a62cbd252c60c6cfa6dd75ef50afbaafc3a7cc45676b187d2ad638543f160a38

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a62cbd252c60c6cfa6dd75ef50afbaafc3a7cc45676b187d2ad638543f160a38.exe
Size

140KB
MD5

4c9b44e14c56808bdb8023bd81160b27
SHA1

c0c767592e2cd69af4bad203d763f9e3cc10d730
SHA256

a62cbd252c60c6cfa6dd75ef50afbaafc3a7cc45676b187d2ad638543f160a38
SHA512

6faa145db73a1a0d6d2c22b334a47f417bec40b6faf86c8fccb0207347f9a8b1d795572e9caafb17b0ace550fa5b6ffef2e40a3383d51ee615ee0b259cdc2925
SSDEEP

3072:ri0FEplmmNJ/CHd6bOjU2GNUWdyeERIdbph:lEr7J6rQ1NUWdyDRS

Score

9^/10

aspackv2 persistence

Malware Config

Signatures

Detects executables packed with ASPack 5 IoCs

resource	yara_rule
behavioral1/memory/2956-0-0x0000000000400000-0x000000000045E000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2956-1-0x0000000000400000-0x000000000045E000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2956-2-0x0000000000400000-0x000000000045E000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x002a000000015c3c-7.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2652-9-0x0000000000400000-0x000000000045E000-memory.dmp	INDICATOR_EXE_Packed_ASPack

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x002a000000015c3c-7.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2652	tbckyxk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\tbckyxk.exe	a62cbd252c60c6cfa6dd75ef50afbaafc3a7cc45676b187d2ad638543f160a38.exe
File created	C:\PROGRA~3\Mozilla\newtrln.dll	tbckyxk.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2956	a62cbd252c60c6cfa6dd75ef50afbaafc3a7cc45676b187d2ad638543f160a38.exe
2652	tbckyxk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2652	3004	taskeng.exe	29
PID 3004 wrote to memory of 2652	3004	taskeng.exe	29
PID 3004 wrote to memory of 2652	3004	taskeng.exe	29
PID 3004 wrote to memory of 2652	3004	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\a62cbd252c60c6cfa6dd75ef50afbaafc3a7cc45676b187d2ad638543f160a38.exe
"C:\Users\Admin\AppData\Local\Temp\a62cbd252c60c6cfa6dd75ef50afbaafc3a7cc45676b187d2ad638543f160a38.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2956

C:\Windows\system32\taskeng.exe
taskeng.exe {6494064D-41D5-4A06-9565-9ECA20CCDD9F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\PROGRA~3\Mozilla\tbckyxk.exe
  C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\tbckyxk.exe

Filesize
140KB

MD5
8dd3c16426171784d56faa9b3db207c2

SHA1
b6850585ef8ebccd6a9377a7e8d5da5e415488eb

SHA256
d204dc1a7140114fc0c748d76652084e8becee2cb3e0bc7b8e2e98ef734a8992

SHA512
3840a61751311f3bb17cf39cf0211a13160ce49740bc3069c24214b71528d93606dfd347fa9e9f741f8c5a1ba8c985a314b7778398db7efa88667b855d1e2aed

Download Submit
memory/2652-9-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2652-12-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/2652-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2652-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2956-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2956-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2956-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2956-3-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download
memory/2956-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2956-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download