a01f816685647191a3be7995cf24752c64af700c4bb08f1b0e500e5e8bf9a0d5

Analysis

max time kernel
155s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1175544db87b63303f1f6e394ba6fd46.exe
Size

31KB
MD5

1175544db87b63303f1f6e394ba6fd46
SHA1

3e58b4dccfe8aa4b67b3e3e356273067267bab3d
SHA256

a01f816685647191a3be7995cf24752c64af700c4bb08f1b0e500e5e8bf9a0d5
SHA512

1185c0cba7e6d77387d37fcf5f993818bbb49101ff8e7314bc13fbdf8a1dd44041ee9f6d5630d22c665315f130a4a29e5d3672fcc6114e895fa551e8b5b36f32
SSDEEP

768:RfeSXJ1TnWX2ZeAf+ZCbZ+V52LoeZBy9QHxnSBw/44N:RfVnWmo7obc2UeZ1RnTP

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	win32sp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\11 = "win32sp.exe"	win32sp.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000300000001e7dc-3.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4164	win32sp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/368-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/368-4-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\win32sp.dll	1175544db87b63303f1f6e394ba6fd46.exe
File created	C:\Windows\SysWOW64\win32sp.exe	1175544db87b63303f1f6e394ba6fd46.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4164	win32sp.exe
4164	win32sp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	win32sp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 4164	368	1175544db87b63303f1f6e394ba6fd46.exe	92
PID 368 wrote to memory of 4164	368	1175544db87b63303f1f6e394ba6fd46.exe	92
PID 368 wrote to memory of 4164	368	1175544db87b63303f1f6e394ba6fd46.exe	92
PID 4164 wrote to memory of 680	4164	win32sp.exe	4

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\1175544db87b63303f1f6e394ba6fd46.exe
"C:\Users\Admin\AppData\Local\Temp\1175544db87b63303f1f6e394ba6fd46.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\win32sp.exe
  C:\Windows\system32\win32sp.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\win32sp.exe

Filesize
16KB

MD5
d83815368c90aad76f1bec27b9724509

SHA1
71caf9a23f2dd5f9cdc43e6f2f691a15adf244c0

SHA256
d0c33c64a0a0482b32da31af98536fd1683f8f93facf3257d50fb52a2c2ebede

SHA512
f1495a2b858ca67148949007eaae8c7151693447279d31b7804857a970c528f2ba39f09f1d3f2b11205596b88e7c91615150e554870929c204a5ba44795dbfce

Download Submit
memory/368-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/368-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4164-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4164-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download