bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf

General

Target

bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
Size

10.8MB
MD5

14b8007b18f4d629292bff46eadd418d
SHA1

e87c024699983976673e26e8c8fd01274e6725ee
SHA256

bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf
SHA512

925fcc1b3d593e29411bfa100b5fca46f7a98773118dde01b16b1e88bfbf585a93c335211a43a5553b3c8c7c41bed1a7730a4eca12e08806222e06b3252cd5f2
SSDEEP

196608:OZxiaYhHlDU9ot3qm3EUATWB56ao74vVaAWvjb4mBzW7RgcDjOisEqTFu86/w5eC:OZjYhCyt6m3EJA56L7/AW70mhW+07sN9

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023210-8.dat	aspack_v212_v242
behavioral2/files/0x0009000000023210-9.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
5004	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\S:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\T:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\W:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\E:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\H:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\I:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\O:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\R:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\Z:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\A:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\J:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\M:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\N:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\Y:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\B:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\G:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\Q:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\X:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\K:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\L:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\U:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
File opened (read-only)	\??\V:	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1768	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
1768	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
1768	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
1768	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
1768	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
5004	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
5004	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
5004	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
5004	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
5004	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 5004	1768	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe	94
PID 1768 wrote to memory of 5004	1768	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe	94
PID 1768 wrote to memory of 5004	1768	bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe	94

C:\Users\Admin\AppData\Local\Temp\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
"C:\Users\Admin\AppData\Local\Temp\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768
- C:\1.76ÓÆÈ»ÈýÖ°Òµ\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
  C:\1.76ÓÆÈ»ÈýÖ°Òµ\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.76ÓÆÈ»ÈýÖ°Òµ\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Filesize
6.9MB

MD5
36ad6d4ae0321ab6b4cab731c6e712d1

SHA1
471902222e9f05c93c648ef09a1b1ba830e1b547

SHA256
ceded92ab162555a48d40b2cae3370b56e17faf69bb9cd6d304b3b8962f4afc6

SHA512
9f640358383e94e65f17a822bbf70d28817584a741553cd7fe03012e8745c4fdeb347f0b0fdc8b44b07be7b85e2afb07db41cca7c78ac8ce3e4507f243f16536

Download Submit
C:\1.76ÓÆÈ»ÈýÖ°Òµ\bf47d0dd5ece679d445a904b7e1e2984b3ab924163ec2ece8843e6a14f4eb2bf.exe

Filesize
8.1MB

MD5
e16d0b6a3846b6498a2a013fde84c201

SHA1
6f43f37ff92a5b3bdcda49dc42aa2fce6a2d53d6

SHA256
2bcc9646d13b237c7f6aee52657a5786e2057dfacd95e42f0cb45ecda8bfa233

SHA512
1f32286783b02cb5d1a6ee575e4457cfa55f6982d67a84323932f0fbb3049e42e0f4ef2e8b8d809b9877ae07485b31b8a5e330511382c4df524335a706767bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c5bc84a3b5e0e992b28911da5c4e788.txt

Filesize
18B

MD5
712d4039ae50e2b458e19108321ff5a0

SHA1
4a22a51c26bfc3b675cbb79131f0bd7928469a8a

SHA256
09769b514cc46d0e83d8d0e39a89a1bec7ef56e7f0f3baf2874493edd87e68fe

SHA512
821bc57a5f531f8bc4cafcd25f083051b131326fb8a58e3701efe24ea3afbae1b5ff9a78ca0b59fd6104a207aeaa6ba1bf2488de04d30a3492c41158d80f8ca5

Download Submit
memory/1768-2-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/1768-3-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/1768-14-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/5004-12-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/5004-13-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/5004-18-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing