Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system -
submitted
12/02/2024, 16:32
Static task
static1
Behavioral task
behavioral1
Sample
19d0719a1f49c79b3ed60f06e714605bd1544698a04bab29ea0121f953d92d64.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
19d0719a1f49c79b3ed60f06e714605bd1544698a04bab29ea0121f953d92d64.exe
Resource
win10v2004-20231222-en
General
-
Target
19d0719a1f49c79b3ed60f06e714605bd1544698a04bab29ea0121f953d92d64.exe
-
Size
80KB
-
MD5
fa375bae7fb3b119ab0663927a731f78
-
SHA1
6f99ac114fe8f3f261702acd2d9d326914cf5e24
-
SHA256
19d0719a1f49c79b3ed60f06e714605bd1544698a04bab29ea0121f953d92d64
-
SHA512
b542a75a9c8e89092debf6ede12b202f6fe141de099169b7c962b72e18bfc35cda99955462b1cbe9decd743cb409ffd42db83d9de873a3825d4f370f25cc6acb
-
SSDEEP
1536:+q6r/s2ZA11SEBNH9YGQ/Ki2kbyGCq2iW7z:TmsJ1SEB7Y/qXGCH
Malware Config
Signatures
-
resource  yara_rule
behavioral2/files/0x0007000000023237-3.dat  aspack_v212_v242
-
Executes dropped EXE 1 IoCs
pid  Process
3760  tzLkXF.exe
-
Drops file in Program Files directory 64 IoCs
description  ioc  Process
File opened for modification  C:\Program Files\dotnet\dotnet.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE  tzLkXF.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\pack200.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\policytool.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE  tzLkXF.exe
File opened for modification  C:\Program Files\Mozilla Firefox\crashreporter.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\msoasb.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe  tzLkXF.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe  tzLkXF.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Mozilla Firefox\default-browser-agent.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe  tzLkXF.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe  tzLkXF.exe
File opened for modification  C:\Program Files (x86)\Google\Update\Install\{A187A4B0-CF7C-45E5-A279-8E9315C5F33D}\chrome_installer.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe  tzLkXF.exe
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe  tzLkXF.exe
File opened for modification  C:\Program Files (x86)\Windows Mail\wab.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jstack.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe  tzLkXF.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\ktab.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\wsimport.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\servertool.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe  tzLkXF.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe  tzLkXF.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe  tzLkXF.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe  tzLkXF.exe
File opened for modification  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe  tzLkXF.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe  tzLkXF.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description  pid  Process  procid_target
PID 4268 wrote to memory of 3760  4268  19d0719a1f49c79b3ed60f06e714605bd1544698a04bab29ea0121f953d92d64.exe  85
PID 4268 wrote to memory of 3760  4268  19d0719a1f49c79b3ed60f06e714605bd1544698a04bab29ea0121f953d92d64.exe  85
PID 4268 wrote to memory of 3760  4268  19d0719a1f49c79b3ed60f06e714605bd1544698a04bab29ea0121f953d92d64.exe  85
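The two signature blocks above arrive as one flattened line each, which makes them awkward to feed into a hunt or a blocklist. The following is an added example (not part of the report or of the sandbox's own tooling) that parses those blocks back into structured records: it assumes the column layout shown above (description, ioc, Process for file IoCs; PID A wrote to memory of B, pid, Process, procid_target for WriteProcessMemory IoCs). The embedded input is a constructed excerpt containing three of the 64 file IoCs and the three identical WriteProcessMemory rows, copied in the flattened form the page uses.

```python
"""Parse flattened Triage-style signature blocks into structured IoCs.

Added example; the regexes assume the column layout shown in the report
(description, ioc, Process) and the "PID A wrote to memory of B" phrasing.
"""
import re
from collections import Counter

SAMPLE = "19d0719a1f49c79b3ed60f06e714605bd1544698a04bab29ea0121f953d92d64.exe"

# Constructed excerpt: three of the 64 "Drops file in Program Files directory"
# rows from the report, in the one-line form the page shows them in.
DROP_BLOCK = (
    r"description ioc Process "
    r"File opened for modification C:\Program Files\dotnet\dotnet.exe tzLkXF.exe "
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE tzLkXF.exe "
    r"File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe tzLkXF.exe -"
)

# The WriteProcessMemory block as on the page: the same row repeated three times.
WPM_ROW = f"PID 4268 wrote to memory of 3760 4268 {SAMPLE} 85"
WPM_BLOCK = "description pid Process procid_target " + " ".join([WPM_ROW] * 3)

# A path may contain spaces, so the process name is the last whitespace-free
# token before the next row starts (or before end of input).
FILE_IOC = re.compile(
    r"File opened for modification (?P<path>.+?) (?P<proc>\S+)"
    r"(?= File opened for modification|$)"
)
WPM_IOC = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) (?P<target>\d+)"
)


def parse_file_iocs(block):
    """Return [(path, writing_process)] for every 'File opened for modification' row."""
    text = block.strip().rstrip("-").strip()   # drop the page's trailing " -" separator
    return [(m["path"], m["proc"]) for m in FILE_IOC.finditer(text)]


def parse_wpm_iocs(block):
    """Return the distinct (writer_pid, written_pid, writer_image) edges.

    The sandbox logs one row per WriteProcessMemory call, so identical rows
    collapse to a single parent/child relationship.
    """
    edges = set()
    for m in WPM_IOC.finditer(block):
        edges.add((int(m["src"]), int(m["dst"]), m["proc"]))
    return sorted(edges)


def by_product_dir(iocs, depth=3):
    """Count modified executables per directory prefix, e.g. C:\\Program Files\\dotnet."""
    counts = Counter()
    for path, _ in iocs:
        parts = path.split("\\")
        counts["\\".join(parts[:depth])] += 1
    return counts


if __name__ == "__main__":
    files = parse_file_iocs(DROP_BLOCK)
    for path, proc in files:
        print(f"{proc} -> {path}")
    print(by_product_dir(files))
    print(parse_wpm_iocs(WPM_BLOCK))
```

Running the script lists each modified executable with the process that opened it, a per-directory count (useful for seeing which installed products were touched), and the single 4268 -> 3760 write edge behind the three logged rows. The `depth` argument of `by_product_dir` controls how coarse the grouping is; `depth=2` groups by `C:\Program Files` versus `C:\Program Files (x86)`.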
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\19d0719a1f49c79b3ed60f06e714605bd1544698a04bab29ea0121f953d92d64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\19d0719a1f49c79b3ed60f06e714605bd1544698a04bab29ea0121f953d92d64.exe"
- Suspicious use of WriteProcessMemory
PID:4268
-
Level 2 (child of PID 4268): C:\Users\Admin\AppData\Local\Temp\tzLkXF.exe
Command line: C:\Users\Admin\AppData\Local\Temp\tzLkXF.exe
- Executes dropped EXE
- Drops file in Program Files directory
PID:3760
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
4B
MD5 d3b07384d113edec49eaa6238ad5ff00
SHA1 f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256 b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA512 0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
-
Filesize
4B
MD5 20879c987e2f9a916e578386d499f629
SHA1 c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512 bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
-
Filesize
15KB
MD5 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e