Malware Analysis Report

2025-08-05 21:21

Sample ID 240304-14r1asfh45
Target b33a36a1718cf0c996c00dce8b76659b
SHA256 07e84078d8d4f3cbf855d5a965d8fe4cbe482929c2c35320fb5535a757232356
Tags
aspackv2
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

07e84078d8d4f3cbf855d5a965d8fe4cbe482929c2c35320fb5535a757232356

Threat Level: Shows suspicious behavior

The file b33a36a1718cf0c996c00dce8b76659b was classified as: shows suspicious behavior (score 7/10). No signature in either run names a malware family; the verdict rests on the behaviors listed below.

Malicious Activity Summary

aspackv2

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 22:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 22:12

Reported

2024-03-04 22:15

Platform

win7-20240221-en

Max time kernel

142s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe"

Signatures

ASPack v2.12-2.42

aspackv2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
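The static1 run flags only "Unsigned PE", while both behavioral runs tag the sample aspackv2 (ASPack v2.12-2.42) without naming a process or indicator, so the packer call cannot be verified from the report alone, and which of the two PE files (the submitted self-extractor or the dropped diyoem.exe) carries the packer is not stated. The following Python is an added example, not the sandbox's signature or any code from the report: a dependency-free PE section-table parser that reports the two indicators an ASPack 2.x check normally rests on, the section names .aspack/.adata and the PUSHAD; CALL $+8 unpacking stub at the entry point. The byte pattern and section names are assumptions taken from public packer signatures, and build_test_pe constructs a minimal PE in memory (a constructed input, not either file from the report) so the check can be exercised without the sample.

```python
import json
import struct
import sys

# Indicators used here (assumptions, verify against your own packer corpus):
# ASPack 2.x names its sections ".aspack" and ".adata", and its unpacking stub
# starts with PUSHAD; CALL $+8 (60 E8 03 00 00 00 ...) at the entry point.
ASPACK_SECTIONS = {b".aspack", b".adata"}
ASPACK_EP_STUB = bytes.fromhex("60e803000000e9eb045d4555c3e801000000eb5d")


def section_table(data):
    """Return (entry-point RVA, [(name, vsize, va, rawsize, rawptr), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    ep_rva = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]  # AddressOfEntryPoint
    first = e_lfanew + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, first + 40 * i)
        secs.append((name.rstrip(b"\0"), vsize, va, rawsize, rawptr))
    return ep_rva, secs


def section_for_rva(secs, rva):
    """Find the section header whose virtual range contains rva."""
    for sec in secs:
        _name, vsize, va, rawsize, _rawptr = sec
        if va <= rva < va + max(vsize, rawsize):
            return sec
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def aspack_indicators(data):
    """Collect the section-name and entry-point evidence for an ASPack 2.x stub."""
    ep_rva, secs = section_table(data)
    name, _vsize, va, _rawsize, rawptr = section_for_rva(secs, ep_rva)
    ep_off = ep_rva - va + rawptr                                 # RVA -> file offset
    ep_bytes = data[ep_off:ep_off + len(ASPACK_EP_STUB)]
    present = ASPACK_SECTIONS & {s[0] for s in secs}
    return {
        "sections": [s[0].decode("latin-1") for s in secs],
        "aspack_sections": sorted(n.decode("latin-1") for n in present),
        "ep_section": name.decode("latin-1"),
        "ep_stub_match": ep_bytes == ASPACK_EP_STUB,
    }


def looks_like_aspack(data):
    ind = aspack_indicators(data)
    return ind["ep_stub_match"] or len(ind["aspack_sections"]) == 2


def build_test_pe(section_names, ep_index, ep_code):
    """Constructed minimal PE32 (header-consistent, not loadable) for exercising the checks above."""
    n = len(section_names)
    opt_size, file_align = 224, 0x200
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * n
    raw_off = -(-headers_len // file_align) * file_align          # round up to file alignment
    first_raw, va, sec_hdrs, bodies, ep_rva = raw_off, 0x1000, b"", [], None
    for i, name in enumerate(section_names):
        body = (ep_code if i == ep_index else b"\x90" * 16).ljust(file_align, b"\0")
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(body), va, len(body), raw_off,
                                0, 0, 0, 0, 0x60000020)
        bodies.append(body)
        if i == ep_index:
            ep_rva = va
        va += 0x1000
        raw_off += len(body)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, ep_rva)                       # AddressOfEntryPoint
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(first_raw, b"\0")
    return headers + b"".join(bodies)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(json.dumps(aspack_indicators(f.read()), indent=2))
```

Run it against both PE files from the report (`python aspack_check.py sample.exe`, an assumed file name). A hit on either indicator means the static view of imports and strings describes the packer stub rather than the payload, so string- and import-based triage should be repeated on a memory dump taken after the stub has finished, such as the 0x400000-0x4EC000 regions listed under Files.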

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe

"C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe"
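The process tree above shows the submitted file spawning diyoem.exe out of %TEMP%\RarSFX0\, the directory a WinRAR self-extracting archive unpacks into, and that child then creating a machine-wide CLSID key (the "Executes dropped EXE" and "Modifies registry class" signatures). The following Python is an added example, not part of the report or of any detection product: two rules applied to constructed Sysmon-style events that would flag exactly this chain. The event layout, the PIDs and the two benign control events are assumptions; the image paths and the registry key are the ones recorded above.

```python
import re

# Constructed events in a Sysmon-like shape (assumption, not the sandbox's log
# format): event_id 1 = process creation, event_id 12 = registry key created.
EVENTS = [
    {"event_id": 1, "pid": 101,
     "image": r"C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "pid": 102,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe"},
    {"event_id": 12, "pid": 102,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe",
     "target_object": r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}"},
    # Benign controls (constructed): WinRAR opened by the user, and an installer
    # registering a COM class with a placeholder GUID.
    {"event_id": 1, "pid": 103, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 12, "pid": 104, "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}"},
]

# WinRAR SFX stubs extract to %TEMP%\RarSFX<n>\ before launching the payload.
SFX_EXTRACT_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
HKLM_CLSID = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:WOW6432Node\\)?CLSID\\"
    r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}",
    re.IGNORECASE)


def rule_sfx_payload_exec(ev):
    """Executable launched from an SFX extraction directory by a parent that itself lives in Temp."""
    return bool(ev["event_id"] == 1
                and SFX_EXTRACT_DIR.search(ev["image"])
                and USER_TEMP.search(ev["parent_image"]))


def rule_temp_binary_registers_clsid(ev):
    """Machine-wide COM class key created by a binary running out of the user's Temp."""
    return bool(ev["event_id"] == 12
                and USER_TEMP.search(ev["image"])
                and HKLM_CLSID.match(ev["target_object"]))


RULES = {
    "sfx_payload_exec_from_temp": rule_sfx_payload_exec,
    "temp_binary_creates_hklm_clsid": rule_temp_binary_registers_clsid,
}


def detect(events):
    """Return (rule, pid, image) for every event a rule matches, in event order."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev["pid"], ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, image in detect(EVENTS):
        print(f"{rule}: pid={pid} image={image}")
```

Both rules require the acting process to live under the user's Temp directory: a CLSID key creation on its own is routine for installers, so the registry rule is only useful in that combination, and the SFX rule will also fire for a legitimate self-extracting installer that a user ran from Temp, which is a tuning decision rather than a bug. Correlating the two hits on the same PID, as the sandbox does here, is the stronger signal.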

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.vokor.com udp
CN 47.103.23.98:80 www.vokor.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\athlon\oemlink.ico

MD5 bc4beff42913d8ccbdaa28bd6986af4f
SHA1 205a6ec66eceaf5db13332fca8f48f49b9c770f8
SHA256 eeaa1205fb8c5b03d74a2cd7547d2e51c71211d59624f292a0a00ac138ad6183
SHA512 98434e747750b1a773f3ad42487dc0da28934e3006ac3da3c8c21c772bd66c0b6958f966d2260e437d94e7c296da7adc2f621181210e0acc7baa0af370c5b989

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\Celeronm\OEMLINK.ICO

MD5 e85685a3cc9728d77eef0a1a1f3d344d
SHA1 b88172fd5515917479e001f3fa2b6719e27bd8e3
SHA256 1be03b5bcb4c8beb6092f973d2bb4d7d23d9b3390dae7c737418b8e3d4c2e0ad
SHA512 fe6c532c1129d1373e781b800af9ec3c7571387dcf68bb500de37cd988bb93ef1fd1b1233d07348e938e1cbdaf6c9fa114e06ed6dded62f8bd7a167db223695e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\viac7m\OEMINFO.INI

MD5 868d80a05759da985ac5dfc18a8b48b0
SHA1 c139d16a4783d07d726f25c7b3d29216896c5a64
SHA256 a602ed6d6302767cb3b17eca3be4b4391a5a666615b0c0678f3b7ea02c2cf775
SHA512 e6eb60e04681a365f6f7b2e08fd8b92b8827537b7c049b7dc1bcb7daff9be7bb506cc9fe139da57d72085547b06170d5e334ba6c5450e40d94d969e3221b2934

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\viac7m\OEMLINK.bmp

MD5 cdb0b2189d180f0bc4d9012255819e8d
SHA1 16271fc9f8ec14ec06dac0f58acd1c3cb2fc8450
SHA256 b6eba1a771610d3d95e4cbda638f3bafa2c89f321d17fd03d3548e29a3eadb62
SHA512 5abd47535325566774ccd7023deb774cda948466f5c59b76c851b16eba083ad20853266219dfe5cccf73eaaf03968c506352394dd1b8982ee5ba0e0fef2f8859

\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe

MD5 ae88e2a3d20aa2d58d27ef444a062c33
SHA1 2aa03d1a8924b10627b36b90edcb80b603fb724d
SHA256 90ea85869ce366be2c0cf3895bd63b40890d2f3b80a2fab9f61e68a98c101f63
SHA512 4e264185c1f13079937e22f9c9e8f3f0437718e1e134f3bb2e7e9ee6d836009e84c11c231fe80bab3616821ca676eb58ecc2b3bca21482cb64edd727c906d923

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdiy.ini

MD5 d1c6afeff964043a631718dd3fdcb559
SHA1 5c6663cafa2274fe05b074ec8f9994faa2781925
SHA256 20e617230be0495fa648de153af6ea6f2ad12ee2ce1df8836b1f742bac249bfc
SHA512 a5332e6cf34347b4d1c8b50c7d27165b0338baf34dac36b8bf188acc87d76ec708c881806627a460346399b701308cba5ebb509f62501f6b3588691ad582b1bf

memory/2188-445-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2864-446-0x0000000000400000-0x00000000004EC000-memory.dmp

memory/2864-450-0x0000000000400000-0x00000000004EC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 22:12

Reported

2024-03-04 22:15

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe"

Signatures

ASPack v2.12-2.42

aspackv2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0} | C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe

"C:\Users\Admin\AppData\Local\Temp\b33a36a1718cf0c996c00dce8b76659b.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 www.vokor.com udp
CN 47.103.23.98:80 www.vokor.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 23.178.78.104.in-addr.arpa udp
US 8.8.8.8:53 162.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 202.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
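The two Network tables (behavioral1 on the win7 image, behavioral2 on win10) differ mostly in rows that are not obviously sample-driven: the win10 run adds reverse-DNS (in-addr.arpa) lookups and Bing traffic, which is consistent with OS background activity on that image. The only contact common to both runs is www.vokor.com resolving to 47.103.23.98:80 (CN). The following Python is an added example, not part of the report: it parses rows in the report's `Country Destination Domain Proto` layout, drops the resolver query rows and an assumed background-domain list, and keeps the contacts seen in every run. The rows embedded below are copied from the tables above (a subset of the win10 run); the resolver address and the noise suffix list are assumptions to tune per sandbox image.

```python
import re
from collections import defaultdict

# Rows copied from the two Network tables in this report (the win10 run is a
# subset), embedded so the script runs offline.
# Layout: Country Destination Domain Proto
RUN_TABLES = {
    "behavioral1": """
US 8.8.8.8:53 www.vokor.com udp
CN 47.103.23.98:80 www.vokor.com tcp
""",
    "behavioral2": """
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 www.vokor.com udp
CN 47.103.23.98:80 www.vokor.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
""",
}

# Assumptions to tune per sandbox image: the resolver the VM is pointed at, and
# domain suffixes the OS contacts on its own (reverse-DNS noise, Bing/Edge
# background traffic on Windows 10). Treat the list as a starting point only.
RESOLVER_IP = "8.8.8.8"
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")


def parse_rows(text):
    """Parse the report's flat table rows; fail loudly on anything unexpected."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed network row: {line!r}")
        rows.append(m.groupdict())
    return rows


def is_background(domain):
    return domain.lower().endswith(BACKGROUND_SUFFIXES)


def extract_iocs(run_tables):
    """Map each non-background domain to the endpoints contacted and the runs it appeared in."""
    iocs = defaultdict(lambda: {"endpoints": set(), "runs": set()})
    for run, text in run_tables.items():
        for r in parse_rows(text):
            if is_background(r["domain"]):
                continue
            entry = iocs[r["domain"]]
            entry["runs"].add(run)
            if r["ip"] != RESOLVER_IP:  # the DNS query row is not a contact with the host
                entry["endpoints"].add(f"{r['ip']}:{r['port']}/{r['proto']}")
    return dict(iocs)


def consistent_iocs(run_tables):
    """Domains seen in every run: behaviour the sample reproduces regardless of OS image."""
    all_runs = set(run_tables)
    return {d: v for d, v in extract_iocs(run_tables).items() if v["runs"] == all_runs}


def defang(indicator):
    """Bracket the dots so the indicator is not clickable when pasted into a ticket."""
    return indicator.replace(".", "[.]")


if __name__ == "__main__":
    for domain, v in sorted(consistent_iocs(RUN_TABLES).items()):
        print(defang(domain), sorted(defang(e) for e in v["endpoints"]), sorted(v["runs"]))
```

The suffix filter is deliberately a denylist of well-known noise rather than an allowlist of "interesting" domains, so anything unexpected survives to be reviewed; the cost is that the list has to be re-checked whenever the sandbox image changes. A domain that appears in only one run is still worth recording, but the cross-run intersection is the set to block or hunt for first.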

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\athlon\oemlink.ico

MD5 bc4beff42913d8ccbdaa28bd6986af4f
SHA1 205a6ec66eceaf5db13332fca8f48f49b9c770f8
SHA256 eeaa1205fb8c5b03d74a2cd7547d2e51c71211d59624f292a0a00ac138ad6183
SHA512 98434e747750b1a773f3ad42487dc0da28934e3006ac3da3c8c21c772bd66c0b6958f966d2260e437d94e7c296da7adc2f621181210e0acc7baa0af370c5b989

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\Celeronm\OEMLINK.ICO

MD5 e85685a3cc9728d77eef0a1a1f3d344d
SHA1 b88172fd5515917479e001f3fa2b6719e27bd8e3
SHA256 1be03b5bcb4c8beb6092f973d2bb4d7d23d9b3390dae7c737418b8e3d4c2e0ad
SHA512 fe6c532c1129d1373e781b800af9ec3c7571387dcf68bb500de37cd988bb93ef1fd1b1233d07348e938e1cbdaf6c9fa114e06ed6dded62f8bd7a167db223695e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\viac7m\OEMINFO.INI

MD5 868d80a05759da985ac5dfc18a8b48b0
SHA1 c139d16a4783d07d726f25c7b3d29216896c5a64
SHA256 a602ed6d6302767cb3b17eca3be4b4391a5a666615b0c0678f3b7ea02c2cf775
SHA512 e6eb60e04681a365f6f7b2e08fd8b92b8827537b7c049b7dc1bcb7daff9be7bb506cc9fe139da57d72085547b06170d5e334ba6c5450e40d94d969e3221b2934

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdata\viac7m\OEMLINK.bmp

MD5 cdb0b2189d180f0bc4d9012255819e8d
SHA1 16271fc9f8ec14ec06dac0f58acd1c3cb2fc8450
SHA256 b6eba1a771610d3d95e4cbda638f3bafa2c89f321d17fd03d3548e29a3eadb62
SHA512 5abd47535325566774ccd7023deb774cda948466f5c59b76c851b16eba083ad20853266219dfe5cccf73eaaf03968c506352394dd1b8982ee5ba0e0fef2f8859

C:\Users\Admin\AppData\Local\Temp\RarSFX0\diyoem.exe

MD5 ae88e2a3d20aa2d58d27ef444a062c33
SHA1 2aa03d1a8924b10627b36b90edcb80b603fb724d
SHA256 90ea85869ce366be2c0cf3895bd63b40890d2f3b80a2fab9f61e68a98c101f63
SHA512 4e264185c1f13079937e22f9c9e8f3f0437718e1e134f3bb2e7e9ee6d836009e84c11c231fe80bab3616821ca676eb58ecc2b3bca21482cb64edd727c906d923

memory/4140-442-0x00000000006E0000-0x00000000006E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\oemdiy.ini

MD5 d1c6afeff964043a631718dd3fdcb559
SHA1 5c6663cafa2274fe05b074ec8f9994faa2781925
SHA256 20e617230be0495fa648de153af6ea6f2ad12ee2ce1df8836b1f742bac249bfc
SHA512 a5332e6cf34347b4d1c8b50c7d27165b0338baf34dac36b8bf188acc87d76ec708c881806627a460346399b701308cba5ebb509f62501f6b3588691ad582b1bf

memory/216-444-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4140-445-0x0000000000400000-0x00000000004EC000-memory.dmp

memory/4140-449-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/4140-450-0x0000000000400000-0x00000000004EC000-memory.dmp