e32c195fb56acfc6ab9f95ad196c74d3bf58ad5ab42a1271b1055199b668855c

General

Target

240eadb1801d62f4c068b23f4edf2bc8.exe
Size

145KB
MD5

240eadb1801d62f4c068b23f4edf2bc8
SHA1

20d344344108d68a1d465b04aa229ff802817f00
SHA256

e32c195fb56acfc6ab9f95ad196c74d3bf58ad5ab42a1271b1055199b668855c
SHA512

53e8ff556d30fd55ab806ff4a7bd013e075200f6ca51ccf2565034407a7953bf73d3cc8e3518257622ef416d8823c72277cf5d2cbed5d5b35cec0d98bb8c8bb5
SSDEEP

3072:b4eYZ4+1JXJJfL1s7tc4lfhhYxEwmz1klfGGc9i9VdfQ:U5O8bLSS4FhCmV1kcGc9ipY

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000016247-23.dat	aspack_v212_v242

Loads dropped DLL 2 IoCs

pid	Process
2212	240eadb1801d62f4c068b23f4edf2bc8.exe
2212	240eadb1801d62f4c068b23f4edf2bc8.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\21.ico	240eadb1801d62f4c068b23f4edf2bc8.exe
File created	C:\Program Files\Internet Explorer\22.ico	240eadb1801d62f4c068b23f4edf2bc8.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\IME\vbs\pp.vbs	240eadb1801d62f4c068b23f4edf2bc8.exe
File created	C:\windows\ime\netsecc\cc	240eadb1801d62f4c068b23f4edf2bc8.exe
File created	C:\windows\ime\vbs\pp	240eadb1801d62f4c068b23f4edf2bc8.exe
File created	C:\Windows\IME\netsecc\ime.dll	240eadb1801d62f4c068b23f4edf2bc8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32	regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
2356	regedit.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2356	2212	240eadb1801d62f4c068b23f4edf2bc8.exe	28
PID 2212 wrote to memory of 2356	2212	240eadb1801d62f4c068b23f4edf2bc8.exe	28
PID 2212 wrote to memory of 2356	2212	240eadb1801d62f4c068b23f4edf2bc8.exe	28
PID 2212 wrote to memory of 2356	2212	240eadb1801d62f4c068b23f4edf2bc8.exe	28
PID 2212 wrote to memory of 2356	2212	240eadb1801d62f4c068b23f4edf2bc8.exe	28
PID 2212 wrote to memory of 2356	2212	240eadb1801d62f4c068b23f4edf2bc8.exe	28
PID 2212 wrote to memory of 2356	2212	240eadb1801d62f4c068b23f4edf2bc8.exe	28

C:\Users\Admin\AppData\Local\Temp\240eadb1801d62f4c068b23f4edf2bc8.exe
"C:\Users\Admin\AppData\Local\Temp\240eadb1801d62f4c068b23f4edf2bc8.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2212
- \??\c:\windows\SysWOW64\regedit.exe
  c:\windows\regedit.exe -s "C:\Users\Admin\AppData\Local\Temp\ime"
  2⤵
  - Modifies registry class
  - Runs regedit.exe
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21

Filesize
63KB

MD5
6bf0f9c879a81592aa7ea31bcf3809fe

SHA1
0bbda0d4690043483a763482f1a36ceb494a093c

SHA256
a9f18d4d50f36ac471ff1a5595fd5e14284ade4d1b33ad7f7ad55d14ce4e0cf8

SHA512
ee0bcd7a361ade265a66ea7ec9af96948ea58dffb8537a10515ccbae65c1a40e5f765c4356a96415bcab74519f7f5ffd9ef7cec8ebffa231adcdce93ba0f28e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\22

Filesize
45KB

MD5
80e2ab16c14b6b913d8a10a5eba91f47

SHA1
117dd794f5b463e2631af4dff7d53d5ea55f6207

SHA256
bf2ada441f58b47069c22b287385d434d1f78b10e7c1ba73d653393de30f26f6

SHA512
9b0d45a22d0deba46299887c99f63e1b0e0e5fabe833ed10fb9619f299f79534589cd07e51ab405c52fab7574a57258e7a527c736783f7a99c1c08fb2e9cbfcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ime

Filesize
720B

MD5
b4b5116fa29b89ca06f3c9f6c0913ffb

SHA1
b466679ec6d6602b6b5bb83d0d88dead906bd311

SHA256
0ec0ece77cc15137a98d210716c77d5a67d964a90788cbf07b7f39ea206d2f16

SHA512
2717b2d1c05127ec17c34f152ab75a5384bcf5578f8f9c12980ce680a2a878c795d6d8e5804bd8e112127a55f0a46967e7b8e85ed3793e6da47346ac7764f685

Download Submit
C:\Windows\IME\netsecc\cc

Filesize
22KB

MD5
89e9bf04b487907bb86538cb6d79ceca

SHA1
066c2b1ba496a54c93aab26f6fa8bddfae0166ca

SHA256
3875a81da066ca29fb47f6d8877473a7cdb9a190e9f6fbb278b43776643fa3a9

SHA512
e28b5d89e06126bc28a2d6bca503a8eabe45992bf16df64237a0754f61c379b11e241b94384ef8e0352a686be179590dbbbdeee1f2b089064eb06cb3eadf22cd

Download Submit
C:\Windows\IME\vbs\pp

Filesize
831B

MD5
8177421fa532e36ff6cfd14b2c45144e

SHA1
d4130c283b6f95577160e7a7f17a7a801e0c54ea

SHA256
0697c43c45a668f2c7a8f5f8e185dbbaeef5b76ad92b09f6f73ea203c2a920c8

SHA512
f5f01e7684f8a2e22ef1c6a5c3930230e5712a57147386f8a335d078861449e212446e4e5559959be783ae91505edd453887504978b85cba365352f6a3a759ef

Download Submit
\Users\Admin\AppData\Local\Temp\nso4DE3.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nso4DE3.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit

Analysis

Sharing