8639dbd698c74a0904a9b89d15c477f1c2f84bb52c40464644780dd5e588e020

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47d1043029c5a4ad3938d17df2c03a64.exe
Size

52KB
MD5

47d1043029c5a4ad3938d17df2c03a64
SHA1

b64a381209b865cc19c223fc810d6c735ac0a6d8
SHA256

8639dbd698c74a0904a9b89d15c477f1c2f84bb52c40464644780dd5e588e020
SHA512

ee436ba1fcb17e70367fa3ae6fbfcc31ac214cfb28d2ff3558163061ed7720003b1d009afa815dd49fc09644b63592b10f40b7322b93c52b61dc461224299033
SSDEEP

1536:jzCEbo8UnZr8FcgEfhBXZaiOAVUzcei09:Kt/PfQ

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000600000001e5df-5.dat	aspack_v212_v242

Executes dropped EXE 10 IoCs

pid	Process
4924	msniq.exe
3932	msniq.exe
4456	msniq.exe
5020	msniq.exe
2044	msniq.exe
3608	msniq.exe
5000	msniq.exe
3880	msniq.exe
3228	msniq.exe
4832	msniq.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	47d1043029c5a4ad3938d17df2c03a64.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	47d1043029c5a4ad3938d17df2c03a64.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File opened for modification	C:\Windows\SysWOW64\msniq.exe	msniq.exe
File created	C:\Windows\SysWOW64\msniq.exe	msniq.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 4924	2268	47d1043029c5a4ad3938d17df2c03a64.exe	90
PID 2268 wrote to memory of 4924	2268	47d1043029c5a4ad3938d17df2c03a64.exe	90
PID 2268 wrote to memory of 4924	2268	47d1043029c5a4ad3938d17df2c03a64.exe	90
PID 4924 wrote to memory of 3932	4924	msniq.exe	100
PID 4924 wrote to memory of 3932	4924	msniq.exe	100
PID 4924 wrote to memory of 3932	4924	msniq.exe	100
PID 3932 wrote to memory of 4456	3932	msniq.exe	102
PID 3932 wrote to memory of 4456	3932	msniq.exe	102
PID 3932 wrote to memory of 4456	3932	msniq.exe	102
PID 4456 wrote to memory of 5020	4456	msniq.exe	104
PID 4456 wrote to memory of 5020	4456	msniq.exe	104
PID 4456 wrote to memory of 5020	4456	msniq.exe	104
PID 5020 wrote to memory of 2044	5020	msniq.exe	105
PID 5020 wrote to memory of 2044	5020	msniq.exe	105
PID 5020 wrote to memory of 2044	5020	msniq.exe	105
PID 2044 wrote to memory of 3608	2044	msniq.exe	109
PID 2044 wrote to memory of 3608	2044	msniq.exe	109
PID 2044 wrote to memory of 3608	2044	msniq.exe	109
PID 3608 wrote to memory of 5000	3608	msniq.exe	110
PID 3608 wrote to memory of 5000	3608	msniq.exe	110
PID 3608 wrote to memory of 5000	3608	msniq.exe	110
PID 5000 wrote to memory of 3880	5000	msniq.exe	114
PID 5000 wrote to memory of 3880	5000	msniq.exe	114
PID 5000 wrote to memory of 3880	5000	msniq.exe	114
PID 3880 wrote to memory of 3228	3880	msniq.exe	118
PID 3880 wrote to memory of 3228	3880	msniq.exe	118
PID 3880 wrote to memory of 3228	3880	msniq.exe	118
PID 3228 wrote to memory of 4832	3228	msniq.exe	119
PID 3228 wrote to memory of 4832	3228	msniq.exe	119
PID 3228 wrote to memory of 4832	3228	msniq.exe	119

C:\Users\Admin\AppData\Local\Temp\47d1043029c5a4ad3938d17df2c03a64.exe
"C:\Users\Admin\AppData\Local\Temp\47d1043029c5a4ad3938d17df2c03a64.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\msniq.exe
  C:\Windows\system32\msniq.exe 1124 "C:\Users\Admin\AppData\Local\Temp\47d1043029c5a4ad3938d17df2c03a64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\msniq.exe
    C:\Windows\system32\msniq.exe 1132 "C:\Windows\SysWOW64\msniq.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\SysWOW64\msniq.exe
      C:\Windows\system32\msniq.exe 1096 "C:\Windows\SysWOW64\msniq.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 1092 "C:\Windows\SysWOW64\msniq.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 1100 "C:\Windows\SysWOW64\msniq.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 1104 "C:\Windows\SysWOW64\msniq.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 1108 "C:\Windows\SysWOW64\msniq.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 1112 "C:\Windows\SysWOW64\msniq.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 1084 "C:\Windows\SysWOW64\msniq.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\msniq.exe
        
        C:\Windows\system32\msniq.exe 1120 "C:\Windows\SysWOW64\msniq.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msniq.exe

Filesize
52KB

MD5
47d1043029c5a4ad3938d17df2c03a64

SHA1
b64a381209b865cc19c223fc810d6c735ac0a6d8

SHA256
8639dbd698c74a0904a9b89d15c477f1c2f84bb52c40464644780dd5e588e020

SHA512
ee436ba1fcb17e70367fa3ae6fbfcc31ac214cfb28d2ff3558163061ed7720003b1d009afa815dd49fc09644b63592b10f40b7322b93c52b61dc461224299033

Download Submit
memory/2044-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2268-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2268-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3228-38-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3608-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3608-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3880-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3880-35-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4456-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4832-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4832-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5020-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download