bcfceeb65c0ae200dfe8fd80c52b338623cd5502a47075c4e844977867c43f1d

Analysis

max time kernel
166s
max time network
167s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50cf6efcaf56ca4efb82598083cc1212.exe
Size

605KB
MD5

50cf6efcaf56ca4efb82598083cc1212
SHA1

d4a80f11768f21d4fb698a7de3a452f65c6cb849
SHA256

bcfceeb65c0ae200dfe8fd80c52b338623cd5502a47075c4e844977867c43f1d
SHA512

8e3aa1ca822f54d23bb1eb58b8d26a245ccf1789396dba2c44db6a34a776d0233bde3a2dfc00c438cbce2a51a5e6f9edc4a02535e1b775dabee1e7c9c1750b8c
SSDEEP

12288:VYSl0MaEq0USMFFBdMElIwIWhJ0a3qo0olzmrJA89CVe/aC4LQY:VYib2jEEkW2ePlzwA8UVe/14l

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b00000001225b-18.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2328	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	system

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HNRXBV.DAT	50cf6efcaf56ca4efb82598083cc1212.exe
File created	C:\Windows\SysWOW64\system	50cf6efcaf56ca4efb82598083cc1212.exe
File opened for modification	C:\Windows\SysWOW64\system	50cf6efcaf56ca4efb82598083cc1212.exe
File opened for modification	C:\Windows\SysWOW64\HNRXBV.DAT	system
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	system
File created	C:\Windows\SysWOW64\SXIYFI.DAT	system
File opened for modification	C:\Windows\SysWOW64\system	system
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	50cf6efcaf56ca4efb82598083cc1212.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	50cf6efcaf56ca4efb82598083cc1212.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	50cf6efcaf56ca4efb82598083cc1212.exe
Token: SeDebugPrivilege	2276	system

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2328	2548	50cf6efcaf56ca4efb82598083cc1212.exe	29
PID 2548 wrote to memory of 2328	2548	50cf6efcaf56ca4efb82598083cc1212.exe	29
PID 2548 wrote to memory of 2328	2548	50cf6efcaf56ca4efb82598083cc1212.exe	29
PID 2548 wrote to memory of 2328	2548	50cf6efcaf56ca4efb82598083cc1212.exe	29
PID 2548 wrote to memory of 2328	2548	50cf6efcaf56ca4efb82598083cc1212.exe	29
PID 2548 wrote to memory of 2328	2548	50cf6efcaf56ca4efb82598083cc1212.exe	29
PID 2548 wrote to memory of 2328	2548	50cf6efcaf56ca4efb82598083cc1212.exe	29

C:\Users\Admin\AppData\Local\Temp\50cf6efcaf56ca4efb82598083cc1212.exe
"C:\Users\Admin\AppData\Local\Temp\50cf6efcaf56ca4efb82598083cc1212.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2328

C:\Windows\SysWOW64\system
C:\Windows\SysWOW64\system
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\HNRXBV.DAT

Filesize
293KB

MD5
aa0296edd5f3427d20b3e9fc4bf3d517

SHA1
ff22ab224ebc0d004c3f10109a2399c790e840d7

SHA256
7131fc5d42182927ad529be37c27eaf4d40e9c64a167133937a0317f35ff2e89

SHA512
407ae311428a90244820885759dc0344a4be512f0b4b01e7e4507cf1b21cd9d6d5c035498b8db6c9f64aee543852e3859e0b86b9eaf356ac7c0f1e8ad5e32a82

Download Submit
C:\Windows\SysWOW64\system

Filesize
605KB

MD5
50cf6efcaf56ca4efb82598083cc1212

SHA1
d4a80f11768f21d4fb698a7de3a452f65c6cb849

SHA256
bcfceeb65c0ae200dfe8fd80c52b338623cd5502a47075c4e844977867c43f1d

SHA512
8e3aa1ca822f54d23bb1eb58b8d26a245ccf1789396dba2c44db6a34a776d0233bde3a2dfc00c438cbce2a51a5e6f9edc4a02535e1b775dabee1e7c9c1750b8c

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
c349aaca988489db2f4839527e224eb0

SHA1
40f029312ec2868a08db34160b38a461499c496d

SHA256
791838cea8349393a1c97fb63eeeb841e3bd3f4f8088dfea789edd926cbbedce

SHA512
fa15d80425171d2ef5bac0c76e51d406f8051627985f9fd464623b562e9e891b27f6e49e8d6cf36bf450fffe5bb5f73cc0547dd90d8ef48a9038731e7a4ae741

Download Submit
memory/2276-22-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/2276-17-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2276-16-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2276-15-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/2548-4-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2548-12-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/2548-11-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download
memory/2548-10-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2548-8-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/2548-0-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/2548-3-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/2548-2-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download
memory/2548-1-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download