fc974bb1d58f640869da192d76d7600eeec7e766375066774047f93e8062918a

General

Target

111da61f61dc6b7425f5b6b46de36baa.exe
Size

293KB
MD5

111da61f61dc6b7425f5b6b46de36baa
SHA1

6315924ed224dcc3b6bdfd901a4bba867b72dfb9
SHA256

fc974bb1d58f640869da192d76d7600eeec7e766375066774047f93e8062918a
SHA512

849228e0a0957669c4e0bcb19a563247109407537a0d7e7b860d4758c0e82e0964ebfdcc5f95cc2242bbfba0edbb32e0d131d648340985d940d4305058381052
SSDEEP

6144:wkLcp+1ahqFTCNRExkjn+P55VseLuVLg78/J5R1oVEWSdb3z7ZSS:wjyahqKRExaY0eLuVsA/J5rumz/ES

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b0000000132dc-11.dat	aspack_v212_v242
behavioral1/files/0x000c0000000142bd-18.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2728	Minser.exe
2952	SVCHOSI.EXE

Loads dropped DLL 5 IoCs

pid	Process
2968	111da61f61dc6b7425f5b6b46de36baa.exe
2968	111da61f61dc6b7425f5b6b46de36baa.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\NetMeeting\MINMole.exe	Minser.exe
File created	C:\Program Files\NetMeeting\Mole.Mol	Minser.exe
File created	C:\Program Files\NetMeeting\Install.dll	Minser.exe
File opened for modification	C:\Program Files\NetMeeting\Mole.ini	Minser.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SVCHOSI.EXE	111da61f61dc6b7425f5b6b46de36baa.exe
File opened for modification	C:\Windows\SVCHOSI.EXE	111da61f61dc6b7425f5b6b46de36baa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2728	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE
2952	SVCHOSI.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2728	2968	111da61f61dc6b7425f5b6b46de36baa.exe	28
PID 2968 wrote to memory of 2728	2968	111da61f61dc6b7425f5b6b46de36baa.exe	28
PID 2968 wrote to memory of 2728	2968	111da61f61dc6b7425f5b6b46de36baa.exe	28
PID 2968 wrote to memory of 2728	2968	111da61f61dc6b7425f5b6b46de36baa.exe	28
PID 2728 wrote to memory of 2748	2728	Minser.exe	29
PID 2728 wrote to memory of 2748	2728	Minser.exe	29
PID 2728 wrote to memory of 2748	2728	Minser.exe	29
PID 2728 wrote to memory of 2748	2728	Minser.exe	29
PID 2968 wrote to memory of 2952	2968	111da61f61dc6b7425f5b6b46de36baa.exe	30
PID 2968 wrote to memory of 2952	2968	111da61f61dc6b7425f5b6b46de36baa.exe	30
PID 2968 wrote to memory of 2952	2968	111da61f61dc6b7425f5b6b46de36baa.exe	30
PID 2968 wrote to memory of 2952	2968	111da61f61dc6b7425f5b6b46de36baa.exe	30
PID 2968 wrote to memory of 2644	2968	111da61f61dc6b7425f5b6b46de36baa.exe	31
PID 2968 wrote to memory of 2644	2968	111da61f61dc6b7425f5b6b46de36baa.exe	31
PID 2968 wrote to memory of 2644	2968	111da61f61dc6b7425f5b6b46de36baa.exe	31
PID 2968 wrote to memory of 2644	2968	111da61f61dc6b7425f5b6b46de36baa.exe	31

C:\Users\Admin\AppData\Local\Temp\111da61f61dc6b7425f5b6b46de36baa.exe
"C:\Users\Admin\AppData\Local\Temp\111da61f61dc6b7425f5b6b46de36baa.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\Minser.exe
  "C:\Users\Admin\AppData\Local\Temp\Minser.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2748
- C:\Windows\SVCHOSI.EXE
  C:\Windows\SVCHOSI.EXE -netsvcs
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c Deleteme.bat
  2⤵
  - Deletes itself
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Deleteme.bat

Filesize
184B

MD5
4471cac4d624f4ab3f0d5e25ea23d1a0

SHA1
be57b1a34632f755f2102b7121dd340e69e9c32d

SHA256
0cbeb4b1b2e2428398dbba149cf48dae4ddd9cca3fb3871373c501f7d3d80737

SHA512
605cfbf3cf0156e9c205194b94dbe484f2de409197e06912fe0ddb0c69b9db8e4233a932cdf3d2c1a3c6eda89c7815825ca9b271f0c1be04d4399f58fdff6168

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minser.exe

Filesize
123KB

MD5
0789ac0e9b18ed0af4881b371714cb6c

SHA1
7a0a7810a5436aa0bfa53d9a1503fc871540a230

SHA256
acdae96260e1e563d207219c271b9d048c55fe0f1f44b2f9b8e8394e385d44b0

SHA512
413df0125646980a0315f0086980edeffd7dc5183175667c91adf3641b4d30996ca07fbbc6745bcd325a4335539a4a493288ecb558dacedafaac9cd8b7cdbb6c

Download Submit
C:\Windows\SVCHOSI.EXE

Filesize
293KB

MD5
111da61f61dc6b7425f5b6b46de36baa

SHA1
6315924ed224dcc3b6bdfd901a4bba867b72dfb9

SHA256
fc974bb1d58f640869da192d76d7600eeec7e766375066774047f93e8062918a

SHA512
849228e0a0957669c4e0bcb19a563247109407537a0d7e7b860d4758c0e82e0964ebfdcc5f95cc2242bbfba0edbb32e0d131d648340985d940d4305058381052

Download Submit
memory/2728-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-21-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2952-33-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2952-36-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2968-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2968-29-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing