Malware Analysis Report

2025-08-11 01:27

Sample ID 240229-dfp5gabg4x
Target aa3d0852067bd1fd257472f5af3c2b17.bin
SHA256 56cfb7b5579b036bbb080149dd5bfdb6dfa1ed68c9c630f487549d4adb05c242
Tags
aspackv2
score
7/10


Analysis Overview

score
7/10

SHA256

56cfb7b5579b036bbb080149dd5bfdb6dfa1ed68c9c630f487549d4adb05c242

Threat Level: Shows suspicious behavior

The file aa3d0852067bd1fd257472f5af3c2b17.bin was found to show suspicious behavior.

Malicious Activity Summary

aspackv2

ASPack v2.12-2.42

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 02:57

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 02:57

Reported

2024-02-29 03:00

Platform

win7-20240221-en

Max time kernel

119s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Fonts\76ZIHMEZJI.sys | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Fonts\76ZIHMEZJI.sys | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Fonts\76ZIHMEZJI.sys

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2324 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\Fonts\76ZIHMEZJI.sys
PID 2324 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\Fonts\76ZIHMEZJI.sys
PID 2324 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\Fonts\76ZIHMEZJI.sys
PID 2324 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\Fonts\76ZIHMEZJI.sys
PID 2956 wrote to memory of 2532 | N/A | C:\Windows\Fonts\76ZIHMEZJI.sys | C:\Windows\SysWOW64\WerFault.exe
PID 2956 wrote to memory of 2532 | N/A | C:\Windows\Fonts\76ZIHMEZJI.sys | C:\Windows\SysWOW64\WerFault.exe
PID 2956 wrote to memory of 2532 | N/A | C:\Windows\Fonts\76ZIHMEZJI.sys | C:\Windows\SysWOW64\WerFault.exe
PID 2956 wrote to memory of 2532 | N/A | C:\Windows\Fonts\76ZIHMEZJI.sys | C:\Windows\SysWOW64\WerFault.exe
PID 2324 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\SysWOW64\WScript.exe
PID 2324 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\SysWOW64\WScript.exe
PID 2324 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\SysWOW64\WScript.exe
PID 2324 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe

"C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe"

C:\Windows\Fonts\76ZIHMEZJI.sys

C:\Windows\Fonts\\76ZIHMEZJI.sys

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 36

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"

Network

N/A

Files

memory/2324-0-0x0000000000400000-0x0000000000565000-memory.dmp

\Windows\Fonts\76ZIHMEZJI.sys

MD5 a7008ec876370b1fef6b9a594ffd1009
SHA1 46774968567c74145dcc8b15f6b127547e90a581
SHA256 25572294ebbb1e757b38cdb894e80c7031ca8034afe97fe11d05e3eb27d68574
SHA512 87f43cf5951c3c6533e35a70c2d5e1285dacaeff69387e230e458063e356aa0baa1b0ef5f9fdca46b4294f66bde33c96dd079743da0a5a2e92975c3b72bae5bc

memory/2324-11-0x0000000002020000-0x00000000020E7000-memory.dmp

memory/2956-10-0x0000000000400000-0x00000000004C63E0-memory.dmp

memory/2324-8-0x0000000002020000-0x00000000020E7000-memory.dmp

memory/2324-19-0x0000000000400000-0x0000000000565000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tem.vbs

MD5 a027919e332b58969f064e8da9155a4d
SHA1 0ecf2b41e09461983b4a6f4b325442cb958fb2e9
SHA256 8269e89541f3cd23aca5798682a98815162a6bef4394b1c988d42e5c8b1522f7
SHA512 851cb81bbf8f51fc35e432c920abc52d58934f4d799aef1b31095c9dea1efcd926dbed8aeededfc5774a389f4d88c27af143d90e7a8f4546978f9b57973aa803

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 02:57

Reported

2024-02-29 02:59

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Fonts\76ZIHMEZJI.sys | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Fonts\76ZIHMEZJI.sys | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Fonts\76ZIHMEZJI.sys

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe

"C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe"

C:\Windows\Fonts\76ZIHMEZJI.sys

C:\Windows\Fonts\\76ZIHMEZJI.sys

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4908 -ip 4908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 228

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp

Files

memory/3548-0-0x0000000000400000-0x0000000000565000-memory.dmp

C:\Windows\Fonts\76ZIHMEZJI.sys

MD5 a7008ec876370b1fef6b9a594ffd1009
SHA1 46774968567c74145dcc8b15f6b127547e90a581
SHA256 25572294ebbb1e757b38cdb894e80c7031ca8034afe97fe11d05e3eb27d68574
SHA512 87f43cf5951c3c6533e35a70c2d5e1285dacaeff69387e230e458063e356aa0baa1b0ef5f9fdca46b4294f66bde33c96dd079743da0a5a2e92975c3b72bae5bc

memory/4908-5-0x0000000000400000-0x00000000004C63E0-memory.dmp

memory/3548-7-0x0000000000400000-0x0000000000565000-memory.dmp

memory/3548-8-0x0000000000400000-0x0000000000565000-memory.dmp

memory/4908-11-0x0000000000400000-0x00000000004C63E0-memory.dmp

memory/3548-12-0x0000000000400000-0x0000000000565000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tem.vbs

MD5 a027919e332b58969f064e8da9155a4d
SHA1 0ecf2b41e09461983b4a6f4b325442cb958fb2e9
SHA256 8269e89541f3cd23aca5798682a98815162a6bef4394b1c988d42e5c8b1522f7
SHA512 851cb81bbf8f51fc35e432c920abc52d58934f4d799aef1b31095c9dea1efcd926dbed8aeededfc5774a389f4d88c27af143d90e7a8f4546978f9b57973aa803