bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf

General

Target

bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
Size

10.8MB
MD5

14b8007b18f4d629292bff46eadd418d
SHA1

e87c024699983976673e26e8c8fd01274e6725ee
SHA256

bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf
SHA512

925fcc1b3d593e29411bfa100b5fca46f7a98773118dde01b16b1e88bfbf585a93c335211a43a5553b3c8c7c41bed1a7730a4eca12e08806222e06b3252cd5f2
SSDEEP

196608:OZxiaYhHlDU9ot3qm3EUATWB56ao74vVaAWvjb4mBzW7RgcDjOisEqTFu86/w5eC:OZjYhCyt6m3EJA56L7/AW70mhW+07sN9

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000900000001227d-7.dat	aspack_v212_v242
behavioral1/files/0x000900000001227d-9.dat	aspack_v212_v242
behavioral1/files/0x000900000001227d-13.dat	aspack_v212_v242
behavioral1/files/0x000900000001227d-12.dat	aspack_v212_v242
behavioral1/files/0x000900000001227d-19.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
3012	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Loads dropped DLL 2 IoCs

pid	Process
2104	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
2104	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\R:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\U:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\V:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\Z:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\B:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\Q:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\X:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\Y:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\G:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\K:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\O:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\S:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\W:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\E:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\H:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\I:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\J:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\L:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\M:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\P:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\T:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\A:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2104	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
2104	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
2104	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
2104	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
2104	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
3012	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
3012	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
3012	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
3012	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
3012	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3012	2104	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe	28
PID 2104 wrote to memory of 3012	2104	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe	28
PID 2104 wrote to memory of 3012	2104	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe	28
PID 2104 wrote to memory of 3012	2104	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe	28

C:\Users\Admin\AppData\Local\Temp\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
"C:\Users\Admin\AppData\Local\Temp\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\1.76ÓÆÈ»ÈýÖ°Òµ\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
  C:\1.76ÓÆÈ»ÈýÖ°Òµ\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.76ÓÆÈ»ÈýÖ°Òµ\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Filesize
7.2MB

MD5
2da0c4d2669e2b13a325da4bf51f8d6f

SHA1
c6d1db163afa460dc24bb4ece56ea4c8092268e2

SHA256
85209343ffd0841080ba59acbf8a460b3cff4b2f0e01b61127b1944ef9b593d8

SHA512
1305cfea3afbc28e604756683690a006d2f8c76247b9470aa6dcb073909306f11ca56a099611cac7670d5e3262b15b411ac668ba52f5eb483cf52eb9fa086fa8

Download Submit
C:\1.76ÓÆÈ»ÈýÖ°Òµ\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Filesize
6.5MB

MD5
1cc3224d542923fc8b1ef6209fcd6e18

SHA1
287902927d4aa248c5b1c113612731c115cb7db8

SHA256
97d2e0c5beb1d2397b97fb517ffe62856682455889f1b70cff9d1c1335bb61fb

SHA512
aba83acd945dfb76bf29a52b302017c21ab751f770dace36e4b8a6a25945e7655b001137981dafe356ba99df6c616b4e15dad641fc0798ec0a8f9725ad16be5b

Download Submit
C:\1.76ÓÆÈ»ÈýÖ°Òµ\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Filesize
8.0MB

MD5
743ac4bd01cb142a21b7d266ecb0ab00

SHA1
d7ff9af92ce23fed45f84cb80001798d785ab3a3

SHA256
f260c00e751723f1e477812eedc75286a96acaa047ac5b938b4f6787935923fb

SHA512
c09f16f769bde55333a67a3d6d7f9fa9c52f58e3efee961bcc6bd16e4473633615253ceb8e42ce9c8c89fbf0b793a430ae221fe5b7703136267612348272c1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c5bc84a3b5e0e992b28911da5c4e788.txt

Filesize
18B

MD5
712d4039ae50e2b458e19108321ff5a0

SHA1
4a22a51c26bfc3b675cbb79131f0bd7928469a8a

SHA256
09769b514cc46d0e83d8d0e39a89a1bec7ef56e7f0f3baf2874493edd87e68fe

SHA512
821bc57a5f531f8bc4cafcd25f083051b131326fb8a58e3701efe24ea3afbae1b5ff9a78ca0b59fd6104a207aeaa6ba1bf2488de04d30a3492c41158d80f8ca5

Download Submit
\1.76ÓÆÈ»ÈýÖ°Òµ\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Filesize
4.4MB

MD5
12719ac9812f2534dffee8ff09ac2c51

SHA1
1b97607ed46e18da5928ddb0499d98b69fca7f4e

SHA256
9d2c8bc5d979c552b9692f7aa68a7d7906f8a9ef61557a5f97f0318b3022b7ad

SHA512
6f6175c55ed1dbd2e7f56bc46a07983e977f09a88e8de3a104a06d0ea3b4da92b533395974369e89b0aba4658bc64c54327fef0992b40e6c09fc468c8c04ee44

Download Submit
\1.76ÓÆÈ»ÈýÖ°Òµ\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Filesize
6.4MB

MD5
23d8ab8c5c2558ce363eb1e00172bc95

SHA1
03c4a1bc648ddeb58732c8dfaa82ca00593c5265

SHA256
3c5e5b1a0177faf362c7ce2743f701d31f46e0d381ffcc29fce411acc901a0dc

SHA512
0e8bab23c09fc794b1f544ba05eebbead7f652a8aa4708a01d27e1c3450846c5ae1f65b07243801e730ab3a15398d34fd840dd8f1d7709586f28bdc228118ec3

Download Submit
memory/2104-2-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/2104-3-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/2104-15-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/3012-17-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/3012-18-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/3012-23-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing