Malware Analysis Report

2025-08-11 01:27

Sample ID: 240229-jh2tyaae4t
Target: ae0af1ab4da45887861b4b328c7b4858
SHA256: 8aac244c63b70915cde5e42da5ea49ff0b020adbc10bf91f2b5ce40d64a1f052
Tags: aspackv2 upx
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 8aac244c63b70915cde5e42da5ea49ff0b020adbc10bf91f2b5ce40d64a1f052

Threat Level: Shows suspicious behavior

The file ae0af1ab4da45887861b4b328c7b4858 was found to show suspicious behavior.

Malicious Activity Summary

Tags: aspackv2 upx

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-29 07:40

Signatures

ASPack v2.12-2.42 (tag: aspackv2)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-29 07:40
Reported: 2024-02-29 07:43
Platform: win7-20240221-en
Max time kernel: 141s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae0af1ab4da45887861b4b328c7b4858.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Executes dropped EXE

Description  Indicator  Process                                      Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\APP-2.Exe  N/A

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Drops file in System32 directory

Description                   Indicator                        Process                                      Target
File created                  C:\Windows\SysWOW64\APP-2nq.dll  C:\Users\Admin\AppData\Local\Temp\APP-2.Exe  N/A
File opened for modification  C:\Windows\SysWOW64\APP-2nq.dll  C:\Users\Admin\AppData\Local\Temp\APP-2.Exe  N/A

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\ae0af1ab4da45887861b4b328c7b4858.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\APP-2.Exe                             N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ae0af1ab4da45887861b4b328c7b4858.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae0af1ab4da45887861b4b328c7b4858.exe"

C:\Users\Admin\AppData\Local\Temp\APP-2.Exe
  Command line: C:\Users\Admin\AppData\Local\Temp\APP-2.Exe

Network

N/A

Files

memory/1672-0-0x0000000000400000-0x0000000000428000-memory.dmp

\Users\Admin\AppData\Local\Temp\APP-2.exe

MD5: 7c2833f55aa78343d8b455f7ec0e9060
SHA1: ab82ed6864e0b9e21cc4778bde467d173984e795
SHA256: 908b253dfcde4383ae96bf0ae02cf1348f7006fbc365dd66f3954229a241f874
SHA512: 826d756e5e9f9f21315ad7a505ae88a81d9b1a28da6bc16e3aa7c83c8d7e77ffa661ec6e0bb91e5118bff4ddd649698ef8515d8a77d31caff11b92251c413c00

memory/1672-11-0x00000000002F0000-0x0000000000307000-memory.dmp

memory/1672-12-0x00000000002F0000-0x0000000000307000-memory.dmp

memory/1444-14-0x0000000000400000-0x0000000000417000-memory.dmp

\Windows\SysWOW64\APP-2nq.dll

MD5: 5fb7c17be1034d6b7b092183b85c9954
SHA1: 08e769ff257c308a7eca835513d7e230121f8eed
SHA256: d2226759a52ee530eac71beabbf06fcff7b7625a6c9d57439da9224ba7432592
SHA512: a8119981c97196e1dcf54e0c73eb257f59beca2205b2b50a7da72d640fe766efa7e172faa0c5bd3afe1be41019beabbe27f16cbc8681eb45fb89514df040f3fd

memory/1444-20-0x0000000000310000-0x000000000031E000-memory.dmp

memory/1672-23-0x0000000000320000-0x000000000032E000-memory.dmp

memory/1672-24-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1444-26-0x0000000000310000-0x000000000031E000-memory.dmp

memory/1672-27-0x00000000002F0000-0x0000000000307000-memory.dmp

memory/1672-28-0x00000000002F0000-0x0000000000307000-memory.dmp

memory/1444-29-0x0000000000400000-0x0000000000417000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-29 07:40
Reported: 2024-02-29 07:43
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae0af1ab4da45887861b4b328c7b4858.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Executes dropped EXE

Description  Indicator  Process                                      Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\APP-2.Exe  N/A

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Drops file in System32 directory

Description                   Indicator                        Process                                      Target
File created                  C:\Windows\SysWOW64\APP-2nq.dll  C:\Users\Admin\AppData\Local\Temp\APP-2.Exe  N/A
File opened for modification  C:\Windows\SysWOW64\APP-2nq.dll  C:\Users\Admin\AppData\Local\Temp\APP-2.Exe  N/A

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                                                 Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\ae0af1ab4da45887861b4b328c7b4858.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\APP-2.Exe                             N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ae0af1ab4da45887861b4b328c7b4858.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae0af1ab4da45887861b4b328c7b4858.exe"

C:\Users\Admin\AppData\Local\Temp\APP-2.Exe
  Command line: C:\Users\Admin\AppData\Local\Temp\APP-2.Exe

Network

Country  Destination        Domain                       Proto
US       8.8.8.8:53         22.160.190.20.in-addr.arpa   udp
US       8.8.8.8:53         9.228.82.20.in-addr.arpa     udp
US       8.8.8.8:53         240.221.184.93.in-addr.arpa  udp
US       8.8.8.8:53         205.47.74.20.in-addr.arpa    udp
US       8.8.8.8:53         41.110.16.96.in-addr.arpa    udp
NL       52.142.223.178:80                               tcp
US       8.8.8.8:53         157.123.68.40.in-addr.arpa   udp
US       8.8.8.8:53         206.23.85.13.in-addr.arpa    udp
US       8.8.8.8:53         18.134.221.88.in-addr.arpa   udp
US       8.8.8.8:53         180.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53         14.227.111.52.in-addr.arpa   udp
US       8.8.8.8:53                                      udp

Files

memory/2448-0-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\APP-2.exe

MD5: 7c2833f55aa78343d8b455f7ec0e9060
SHA1: ab82ed6864e0b9e21cc4778bde467d173984e795
SHA256: 908b253dfcde4383ae96bf0ae02cf1348f7006fbc365dd66f3954229a241f874
SHA512: 826d756e5e9f9f21315ad7a505ae88a81d9b1a28da6bc16e3aa7c83c8d7e77ffa661ec6e0bb91e5118bff4ddd649698ef8515d8a77d31caff11b92251c413c00

memory/2704-6-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Windows\SysWOW64\APP-2nq.dll

MD5: 5fb7c17be1034d6b7b092183b85c9954
SHA1: 08e769ff257c308a7eca835513d7e230121f8eed
SHA256: d2226759a52ee530eac71beabbf06fcff7b7625a6c9d57439da9224ba7432592
SHA512: a8119981c97196e1dcf54e0c73eb257f59beca2205b2b50a7da72d640fe766efa7e172faa0c5bd3afe1be41019beabbe27f16cbc8681eb45fb89514df040f3fd

memory/2704-16-0x00000000005B0000-0x00000000005BE000-memory.dmp

memory/2704-17-0x00000000005B0000-0x00000000005BE000-memory.dmp

memory/2448-21-0x0000000002290000-0x000000000229E000-memory.dmp

memory/2448-22-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2448-23-0x0000000002290000-0x000000000229E000-memory.dmp

memory/2704-25-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2448-30-0x0000000002290000-0x000000000229E000-memory.dmp

memory/2448-63-0x0000000002290000-0x000000000229E000-memory.dmp