d6afcce63997e5f072c32edcc0409fdcd3fe695468933c4e7271e9ddcf471ee5

Analysis

max time kernel
146s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be2200f8a4cc7c28ff19270892118293.exe
Size

624KB
MD5

be2200f8a4cc7c28ff19270892118293
SHA1

cfa00c4099caa993cbea984fc576f67e89134c92
SHA256

d6afcce63997e5f072c32edcc0409fdcd3fe695468933c4e7271e9ddcf471ee5
SHA512

3ab366dcdc803b724b250ba592e4d10c7c7cd327226609f13a442048c7dfd46a23c7a0a06a3c2bce036abf16d22826017b560e1e74e22ba5834bb54d763758e0
SSDEEP

12288:WOwNxGUDwMeIkZajwu4diroeJsISWAT4lFMvwmb1TLnWI5NVmpI:WOsxGUDIa0ZirRsrWAT4lFWwmb1/WYNT

Score

7^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0034000000015cb6-91.dat	aspack_v212_v242
behavioral1/files/0x0007000000015d4e-107.dat	aspack_v212_v242

Executes dropped EXE 5 IoCs

pid	Process
2732	dtxservice.exe
2456	fps.exe
2968	mps.exe
2772	iss32.exe
2804	CRSS.EXE

Loads dropped DLL 2 IoCs

pid	Process
2240	be2200f8a4cc7c28ff19270892118293.exe
2240	be2200f8a4cc7c28ff19270892118293.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015d42-99.dat	upx
behavioral1/memory/2772-103-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\dtxservice.exe -atm"	be2200f8a4cc7c28ff19270892118293.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dtxservice.exe	be2200f8a4cc7c28ff19270892118293.exe
File opened for modification	C:\Windows\SysWOW64\dtxservice.exe	be2200f8a4cc7c28ff19270892118293.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ktd32.atm	CRSS.EXE
File opened for modification	C:\Windows\ktd32.atm	dtxservice.exe
File created	C:\Windows\fps.exe	dtxservice.exe
File created	C:\Windows\mps.exe	dtxservice.exe
File created	C:\Windows\icq.dll	dtxservice.exe
File created	C:\Windows\kdd32.atm	dtxservice.exe
File created	C:\Windows\mps.atm	mps.exe
File created	C:\Windows\iss32.exe	dtxservice.exe
File created	C:\Windows\CRSS.EXE	dtxservice.exe
File created	C:\Windows\kt.atm	dtxservice.exe
File created	C:\Windows\fps.atm	fps.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2240	be2200f8a4cc7c28ff19270892118293.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2804	CRSS.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2732	2240	be2200f8a4cc7c28ff19270892118293.exe	28
PID 2240 wrote to memory of 2732	2240	be2200f8a4cc7c28ff19270892118293.exe	28
PID 2240 wrote to memory of 2732	2240	be2200f8a4cc7c28ff19270892118293.exe	28
PID 2240 wrote to memory of 2732	2240	be2200f8a4cc7c28ff19270892118293.exe	28
PID 2732 wrote to memory of 2456	2732	dtxservice.exe	29
PID 2732 wrote to memory of 2456	2732	dtxservice.exe	29
PID 2732 wrote to memory of 2456	2732	dtxservice.exe	29
PID 2732 wrote to memory of 2456	2732	dtxservice.exe	29
PID 2732 wrote to memory of 2968	2732	dtxservice.exe	30
PID 2732 wrote to memory of 2968	2732	dtxservice.exe	30
PID 2732 wrote to memory of 2968	2732	dtxservice.exe	30
PID 2732 wrote to memory of 2968	2732	dtxservice.exe	30
PID 2732 wrote to memory of 2772	2732	dtxservice.exe	31
PID 2732 wrote to memory of 2772	2732	dtxservice.exe	31
PID 2732 wrote to memory of 2772	2732	dtxservice.exe	31
PID 2732 wrote to memory of 2772	2732	dtxservice.exe	31
PID 2732 wrote to memory of 2804	2732	dtxservice.exe	32
PID 2732 wrote to memory of 2804	2732	dtxservice.exe	32
PID 2732 wrote to memory of 2804	2732	dtxservice.exe	32
PID 2732 wrote to memory of 2804	2732	dtxservice.exe	32

C:\Users\Admin\AppData\Local\Temp\be2200f8a4cc7c28ff19270892118293.exe
"C:\Users\Admin\AppData\Local\Temp\be2200f8a4cc7c28ff19270892118293.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\dtxservice.exe
  C:\Windows\system32\dtxservice.exe -atm
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\fps.exe
    C:\Windows\fps.exe /stext C:\Windows\fps.atm
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2456
- - C:\Windows\mps.exe
    C:\Windows\mps.exe /stext C:\Windows\mps.atm
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2968
- - C:\Windows\iss32.exe
    C:\Windows\iss32.exe
    3⤵
    - Executes dropped EXE
    PID:2772
- - C:\Windows\CRSS.EXE
    C:\Windows\CRSS.EXE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CRSS.EXE

Filesize
13KB

MD5
067c3c377e0346290862dc8791e81fb0

SHA1
9a4d3a6ad5fd102eb32a6f1229c80c15dc495409

SHA256
18cbf1415419f9f27425cea06c32e9a2f041ec52a39d78d58922efbb698b9d76

SHA512
0c0f0a1e4144accb97d159096cbd4003e77ca0ac792727002c2fe402dc12471a16e90ae3622f1f96d25a333af36a4dccbe80a6689bed080ba32e28dd845960aa

Download Submit
C:\Windows\fps.exe

Filesize
14KB

MD5
16d0b87ea242e563ccbf13fbfc279915

SHA1
a56a456b48f5318ca57cce4d75e2f0e3493850d4

SHA256
1a4cef71598d42e1765c89fa5f0d91141e313c89d25418d7dc5e2b4b9bfc07aa

SHA512
ee9b92a5c17bcf17812d18bb9f0e993537a9a1c1bb4938442aef9005046c4547be61380cf5cf01c7a710b07d5d0e116a4a8e8263d3ad73fef1e0c1de196f6cc0

Download Submit
C:\Windows\iss32.exe

Filesize
3KB

MD5
d36a7e657fb830da92a59bccb67948a5

SHA1
730d2499b9ffffa7a3e29b9f973728f2c9547827

SHA256
0f855337f81800b5df27abd91f85c9a4187ac553e0a65b2a9719d5db1df08b39

SHA512
0a24a2f87fcf35937520bde130862af7f40b3fcb29c8f09a197faa5e11a33b7db35b765b2494f719b28ef51060add5324aff441a825a3c87287fa64665e140c8

Download Submit
C:\Windows\kdd32.atm

Filesize
8KB

MD5
51abb91f79fc8057f9ac61877fb480d5

SHA1
42790a05bb6cc05292977d70bf9ae60350aca1d7

SHA256
6bd988e0c55f611e20ff740c76870dc892505725e9852580fe23bade1a8978fa

SHA512
4b115ec069cecd082e72c5728aab8902ee018705ed9ad11731e47efd0f6d5d8e2412485d4713cb4ab20bfdd3d03f5919b2bb60a361af6ac69e7566a4fc015413

Download Submit
C:\Windows\kt.atm

Filesize
29B

MD5
d4d0a66ac4c1820c90f62f77099b547a

SHA1
c8f96649ec9865804efc925472b931005925f3ff

SHA256
997394c51fb18768bbb7a8e6cfe7bdec1efa0bdd82ed3507f3f1cc46ab459ff1

SHA512
9ab9b7d786bdbd2e5bd596060930c64ee1496cbdf423bd283fbecee13501adeb149d4aa7290d410dd153a255ef6513e6a8356a88740efa4badb3190fb5388ebb

Download Submit
C:\Windows\mps.exe

Filesize
17KB

MD5
4bad43105d4d557ae90d2f094e4bb833

SHA1
1d80ae0e7806c6cb2425131604373acb62ef8991

SHA256
918d1c42a73d79c4296f8fe3683070803916df4f5a236e84aabf665215e266e2

SHA512
278a11bb0fb2f17b91e1dc63d6b9a6376c332a41fdcedcd55d96b208b39b769e7edd1f41a614a80e24f409ba098a06b3da6848a6ab9ad0ff37e5154376ef681c

Download Submit
\Windows\SysWOW64\dtxservice.exe

Filesize
624KB

MD5
be2200f8a4cc7c28ff19270892118293

SHA1
cfa00c4099caa993cbea984fc576f67e89134c92

SHA256
d6afcce63997e5f072c32edcc0409fdcd3fe695468933c4e7271e9ddcf471ee5

SHA512
3ab366dcdc803b724b250ba592e4d10c7c7cd327226609f13a442048c7dfd46a23c7a0a06a3c2bce036abf16d22826017b560e1e74e22ba5834bb54d763758e0

Download Submit
memory/2240-40-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2240-46-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/2240-18-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2240-17-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2240-37-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2240-15-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2240-14-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2240-26-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/2240-13-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2240-12-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2240-11-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2240-10-0x0000000002810000-0x0000000002812000-memory.dmp

Filesize
8KB

Download
memory/2240-9-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2240-8-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2240-7-0x0000000002820000-0x0000000002822000-memory.dmp

Filesize
8KB

Download
memory/2240-6-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2240-5-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/2240-27-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/2240-4-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2240-3-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2240-2-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2240-28-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/2240-55-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/2240-54-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2240-53-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2240-52-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2240-51-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2240-50-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/2240-49-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2240-48-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/2240-47-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2240-36-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2240-45-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2240-44-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2240-43-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2240-42-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/2240-41-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/2240-0-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2240-39-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2240-38-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/2240-16-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2240-19-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/2240-35-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/2240-34-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2240-33-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2240-30-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2240-29-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2240-56-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/2240-20-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2240-59-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2240-58-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2240-60-0x0000000003A40000-0x0000000003B9C000-memory.dmp

Filesize
1.4MB

Download
memory/2240-67-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2240-1-0x0000000000300000-0x000000000034C000-memory.dmp

Filesize
304KB

Download
memory/2240-69-0x0000000000300000-0x000000000034C000-memory.dmp

Filesize
304KB

Download
memory/2240-25-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2240-24-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2240-23-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2240-22-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2240-21-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/2456-86-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2732-160-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-85-0x0000000004060000-0x0000000004061000-memory.dmp

Filesize
4KB

Download
memory/2732-138-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-144-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-142-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-68-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/2732-132-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-140-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-77-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/2732-136-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-158-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-83-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/2732-84-0x0000000004070000-0x0000000004071000-memory.dmp

Filesize
4KB

Download
memory/2732-146-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-148-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-150-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-152-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-154-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2732-156-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2772-103-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2804-133-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download