a87831c3199d6c30af70df9871e01214c5a8f1d0e218fb9dc348b9da9aedc7f3

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

580010826dc0a0ce231ceb6c97d62e00.exe
Size

173KB
MD5

580010826dc0a0ce231ceb6c97d62e00
SHA1

64ce875324d662f8da0f269ba7f6923f6a49e541
SHA256

a87831c3199d6c30af70df9871e01214c5a8f1d0e218fb9dc348b9da9aedc7f3
SHA512

1c0f75418766b0aa1ea3e511522e1de068cf88d10364432c0908e03cd2c6f063d7e70ba80c840888dbbadf7f52f7220b3d5732eaacd224a83c462f1a582ca72e
SSDEEP

3072:IUdv8Zim/qoRcLH5Qj8z578v/P/FGNgkf+El48UOmmiC2UGkEK+gHei1ktYct:Pd8Z3J45a/P/FGikWEl48U2EKVT1U5t

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023200-5.dat	aspack_v212_v242

Loads dropped DLL 1 IoCs

pid	Process
4564	580010826dc0a0ce231ceb6c97d62e00.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\king_mg = "C:\\Windows\\system32\\mgking.exe"	580010826dc0a0ce231ceb6c97d62e00.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mgking.exe	580010826dc0a0ce231ceb6c97d62e00.exe
File opened for modification	C:\Windows\SysWOW64\mgking0.dll	580010826dc0a0ce231ceb6c97d62e00.exe
File created	C:\Windows\SysWOW64\mgking0.dll	580010826dc0a0ce231ceb6c97d62e00.exe
File opened for modification	C:\Windows\SysWOW64\mgking.exe	580010826dc0a0ce231ceb6c97d62e00.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1996	4564	WerFault.exe	75
1240	4564	WerFault.exe	75

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe
4564	580010826dc0a0ce231ceb6c97d62e00.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 3596	4564	580010826dc0a0ce231ceb6c97d62e00.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3596
- C:\Users\Admin\AppData\Local\Temp\580010826dc0a0ce231ceb6c97d62e00.exe
  "C:\Users\Admin\AppData\Local\Temp\580010826dc0a0ce231ceb6c97d62e00.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 228
    3⤵
    - Program crash
    PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 464
    3⤵
    - Program crash
    PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4564 -ip 4564
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4564 -ip 4564
1⤵
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mgking0.dll

Filesize
113KB

MD5
a919ffcce9fc97ef023b92092321e7cc

SHA1
1e28d9f3bd7d489b02235e0b9cf444d25cbdcf74

SHA256
53ecb6f88cacb31841717f0793648ef6961126aab8fc1d4d6f381cab80f2a8c8

SHA512
8765b21f4916a61caffb3565735a5921754455addac53d01ccd86d866f25bdd7e2837e1ad330d658519df9a635ec236e2ed39f5d9f73911a21869b159d04eb82

Download Submit
memory/4564-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4564-8-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/4564-9-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4564-10-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download