af65ceffefed977678603f77b2ab42b6aaf3a23c5233ca737464d82f3836fe59

Analysis

max time kernel
136s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

befc58153e502b2c3f4eb51fdb762c97.exe
Size

133KB
MD5

befc58153e502b2c3f4eb51fdb762c97
SHA1

9a3e7300d2fcebf973f1752aabb290179d70261d
SHA256

af65ceffefed977678603f77b2ab42b6aaf3a23c5233ca737464d82f3836fe59
SHA512

f38f81ccf3eed3f39677316a2e587e9430ce7b7fcc08e26c8857d78befa7a906ea30ff4650d9827ccb45fef5c7ab1741cc048ff7dbcd0d1215f2ade13b70fa58
SSDEEP

3072:sfuUhYyNLynohJrwenbTgK5OAm3fF5pP4XbRyiNyn:sfuUhYyNLvh7nngK8DtMXbR5e

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a000000023187-9.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	befc58153e502b2c3f4eb51fdb762c97.exe

Executes dropped EXE 1 IoCs

pid	Process
4624	File.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4940	4624	WerFault.exe	90
2252	4800	WerFault.exe	88

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	befc58153e502b2c3f4eb51fdb762c97.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1984	7zFM.exe
Token: 35	1984	7zFM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1984	7zFM.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 1984	4800	befc58153e502b2c3f4eb51fdb762c97.exe	89
PID 4800 wrote to memory of 1984	4800	befc58153e502b2c3f4eb51fdb762c97.exe	89
PID 4800 wrote to memory of 4624	4800	befc58153e502b2c3f4eb51fdb762c97.exe	90
PID 4800 wrote to memory of 4624	4800	befc58153e502b2c3f4eb51fdb762c97.exe	90
PID 4800 wrote to memory of 4624	4800	befc58153e502b2c3f4eb51fdb762c97.exe	90

C:\Users\Admin\AppData\Local\Temp\befc58153e502b2c3f4eb51fdb762c97.exe
"C:\Users\Admin\AppData\Local\Temp\befc58153e502b2c3f4eb51fdb762c97.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\_.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 228
    3⤵
    - Program crash
    PID:4940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1412
  2⤵
  - Program crash
  PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4624 -ip 4624
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4800 -ip 4800
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
34KB

MD5
4730e66b07c7d4fd1779f0947bca4f6a

SHA1
5ac43b464631dc3ae4f65f9a15a127139dc837ca

SHA256
ee5b46cb3e28b3264a2195191a71594aaf2816af6266dfc7e3b0002b1450d9ce

SHA512
cc018ee24099ecd465e6d1f2258f1167c2d86d505cece5c0c2b3f455ca12022896c2c1aa89cbdd82689c422954a9bd06dda0e84ceb9347d8da4d337e92370616

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.rar

Filesize
60B

MD5
a4f8fa6c158e00337a41bb428e223906

SHA1
5cac59eeee5899f60029f898c7f9a61bed0cb031

SHA256
24f73d179f610f45f8f21a625f90bc48f8405ce11b329a0ffb22f4a92f708786

SHA512
9a096139bb28b83fcfab247566e568b087fe2fc3b0b60c9d8143b570f3ec5d9703428196bf12c6b66be834de1237dc0f61b0d4bdd74b7e17d3c2f9575b447645

Download Submit
memory/4800-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4800-1-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4800-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4800-14-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download