af65ceffefed977678603f77b2ab42b6aaf3a23c5233ca737464d82f3836fe59

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

befc58153e502b2c3f4eb51fdb762c97.exe
Size

133KB
MD5

befc58153e502b2c3f4eb51fdb762c97
SHA1

9a3e7300d2fcebf973f1752aabb290179d70261d
SHA256

af65ceffefed977678603f77b2ab42b6aaf3a23c5233ca737464d82f3836fe59
SHA512

f38f81ccf3eed3f39677316a2e587e9430ce7b7fcc08e26c8857d78befa7a906ea30ff4650d9827ccb45fef5c7ab1741cc048ff7dbcd0d1215f2ade13b70fa58
SSDEEP

3072:sfuUhYyNLynohJrwenbTgK5OAm3fF5pP4XbRyiNyn:sfuUhYyNLvh7nngK8DtMXbR5e

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000d0000000122b8-6.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1268	File.exe

Loads dropped DLL 5 IoCs

pid	Process
2148	befc58153e502b2c3f4eb51fdb762c97.exe
2148	befc58153e502b2c3f4eb51fdb762c97.exe
1028	WerFault.exe
1028	WerFault.exe
1028	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1028	1268	WerFault.exe	29

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	668	7zFM.exe
Token: 35	668	7zFM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
668	7zFM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 668	2148	befc58153e502b2c3f4eb51fdb762c97.exe	28
PID 2148 wrote to memory of 668	2148	befc58153e502b2c3f4eb51fdb762c97.exe	28
PID 2148 wrote to memory of 668	2148	befc58153e502b2c3f4eb51fdb762c97.exe	28
PID 2148 wrote to memory of 668	2148	befc58153e502b2c3f4eb51fdb762c97.exe	28
PID 2148 wrote to memory of 1268	2148	befc58153e502b2c3f4eb51fdb762c97.exe	29
PID 2148 wrote to memory of 1268	2148	befc58153e502b2c3f4eb51fdb762c97.exe	29
PID 2148 wrote to memory of 1268	2148	befc58153e502b2c3f4eb51fdb762c97.exe	29
PID 2148 wrote to memory of 1268	2148	befc58153e502b2c3f4eb51fdb762c97.exe	29
PID 1268 wrote to memory of 1028	1268	File.exe	30
PID 1268 wrote to memory of 1028	1268	File.exe	30
PID 1268 wrote to memory of 1028	1268	File.exe	30
PID 1268 wrote to memory of 1028	1268	File.exe	30

C:\Users\Admin\AppData\Local\Temp\befc58153e502b2c3f4eb51fdb762c97.exe
"C:\Users\Admin\AppData\Local\Temp\befc58153e502b2c3f4eb51fdb762c97.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\_.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:668
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_.rar

Filesize
60B

MD5
a4f8fa6c158e00337a41bb428e223906

SHA1
5cac59eeee5899f60029f898c7f9a61bed0cb031

SHA256
24f73d179f610f45f8f21a625f90bc48f8405ce11b329a0ffb22f4a92f708786

SHA512
9a096139bb28b83fcfab247566e568b087fe2fc3b0b60c9d8143b570f3ec5d9703428196bf12c6b66be834de1237dc0f61b0d4bdd74b7e17d3c2f9575b447645

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
34KB

MD5
4730e66b07c7d4fd1779f0947bca4f6a

SHA1
5ac43b464631dc3ae4f65f9a15a127139dc837ca

SHA256
ee5b46cb3e28b3264a2195191a71594aaf2816af6266dfc7e3b0002b1450d9ce

SHA512
cc018ee24099ecd465e6d1f2258f1167c2d86d505cece5c0c2b3f455ca12022896c2c1aa89cbdd82689c422954a9bd06dda0e84ceb9347d8da4d337e92370616

Download Submit
memory/2148-1-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2148-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2148-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2148-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download