16cd7a02ee8ff9c21989477b31a55e6fb4bf406142bc164f9e0556d4f57c8934

General

Target

5a438591b5746bfdc8bd6383d75d0db8.exe
Size

896KB
MD5

5a438591b5746bfdc8bd6383d75d0db8
SHA1

3650bd35145ac6b42a126177885f51a7687b57fc
SHA256

16cd7a02ee8ff9c21989477b31a55e6fb4bf406142bc164f9e0556d4f57c8934
SHA512

7d8336870f012c77ca2b75ad682a8c09cc5442c40d056e969e9d8d3bcb04461ff613f89e164f4288631268d7be1c8792bfe1160a9291bdef6e36eaf35f6cb4cc
SSDEEP

12288:yYNfqsvkQsFvtxcCZeGsU71YmV1sl5h3/vKHUqXV7S+4dkJ0utF3Z4mxxTUn00yV:zbvs/x/AAHqlDxqXI60utQmXT2dy5QkT

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000f000000016d52-16.dat	aspack_v212_v242
behavioral1/files/0x000f000000016d52-20.dat	aspack_v212_v242
behavioral1/files/0x000f000000016d52-18.dat	aspack_v212_v242
behavioral1/files/0x000f000000016d52-22.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2804	HKFXOK.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	5a438591b5746bfdc8bd6383d75d0db8.exe
1956	5a438591b5746bfdc8bd6383d75d0db8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a438591b5746bfdc8bd6383d75d0db8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2804	1956	5a438591b5746bfdc8bd6383d75d0db8.exe	28
PID 1956 wrote to memory of 2804	1956	5a438591b5746bfdc8bd6383d75d0db8.exe	28
PID 1956 wrote to memory of 2804	1956	5a438591b5746bfdc8bd6383d75d0db8.exe	28
PID 1956 wrote to memory of 2804	1956	5a438591b5746bfdc8bd6383d75d0db8.exe	28

C:\Users\Admin\AppData\Local\Temp\5a438591b5746bfdc8bd6383d75d0db8.exe
"C:\Users\Admin\AppData\Local\Temp\5a438591b5746bfdc8bd6383d75d0db8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFXOK.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFXOK.exe
  2⤵
  - Executes dropped EXE
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFXOK.exe

Filesize
306KB

MD5
364a792134ac05ffbe99e19df195f0a2

SHA1
0bee9b3e8215aff8a82d8ae7b8b886466c96f444

SHA256
72f76ae897c118ddad93a3a1b3b6324ac1086879342c8082ad2e67757adc5546

SHA512
517c4f5ddd9f2bd2801b3b24f4db3b2d60e21fff398dc57b3e34ff0c1e9c03364aeda9c081aa238ffea7765b84fc1f1126f364be94d50b3b9e862934976d0ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFXOK.exe

Filesize
244KB

MD5
85353f489321cda6340c79ec5cf8d047

SHA1
c037f6e60c0ba746a5f28b26d452a395e12116e4

SHA256
05b7a20e0ca9088f4e4fe7d8768ad7e6de95c4c5cd8c3106744739a12b16ef8e

SHA512
f7820eca857270fef560a9b5557922a481cddb98b7352aa06097802117ad83272d12fc93fec1a11bbf0859425e2ca9ea0e59e84d6c86d4e6e44fc2dd7e59ff62

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFXOK.exe

Filesize
198KB

MD5
ddcc1d747154525d842b182737d863f1

SHA1
fe8db9bf9a486cd86828ea4345daf597516a949a

SHA256
e5c4d500ba531c50387fb98805e49debe8b0cef15fd21f6b06a811a7794dc33b

SHA512
cd913ae456197f620d7d7f6be489507bfeed5b7e3b144c9da16066551fbf91dbe4ae269235270f636579806a7a19efae5e6ae3d03183fc6d80b5dc93687cb053

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFXOK.exe

Filesize
460KB

MD5
2aacf34b9f0a04b084aa5ce32e2f4436

SHA1
c2aa9beded111b32f306fa6608dfd50aac1ca0e0

SHA256
2ef2bb8e09e45fefca3c10313fcdfade01ce92d35b18dd7678d67408e8c53c7f

SHA512
167dcdb2665502ae01d388f09cefd45d9d1fb3916226dfd3088a2224e7a168d69e4b3b376cbcf79a95ed49fda48108bb0b24f97837b77742c22bdfb354002be1

Download Submit
memory/1956-7-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1956-15-0x0000000003300000-0x0000000003380000-memory.dmp

Filesize
512KB

Download
memory/1956-5-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1956-6-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1956-9-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1956-12-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1956-8-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1956-13-0x0000000003300000-0x0000000003380000-memory.dmp

Filesize
512KB

Download
memory/1956-14-0x0000000003300000-0x0000000003380000-memory.dmp

Filesize
512KB

Download
memory/1956-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/1956-4-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1956-3-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1956-2-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1956-0-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/1956-26-0x0000000001000000-0x00000000011ED000-memory.dmp

Filesize
1.9MB

Download
memory/1956-27-0x0000000003300000-0x0000000003380000-memory.dmp

Filesize
512KB

Download
memory/1956-28-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/1956-23-0x0000000003300000-0x0000000003380000-memory.dmp

Filesize
512KB

Download
memory/1956-29-0x0000000003300000-0x0000000003380000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads