to memory of 2776	1724	msniq.exe	35
PID 1724 wrote to memory of 2776	1724	msniq.exe	35
PID 1724 wrote to memory of 2776	1724	msniq.exe	35
PID 2776 wrote to memory of 2220	2776	msniq.exe	36
PID 2776 wrote to memory of 2220	2776	msniq.exe	36
PID 2776 wrote to memory of 2220	2776	msniq.exe	36
PID 2776 wrote to memory of 2220	2776	msniq.exe	36
PID 2220 wrote to memory of 2336	2220	msniq.exe	37
PID 2220 wrote to memory of 2336	2220	msniq.exe	37
PID 2220 wrote to memory of 2336	2220	msniq.exe	37
PID 2220 wrote to memory of 2336	2220	msniq.exe	37
PID 2336 wrote to memory of 444	2336	msniq.exe	38
PID 2336 wrote to memory of 444	2336	msniq.exe	38
PID 2336 wrote to memory of 444	2336	msniq.exe	38
PID 2336 wrote to memory of 444	2336	msniq.exe	38
PID 444 wrote to memory of 388	444	msniq.exe	39
PID 444 wrote to memory of 388	444	msniq.exe	39
PID 444 wrote to memory of 388	444	msniq.exe	39
PID 444 wrote to memory of 388	444	msniq.exe	39

C:\Users\Admin\AppData\Local\Temp\47d1043029c5a4ad3938d17df2c03a64.exe
"C:\Users\Admin\AppData\Local\Temp\47d1043029c5a4ad3938d17df2c03a64.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\msniq.exe
  C:\Windows\system32\msniq.exe 500 "C:\Users\Admin\AppData\Local\Temp\47d1043029c5a4ad3938d17df2c03a64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\msniq.exe
    C:\Windows\system32\msniq.exe 516 "C:\Windows\SysWOW64\msniq.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\msniq.exe
      C:\Windows\system32\msniq.exe 524 "C:\Windows\SysWOW64\msniq.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 508 "C:\Windows\SysWOW64\msniq.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 540 "C:\Windows\SysWOW64\msniq.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 512 "C:\Windows\SysWOW64\msniq.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 528 "C:\Windows\SysWOW64\msniq.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 520 "C:\Windows\SysWOW64\msniq.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 536 "C:\Windows\SysWOW64\msniq.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 532 "C:\Windows\SysWOW64\msniq.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msniq.exe

Filesize
52KB

MD5
47d1043029c5a4ad3938d17df2c03a64

SHA1
b64a381209b865cc19c223fc810d6c735ac0a6d8

SHA256
8639dbd698c74a0904a9b89d15c477f1c2f84bb52c40464644780dd5e588e020

SHA512
ee436ba1fcb17e70367fa3ae6fbfcc31ac214cfb28d2ff3558163061ed7720003b1d009afa815dd49fc09644b63592b10f40b7322b93c52b61dc461224299033

Download Submit
memory/388-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/388-78-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/444-76-0x0000000002570000-0x00000000025B2000-memory.dmp

Filesize
264KB

Download
memory/444-77-0x0000000002570000-0x00000000025B2000-memory.dmp

Filesize
264KB

Download
memory/444-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/444-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1344-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1344-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1344-33-0x00000000023B0000-0x00000000023F2000-memory.dmp

Filesize
264KB

Download
memory/1724-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1724-49-0x0000000001ED0000-0x0000000001F12000-memory.dmp

Filesize
264KB

Download
memory/1724-47-0x0000000001ED0000-0x0000000001F12000-memory.dmp

Filesize
264KB

Download
memory/1724-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2220-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2220-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2220-62-0x0000000000490000-0x00000000004D2000-memory.dmp

Filesize
264KB

Download
memory/2336-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2336-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2336-69-0x0000000002500000-0x0000000002542000-memory.dmp

Filesize
264KB

Download
memory/2576-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2576-26-0x0000000001EB0000-0x0000000001EF2000-memory.dmp

Filesize
264KB

Download
memory/2576-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-51-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-55-0x0000000001C80000-0x0000000001CC2000-memory.dmp

Filesize
264KB

Download
memory/2804-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-20-0x00000000024A0000-0x00000000024E2000-memory.dmp

Filesize
264KB

Download
memory/2804-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-35-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-41-0x0000000002880000-0x00000000028C2000-memory.dmp

Filesize
264KB

Download
memory/2972-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-12-0x0000000002840000-0x0000000002882000-memory.dmp

Filesize
264KB

Download
memory/2972-5-0x0000000002840000-0x0000000002882000-memory.dmp

Filesize
264KB

Download