e94674b83aae47c337812a1db03117fc0c34a26da0fc2cdb395b89bccb667cfc

General

Target

b5661fb07d2b3d1a440e2f3e3e3da6f7.exe
Size

1.6MB
MD5

b5661fb07d2b3d1a440e2f3e3e3da6f7
SHA1

f0b641f0023ce69887f1df1bb3933b60096139ee
SHA256

e94674b83aae47c337812a1db03117fc0c34a26da0fc2cdb395b89bccb667cfc
SHA512

70a6200bcc41d8b5c28b514c33a999a23916aeb4475d41f11614874072394a6a709e9c2c9710de6007289410578600db555946c51758d14614107b3af6e7019a
SSDEEP

49152:31R+OAGKRwtsCds9U68eu8SExZGJbPq89o9m8erS:37+o5sCds268evSExwV9o9mw

Score

7^/10

aspackv2 bootkit persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a0000000231e0-17.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
1060	ssinitar.exe
1660	setup.exe
2736	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
772	Rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	setup.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2736	setup.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2736	setup.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2736	setup.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2736	setup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 1060	4428	b5661fb07d2b3d1a440e2f3e3e3da6f7.exe	92
PID 4428 wrote to memory of 1060	4428	b5661fb07d2b3d1a440e2f3e3e3da6f7.exe	92
PID 4428 wrote to memory of 1060	4428	b5661fb07d2b3d1a440e2f3e3e3da6f7.exe	92
PID 4428 wrote to memory of 1660	4428	b5661fb07d2b3d1a440e2f3e3e3da6f7.exe	93
PID 4428 wrote to memory of 1660	4428	b5661fb07d2b3d1a440e2f3e3e3da6f7.exe	93
PID 4428 wrote to memory of 1660	4428	b5661fb07d2b3d1a440e2f3e3e3da6f7.exe	93
PID 4428 wrote to memory of 772	4428	b5661fb07d2b3d1a440e2f3e3e3da6f7.exe	94
PID 4428 wrote to memory of 772	4428	b5661fb07d2b3d1a440e2f3e3e3da6f7.exe	94
PID 4428 wrote to memory of 772	4428	b5661fb07d2b3d1a440e2f3e3e3da6f7.exe	94
PID 772 wrote to memory of 1436	772	Rundll32.exe	95
PID 772 wrote to memory of 1436	772	Rundll32.exe	95
PID 772 wrote to memory of 1436	772	Rundll32.exe	95
PID 1660 wrote to memory of 2736	1660	setup.exe	97
PID 1660 wrote to memory of 2736	1660	setup.exe	97
PID 1660 wrote to memory of 2736	1660	setup.exe	97

C:\Users\Admin\AppData\Local\Temp\b5661fb07d2b3d1a440e2f3e3e3da6f7.exe
"C:\Users\Admin\AppData\Local\Temp\b5661fb07d2b3d1a440e2f3e3e3da6f7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\ihryqu\ssinitar.exe
  C:\Users\Admin\AppData\Local\Temp\ihryqu\ssinitar.exe -pasdfghij -d"C:\Users\Admin\AppData\Local\Temp\ihryqu\"
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\ihryqu\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\ihryqu\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\ihryqu\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\ihryqu\setup.exe" SEC
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2736
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ihryqu\notedll.txt",acMainDos C:\Users\Admin\AppData\Local\Temp\b5661fb07d2b3d1a440e2f3e3e3da6f7.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c .\danulev1.bat
    3⤵
    PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\danulev1.bat

Filesize
344B

MD5
b3216ce92d3b2f3af3fa61d7f598689b

SHA1
815705214b0a2cc70def8910e0c0c6a84fa6bd8d

SHA256
f2932308db7e187f65ada34ac10bb1a08560cab2271dbc8dfe79784e1747c33f

SHA512
d688d00747686a5cc219da9fa62dd15b62083750169ab128752afea1e1f69b39c92fedf018caf269f496f6f8c71e48a0a0076889d66d534e1f9a796a4865956b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihryqu\notedll.txt

Filesize
517KB

MD5
3a65e80ee8664d1e30ea2b6c604a9d2e

SHA1
67f78c816a1f8a3a6edc9193932bb8193fad541a

SHA256
4aa1e5477a9d9c941f06737cd7d41afdd93ed178863bb16b0afc10f402fa0b67

SHA512
ca40c2068c9ade498e934133cd3c90f80455a68e26cb60f06f319935e96c5062b95128484467b7443509a6ee86128137d9c7f4e7b5c6f89408896da1f63a0713

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihryqu\setup.exe

Filesize
550KB

MD5
4e472e003ee3994635ecb967c8581e1b

SHA1
4d9c60640ab8f0df4dd4fb0ecabd1b49818d48e7

SHA256
dfe6bf380fbde2ccfed76143b0e933231a6b72d970ec8949781c994d83ea9894

SHA512
671b8b0087a1aa14574a613f23b8a30a8622e79e701a071d8aeffc0a0b1aa1b60abf51052c17e341f6c958754e1131b2173c21d3a0ff19c50bba94eb0c6509ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihryqu\setup.txt

Filesize
550KB

MD5
531734e8f228e931663971f7162879fe

SHA1
e049aa2ffdfe9a95d6d7ba49a1e5f553f16a2cf6

SHA256
af1e5c6a29f8b30bed623a644bfe7d7bc6d194db8798f9eb3692877dd4ce3672

SHA512
634354f9feeacd8ba626bf830506dfa7adfbc1e26fc904b54d5f5ff9cc011afed13bd39cc708e5e8bac588ad898480bcb59d8ceeeb91014eefbe5364f13eecae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihryqu\ssinitar.exe

Filesize
1.2MB

MD5
ef8d72a962c1c0b2e7d8858fc1eef73d

SHA1
29c67925d39458abf799a66e689a714558131f73

SHA256
1de80dd1f16cbb2d17d80e2559bf7689dba8883e84de8ce557e02fd71506f9dd

SHA512
12d2fccf6055bf63d0a8eefc469eae45394b0b0da41fdc429c47f318caeaf712515c478e14766ea8e980a95626e1746d546238b2af42019666682a61ff78d8de

Download Submit
memory/1060-11-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1660-23-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1660-27-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/2736-26-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2736-29-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/2736-30-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/2736-31-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2736-32-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4428-0-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/4428-28-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads