08f5f2ab3e0bbc34381158a523e4d6dbb2e4e8d099d33930bf1fa1f421553b53

General

Target

367cb9b03a746a5b5099e0ebbef9f6ef.exe
Size

492KB
MD5

367cb9b03a746a5b5099e0ebbef9f6ef
SHA1

e24124e17120362e09a80f5bf0ba5fd9d1bbec13
SHA256

08f5f2ab3e0bbc34381158a523e4d6dbb2e4e8d099d33930bf1fa1f421553b53
SHA512

ba928a4e34d0926c6dbb0da7dfee145d24d4b4dd2d2010688b560858e8d4e46693a3b339624b2b892f443a8d118466cc5d5fce8795990fdae190ca788d026956
SSDEEP

12288:EbpJ6kLANDJW5FvacCbIbuYnjxQ8Y8x+iJvqgoNVTk:0pdQoKbIfQ8BxJvqgoTTk

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000d000000012247-33.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2736	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	Stevmy.exe

Loads dropped DLL 1 IoCs

pid	Process
2776	Stevmy.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Stevmy.dll	367cb9b03a746a5b5099e0ebbef9f6ef.exe
File created	C:\Windows\SysWOW64\Stevmy.dat	Stevmy.exe
File created	C:\Windows\SysWOW64\Stevmy.exe	Stevmy.exe
File opened for modification	C:\Windows\SysWOW64\Stevmy.exe	Stevmy.exe
File opened for modification	C:\Windows\SysWOW64\Stevmy.dll	Stevmy.exe
File created	C:\Windows\SysWOW64\Stevmy.exe	367cb9b03a746a5b5099e0ebbef9f6ef.exe
File opened for modification	C:\Windows\SysWOW64\Stevmy.exe	367cb9b03a746a5b5099e0ebbef9f6ef.exe
File created	C:\Windows\SysWOW64\Stevmy.dll	367cb9b03a746a5b5099e0ebbef9f6ef.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2912	367cb9b03a746a5b5099e0ebbef9f6ef.exe
2912	367cb9b03a746a5b5099e0ebbef9f6ef.exe
2912	367cb9b03a746a5b5099e0ebbef9f6ef.exe
2776	Stevmy.exe
2776	Stevmy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2912	367cb9b03a746a5b5099e0ebbef9f6ef.exe
Token: SeDebugPrivilege	2776	Stevmy.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2736	2912	367cb9b03a746a5b5099e0ebbef9f6ef.exe	29
PID 2912 wrote to memory of 2736	2912	367cb9b03a746a5b5099e0ebbef9f6ef.exe	29
PID 2912 wrote to memory of 2736	2912	367cb9b03a746a5b5099e0ebbef9f6ef.exe	29
PID 2912 wrote to memory of 2736	2912	367cb9b03a746a5b5099e0ebbef9f6ef.exe	29
PID 2776 wrote to memory of 2540	2776	Stevmy.exe	30
PID 2776 wrote to memory of 2540	2776	Stevmy.exe	30
PID 2776 wrote to memory of 2540	2776	Stevmy.exe	30
PID 2776 wrote to memory of 2540	2776	Stevmy.exe	30
PID 2776 wrote to memory of 2540	2776	Stevmy.exe	30
PID 2776 wrote to memory of 2540	2776	Stevmy.exe	30

C:\Users\Admin\AppData\Local\Temp\367cb9b03a746a5b5099e0ebbef9f6ef.exe
"C:\Users\Admin\AppData\Local\Temp\367cb9b03a746a5b5099e0ebbef9f6ef.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\367CB9~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2736

C:\Windows\SysWOW64\Stevmy.exe
C:\Windows\SysWOW64\Stevmy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14735.dat

Filesize
243B

MD5
691104f67a35ba1bf60fa16ec1d8c86a

SHA1
7958d935a791af817b31a700bf7582cafbc09b11

SHA256
e2f3c3be91ea9a23a0f546fe158db808f7c8c2b5f19da907875af6f8b97aa65b

SHA512
c83575800b633a74733e61a1ae241e74b95fd060e0fec0933e8bafa4ce682280a8f36e36126b8dac54e424145283d6bf608f2001f95fffc5a4a79c1221ca937c

Download Submit
C:\Windows\SysWOW64\Stevmy.dll

Filesize
373KB

MD5
6d12be0e15de58ae6608a91b19c41739

SHA1
5b992563c10932b5fbea92b4a3d8d06a9e359e75

SHA256
641da0fa2cb064cd5247c72f373d737e319c3fdb5289096f93139316bd6517e9

SHA512
b8b0e7cec4322a7348ea402b3e540380cc8b6fd884a3ea7a18869e1dc1ba9d38f2a23c902a7e3502a9d0d8c1b6efdc1cf28a7a5c47f12f38e8ee0e4d80139ce7

Download Submit
C:\Windows\SysWOW64\Stevmy.exe

Filesize
492KB

MD5
367cb9b03a746a5b5099e0ebbef9f6ef

SHA1
e24124e17120362e09a80f5bf0ba5fd9d1bbec13

SHA256
08f5f2ab3e0bbc34381158a523e4d6dbb2e4e8d099d33930bf1fa1f421553b53

SHA512
ba928a4e34d0926c6dbb0da7dfee145d24d4b4dd2d2010688b560858e8d4e46693a3b339624b2b892f443a8d118466cc5d5fce8795990fdae190ca788d026956

Download Submit
memory/2776-45-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2776-46-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2776-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2776-39-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2776-40-0x0000000000880000-0x00000000008D4000-memory.dmp

Filesize
336KB

Download
memory/2776-42-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2776-41-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2776-63-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2776-43-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2776-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2776-47-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2776-48-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2776-60-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2776-61-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2776-49-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2912-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing