Overview

overview

10

Static

static

3

73ae2f529c...fe.exe

windows7-x64

10

73ae2f529c...fe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2024 03:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73ae2f529cc85be3df021318041f40fe.exe

  • Size

    373KB

  • MD5

    73ae2f529cc85be3df021318041f40fe

  • SHA1

    37b93f5aabdc32c63ad2cd35f164a26bba9e1294

  • SHA256

    62016a398e0047d22414e322488e63e54f714578497e836a49ce64e90494a9ff

  • SHA512

    38abadd6ec39f587d21868ba86c89f9746c0b9c35a15e7bc9051b1c17c5ba342f1fa6e83c05ae826fbbda6fb8e7a09a9f0f66d420ce2cd2b7c57fcf015461184

  • SSDEEP

    6144:LGFWi0nLzd4VhtV3xfN5fa+Wk/20pP2+T8C7Yi81W4xN6KwKn78VBqqrQ:ji0/d47tV3xVve6P2y77Yb6KPn78jfQ

Score
10/10
aspackv2persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73ae2f529cc85be3df021318041f40fe.exe
    "C:\Users\Admin\AppData\Local\Temp\73ae2f529cc85be3df021318041f40fe.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\DetoX-HACKS.exe
      "C:\Windows\System32\DetoX-HACKS.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\fservice.exe
        C:\Windows\system32\fservice.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Windows\services.exe
          C:\Windows\services.exe -XP
          4⤵
          • Modifies WinLogon for persistence
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies WinLogon
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\SysWOW64\NET.exe
            NET STOP srservice
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2996
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 STOP srservice
              6⤵
                PID:2780
            • C:\Windows\SysWOW64\NET.exe
              NET STOP navapsvc
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2736
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 STOP navapsvc
                6⤵
                  PID:2560
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Windows\SysWOW64\DetoX-HACKS.exe.bat
            3⤵
              PID:2496

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\DetoX-HACKS.exe.bat
          Filesize

          105B

          MD5

          86add7cdaae02129f5c4b08dd0dce47d

          SHA1

          bc721be8b7d51d3dee90f8bc60fcc9af7ba4cea7

          SHA256

          cf1f3e2fe9ba13cff848c851e2c91e5c67c81c324bc7b9b9fca18c7c71d54539

          SHA512

          7fe059951b8b74af98a58a78249f9a9f0e4d586a17a59e5e602a5ff460dc5caab9ffcfd2e3a2ea16dcb459049c51d4ff3a85879e53f77345becd4f8bdb320388

          Download Submit

        • C:\Windows\system\sservice.exe
          Filesize

          8KB

          MD5

          415bc3d3b4ca95643c2f040cb6d95792

          SHA1

          1099f8c8891c8477b03f7d4c7d7855af1011c511

          SHA256

          0887a50ed50eb30db5945acda80223f4d4bee64547c974d0aca296ab48fb043a

          SHA512

          a59e4f99f60083fc44e224d15671e73dde380459336ad1e30eee43fabaa691bb57e636dfd03d4919b179922cea7eacddb4f3076a28f240a64c0b8f64889e6698

          Download Submit

        • \Windows\SysWOW64\DetoX-HACKS.exe
          Filesize

          342KB

          MD5

          7e58c655c09466daf23d107b5ad481b8

          SHA1

          0edc33f0694a4fe70f2028b2b8114fa0592a3204

          SHA256

          f8d7a8108aa4bbc139d314f0b624927e15d205ef3e2592492284f70c5fb83bea

          SHA512

          1ea2f52716c22d3e6b7b3f5dd90fbf55d13a2c99f752e3f670f4ba6261f3b901beafa2dfca600fcb256d5b0baf8d46fc225569459c363951f64e9ce1413101ea

          Download Submit

        • \Windows\SysWOW64\reginv.dll
          Filesize

          36KB

          MD5

          562e0d01d6571fa2251a1e9f54c6cc69

          SHA1

          83677ad3bc630aa6327253c7b3deffbd4a8ce905

          SHA256

          c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

          SHA512

          166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

          Download Submit

        • \Windows\SysWOW64\winkey.dll
          Filesize

          13KB

          MD5

          b4c72da9fd1a0dcb0698b7da97daa0cd

          SHA1

          b25a79e8ea4c723c58caab83aed6ea48de7ed759

          SHA256

          45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

          SHA512

          f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

          Download Submit

        • memory/1680-62-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1680-13-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1680-26-0x00000000030F0000-0x00000000032EC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1680-28-0x00000000030F0000-0x00000000032EC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1680-12-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2168-44-0x00000000031A0000-0x000000000339C000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2168-52-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2168-27-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2168-29-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2336-10-0x0000000002F30000-0x000000000312C000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2336-3-0x0000000002F30000-0x000000000312C000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2336-9-0x0000000010000000-0x0000000010066000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2712-70-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-72-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-43-0x0000000010000000-0x000000001000B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2712-64-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-65-0x0000000010000000-0x000000001000B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2712-66-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-67-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-69-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2712-45-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2712-39-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-74-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-76-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-78-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-80-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-82-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-84-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-86-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-88-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-90-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2712-92-0x0000000000400000-0x00000000005FC000-memory.dmp

          Filesize

          2.0MB

          Download