b3f098d7108cb12704938864b6375b27395b54ab92af9aa5dd3334442be490bd

Analysis

max time kernel
145s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a217cf11b0abe9da14ce4ffea4233a7.exe
Size

251KB
MD5

9a217cf11b0abe9da14ce4ffea4233a7
SHA1

d8b98ae3ff4250d73ad144dbf55afe049d440fc8
SHA256

b3f098d7108cb12704938864b6375b27395b54ab92af9aa5dd3334442be490bd
SHA512

c646388b8ecfcaf40f63b23b83d79d14be5f6dfaece67d47cefcea505c8fe25f8a1c82a8c0fb8f7b86a6b75cc81d2b6c5d6a087da8ee4c644763ce35d3ef94e3
SSDEEP

6144:qb9iXkv6DOSCyJFDVhtc9HZlXqBLLXP1MxH:qb9EkKFFXtIHCje

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000100000000002b-8.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-25.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-24.dat	aspack_v212_v242
behavioral2/files/0x0006000000023218-27.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1044	backgroundTaskHost.exe

Loads dropped DLL 3 IoCs

pid	Process
3348	Regsvr32.exe
3348	Regsvr32.exe
4592	Regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RGMYI.EXE = "C:\\Program Files\\svchost.exe"	9a217cf11b0abe9da14ce4ffea4233a7.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\O:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\R:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\K:	backgroundTaskHost.exe
File opened (read-only)	\??\Q:	backgroundTaskHost.exe
File opened (read-only)	\??\N:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\Q:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\S:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\L:	backgroundTaskHost.exe
File opened (read-only)	\??\O:	backgroundTaskHost.exe
File opened (read-only)	\??\E:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\M:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\U:	backgroundTaskHost.exe
File opened (read-only)	\??\G:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\P:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\H:	backgroundTaskHost.exe
File opened (read-only)	\??\G:	backgroundTaskHost.exe
File opened (read-only)	\??\T:	backgroundTaskHost.exe
File opened (read-only)	\??\I:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\V:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\M:	backgroundTaskHost.exe
File opened (read-only)	\??\N:	backgroundTaskHost.exe
File opened (read-only)	\??\P:	backgroundTaskHost.exe
File opened (read-only)	\??\H:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\U:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\I:	backgroundTaskHost.exe
File opened (read-only)	\??\J:	backgroundTaskHost.exe
File opened (read-only)	\??\V:	backgroundTaskHost.exe
File opened (read-only)	\??\K:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\L:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\T:	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened (read-only)	\??\E:	backgroundTaskHost.exe
File opened (read-only)	\??\R:	backgroundTaskHost.exe
File opened (read-only)	\??\S:	backgroundTaskHost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RGMYI.EXE	9a217cf11b0abe9da14ce4ffea4233a7.exe
File created	C:\Windows\SysWOW64\Ms7002.dll	9a217cf11b0abe9da14ce4ffea4233a7.exe
File created	C:\Windows\SysWOW64\IXLDFU.EXE	backgroundTaskHost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\RGMYI.EXE	9a217cf11b0abe9da14ce4ffea4233a7.exe
File opened for modification	C:\Program Files\RGMYI.EXE	9a217cf11b0abe9da14ce4ffea4233a7.exe
File created	C:\Program Files\svchost.exe	9a217cf11b0abe9da14ce4ffea4233a7.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open	backgroundTaskHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files\\RGMYI.EXE \"%1\""	9a217cf11b0abe9da14ce4ffea4233a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile	9a217cf11b0abe9da14ce4ffea4233a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\FDLYQUB.EXE \"%1\""	9a217cf11b0abe9da14ce4ffea4233a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files\\RGMYI.EXE %1"	9a217cf11b0abe9da14ce4ffea4233a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\RGMYI.EXE"	9a217cf11b0abe9da14ce4ffea4233a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	9a217cf11b0abe9da14ce4ffea4233a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	9a217cf11b0abe9da14ce4ffea4233a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	9a217cf11b0abe9da14ce4ffea4233a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	9a217cf11b0abe9da14ce4ffea4233a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\FDLYQUB.EXE %1"	9a217cf11b0abe9da14ce4ffea4233a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	9a217cf11b0abe9da14ce4ffea4233a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	9a217cf11b0abe9da14ce4ffea4233a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	9a217cf11b0abe9da14ce4ffea4233a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	9a217cf11b0abe9da14ce4ffea4233a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	backgroundTaskHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2360	9a217cf11b0abe9da14ce4ffea4233a7.exe
2360	9a217cf11b0abe9da14ce4ffea4233a7.exe
2360	9a217cf11b0abe9da14ce4ffea4233a7.exe
2360	9a217cf11b0abe9da14ce4ffea4233a7.exe
1044	backgroundTaskHost.exe
1044	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3348	2360	9a217cf11b0abe9da14ce4ffea4233a7.exe	94
PID 2360 wrote to memory of 3348	2360	9a217cf11b0abe9da14ce4ffea4233a7.exe	94
PID 2360 wrote to memory of 3348	2360	9a217cf11b0abe9da14ce4ffea4233a7.exe	94
PID 2360 wrote to memory of 1044	2360	9a217cf11b0abe9da14ce4ffea4233a7.exe	96
PID 2360 wrote to memory of 1044	2360	9a217cf11b0abe9da14ce4ffea4233a7.exe	96
PID 2360 wrote to memory of 1044	2360	9a217cf11b0abe9da14ce4ffea4233a7.exe	96
PID 1044 wrote to memory of 4592	1044	backgroundTaskHost.exe	95
PID 1044 wrote to memory of 4592	1044	backgroundTaskHost.exe	95
PID 1044 wrote to memory of 4592	1044	backgroundTaskHost.exe	95

C:\Users\Admin\AppData\Local\Temp\9a217cf11b0abe9da14ce4ffea4233a7.exe
"C:\Users\Admin\AppData\Local\Temp\9a217cf11b0abe9da14ce4ffea4233a7.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3348
- F:\$RECYCLE.BIN\backgroundTaskHost.exe
  F:\$RECYCLE.BIN\backgroundTaskHost.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1044

C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
1⤵
- Loads dropped DLL
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ms7002.dll

Filesize
52KB

MD5
876a2a99b81968f5b26e3cbe12063d2b

SHA1
7afa8f33b691b2651b65eb07220cc2fda4b7537c

SHA256
f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0

SHA512
ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

Download Submit
F:\$RECYCLE.BIN\backgroundTaskHost.exe

Filesize
252KB

MD5
0580073af1c875a28f138d976a674763

SHA1
00c6cfbe813b52be96ba245e3226c00dff673091

SHA256
d96a606a8873378302286a8f55ceb57ac8e4bd94a61a233f2c1913a82dba6866

SHA512
6b73ad782058b872c397615f4455b2cdb9a87615b710618dca934a56208884b0451571e1d6b8a78c726c21872191d26246ce1e3114c25602a79a5250c9804de7

Download Submit
F:\$RECYCLE.BIN\backgroundTaskHost.exe

Filesize
156KB

MD5
13913a6cb79a51d7419427221800998e

SHA1
c1566bd3b6c3dd269fba4e6b7beac1d1ece519d6

SHA256
330aa2e04f8e7716cbbbb506a60ce6aaf422e2f44bbb49fc215d27d9ec8f745a

SHA512
9cf66cdef3d1458b8191ed67df4eb9cda370c586be7bd9d4a491d4596533f46d4db900a2f679234a1cc6ff5a63da994e92280a6ed5899f38452a497fe6320193

Download Submit
memory/1044-26-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1044-28-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2360-10-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2360-29-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download