Analysis Overview
SHA256
56cfb7b5579b036bbb080149dd5bfdb6dfa1ed68c9c630f487549d4adb05c242
Threat Level: Shows suspicious behavior
Verdict for the file aa3d0852067bd1fd257472f5af3c2b17.bin: shows suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 02:57
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 02:57
Reported
2024-02-29 03:00
Platform
win7-20240221-en
Max time kernel
119s
Max time network
132s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Fonts\76ZIHMEZJI.sys | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Fonts\76ZIHMEZJI.sys | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Fonts\76ZIHMEZJI.sys |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe
"C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe"
C:\Windows\Fonts\76ZIHMEZJI.sys
C:\Windows\Fonts\\76ZIHMEZJI.sys
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 36
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
Network
Files
memory/2324-0-0x0000000000400000-0x0000000000565000-memory.dmp
\Windows\Fonts\76ZIHMEZJI.sys
| MD5 | a7008ec876370b1fef6b9a594ffd1009 |
| SHA1 | 46774968567c74145dcc8b15f6b127547e90a581 |
| SHA256 | 25572294ebbb1e757b38cdb894e80c7031ca8034afe97fe11d05e3eb27d68574 |
| SHA512 | 87f43cf5951c3c6533e35a70c2d5e1285dacaeff69387e230e458063e356aa0baa1b0ef5f9fdca46b4294f66bde33c96dd079743da0a5a2e92975c3b72bae5bc |
memory/2324-11-0x0000000002020000-0x00000000020E7000-memory.dmp
memory/2956-10-0x0000000000400000-0x00000000004C63E0-memory.dmp
memory/2324-8-0x0000000002020000-0x00000000020E7000-memory.dmp
memory/2324-19-0x0000000000400000-0x0000000000565000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tem.vbs
| MD5 | a027919e332b58969f064e8da9155a4d |
| SHA1 | 0ecf2b41e09461983b4a6f4b325442cb958fb2e9 |
| SHA256 | 8269e89541f3cd23aca5798682a98815162a6bef4394b1c988d42e5c8b1522f7 |
| SHA512 | 851cb81bbf8f51fc35e432c920abc52d58934f4d799aef1b31095c9dea1efcd926dbed8aeededfc5774a389f4d88c27af143d90e7a8f4546978f9b57973aa803 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 02:57
Reported
2024-02-29 02:59
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Fonts\76ZIHMEZJI.sys | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Fonts\76ZIHMEZJI.sys | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Fonts\76ZIHMEZJI.sys |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3548 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\Fonts\76ZIHMEZJI.sys |
| PID 3548 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\Fonts\76ZIHMEZJI.sys |
| PID 3548 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\Fonts\76ZIHMEZJI.sys |
| PID 3548 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 3548 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 3548 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe | C:\Windows\SysWOW64\WScript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe
"C:\Users\Admin\AppData\Local\Temp\aa3d0852067bd1fd257472f5af3c2b17.exe"
C:\Windows\Fonts\76ZIHMEZJI.sys
C:\Windows\Fonts\\76ZIHMEZJI.sys
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 228
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
Files
memory/3548-0-0x0000000000400000-0x0000000000565000-memory.dmp
C:\Windows\Fonts\76ZIHMEZJI.sys
| MD5 | a7008ec876370b1fef6b9a594ffd1009 |
| SHA1 | 46774968567c74145dcc8b15f6b127547e90a581 |
| SHA256 | 25572294ebbb1e757b38cdb894e80c7031ca8034afe97fe11d05e3eb27d68574 |
| SHA512 | 87f43cf5951c3c6533e35a70c2d5e1285dacaeff69387e230e458063e356aa0baa1b0ef5f9fdca46b4294f66bde33c96dd079743da0a5a2e92975c3b72bae5bc |
memory/4908-5-0x0000000000400000-0x00000000004C63E0-memory.dmp
memory/3548-7-0x0000000000400000-0x0000000000565000-memory.dmp
memory/3548-8-0x0000000000400000-0x0000000000565000-memory.dmp
memory/4908-11-0x0000000000400000-0x00000000004C63E0-memory.dmp
memory/3548-12-0x0000000000400000-0x0000000000565000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tem.vbs
| MD5 | a027919e332b58969f064e8da9155a4d |
| SHA1 | 0ecf2b41e09461983b4a6f4b325442cb958fb2e9 |
| SHA256 | 8269e89541f3cd23aca5798682a98815162a6bef4394b1c988d42e5c8b1522f7 |
| SHA512 | 851cb81bbf8f51fc35e432c920abc52d58934f4d799aef1b31095c9dea1efcd926dbed8aeededfc5774a389f4d88c27af143d90e7a8f4546978f9b57973aa803 |