f7873d50c4c15636f9a5cee2051b3f0f36ed5d1ec16977dd67a5b7d0fcbdd497

General

Target

2cd535edb48b7cefbb14494688c67190.exe
Size

412KB
MD5

2cd535edb48b7cefbb14494688c67190
SHA1

0b06f52cc6826baacb63408ae3ab529ca696f21d
SHA256

f7873d50c4c15636f9a5cee2051b3f0f36ed5d1ec16977dd67a5b7d0fcbdd497
SHA512

31cc0d7e90d88c4c14f5169f16774129e9ed1f6ea1629a826876d8b0aba13a76f8a1bbb796b410453c08f836bf81ef1777b05ccffd99a23b937bf59673c27163
SSDEEP

6144:yBlZxyTW4/AWZ2PaPN49K13NoRY+Eqn3dDODD9Uv0mJjPOJ6MMKLs4UL7FsY:ElTyS22PO49K1NyYJq31ONUZr36veWY

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000600000001e7f0-11.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2024	Svchost
2584	Svchost

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2404 set thread context of 4704	2404	2cd535edb48b7cefbb14494688c67190.exe	93
PID 2024 set thread context of 2584	2024	Svchost	97
PID 2584 set thread context of 776	2584	Svchost	98

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Svchost	2cd535edb48b7cefbb14494688c67190.exe
File created	C:\Windows\Svchost	2cd535edb48b7cefbb14494688c67190.exe
File created	C:\Windows\uninstal.bat	2cd535edb48b7cefbb14494688c67190.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4704	2cd535edb48b7cefbb14494688c67190.exe
Token: SeDebugPrivilege	2584	Svchost

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 4704	2404	2cd535edb48b7cefbb14494688c67190.exe	93
PID 2404 wrote to memory of 4704	2404	2cd535edb48b7cefbb14494688c67190.exe	93
PID 2404 wrote to memory of 4704	2404	2cd535edb48b7cefbb14494688c67190.exe	93
PID 2404 wrote to memory of 4704	2404	2cd535edb48b7cefbb14494688c67190.exe	93
PID 2404 wrote to memory of 4704	2404	2cd535edb48b7cefbb14494688c67190.exe	93
PID 2024 wrote to memory of 2584	2024	Svchost	97
PID 2024 wrote to memory of 2584	2024	Svchost	97
PID 2024 wrote to memory of 2584	2024	Svchost	97
PID 2024 wrote to memory of 2584	2024	Svchost	97
PID 2024 wrote to memory of 2584	2024	Svchost	97
PID 2584 wrote to memory of 776	2584	Svchost	98
PID 2584 wrote to memory of 776	2584	Svchost	98
PID 2584 wrote to memory of 776	2584	Svchost	98
PID 2584 wrote to memory of 776	2584	Svchost	98
PID 2584 wrote to memory of 776	2584	Svchost	98
PID 4704 wrote to memory of 3568	4704	2cd535edb48b7cefbb14494688c67190.exe	99
PID 4704 wrote to memory of 3568	4704	2cd535edb48b7cefbb14494688c67190.exe	99
PID 4704 wrote to memory of 3568	4704	2cd535edb48b7cefbb14494688c67190.exe	99

C:\Users\Admin\AppData\Local\Temp\2cd535edb48b7cefbb14494688c67190.exe
"C:\Users\Admin\AppData\Local\Temp\2cd535edb48b7cefbb14494688c67190.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\2cd535edb48b7cefbb14494688c67190.exe
  C:\Users\Admin\AppData\Local\Temp\2cd535edb48b7cefbb14494688c67190.exe
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:3568

C:\Windows\Svchost
C:\Windows\Svchost
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\Svchost
  C:\Windows\Svchost
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\WINDOWS\SysWOW64\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    3⤵
    PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 776 -ip 776
1⤵
PID:4628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Svchost

Filesize
412KB

MD5
2cd535edb48b7cefbb14494688c67190

SHA1
0b06f52cc6826baacb63408ae3ab529ca696f21d

SHA256
f7873d50c4c15636f9a5cee2051b3f0f36ed5d1ec16977dd67a5b7d0fcbdd497

SHA512
31cc0d7e90d88c4c14f5169f16774129e9ed1f6ea1629a826876d8b0aba13a76f8a1bbb796b410453c08f836bf81ef1777b05ccffd99a23b937bf59673c27163

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
c6709fc4092ad172c294da247d573808

SHA1
d56003a69aac74b8e6b6c5fc48c636e7d7dc4411

SHA256
e192657ea3ab56baf735dadf489e621a0ce3d04a9d945470e780b2586cb2f4db

SHA512
e2de15219c870b008b15f748eba8537105fe6a60128b4b547cead91b1c4ebce920f49ed2d7ed7e47bc04393e8239cf2b79b6f3af16ce869c20c39ca688be109f

Download Submit
memory/776-22-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2024-15-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2404-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2404-3-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2584-19-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2584-20-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2584-25-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4704-7-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4704-10-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4704-2-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4704-6-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4704-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4704-4-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing