23d48b9c5596e448502fc4a1ae375929b91ae907af4afc89de03c9185f10f943

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 06:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7fa4b42616339c1570e3983a0988f19.exe
Size

590KB
MD5

c7fa4b42616339c1570e3983a0988f19
SHA1

2b70bdef79dcacfe2ffc144f928ed3d2312d65bf
SHA256

23d48b9c5596e448502fc4a1ae375929b91ae907af4afc89de03c9185f10f943
SHA512

59690ba596ce11628f0c9161e38572319fba6e44db6cbd684e97e1302139894149e9deddffbf868434ada81d32c05dab3913aaf88b30b8d9c5f45e8914161e82
SSDEEP

12288:41Y8jF/cTGvu/+Qzd5ucq+TNvuw1T6BQ2Y:n8jtcTl/+Q7uclTgw1T6BzY

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a00000001410d-2.dat	aspack_v212_v242
behavioral1/memory/1332-12-0x0000000002320000-0x0000000002329000-memory.dmp	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2356	¶à¿ª¹¤¾ß.exe
2716	RedGirl.exe

Loads dropped DLL 4 IoCs

pid	Process
1332	c7fa4b42616339c1570e3983a0988f19.exe
1332	c7fa4b42616339c1570e3983a0988f19.exe
1332	c7fa4b42616339c1570e3983a0988f19.exe
1332	c7fa4b42616339c1570e3983a0988f19.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RedGirl.exe	c7fa4b42616339c1570e3983a0988f19.exe
File opened for modification	C:\Windows\SysWOW64\RedGirl.exe	c7fa4b42616339c1570e3983a0988f19.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1332	c7fa4b42616339c1570e3983a0988f19.exe
1332	c7fa4b42616339c1570e3983a0988f19.exe
2716	RedGirl.exe
2716	RedGirl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2356	¶à¿ª¹¤¾ß.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2356	1332	c7fa4b42616339c1570e3983a0988f19.exe	28
PID 1332 wrote to memory of 2356	1332	c7fa4b42616339c1570e3983a0988f19.exe	28
PID 1332 wrote to memory of 2356	1332	c7fa4b42616339c1570e3983a0988f19.exe	28
PID 1332 wrote to memory of 2356	1332	c7fa4b42616339c1570e3983a0988f19.exe	28
PID 1332 wrote to memory of 2716	1332	c7fa4b42616339c1570e3983a0988f19.exe	29
PID 1332 wrote to memory of 2716	1332	c7fa4b42616339c1570e3983a0988f19.exe	29
PID 1332 wrote to memory of 2716	1332	c7fa4b42616339c1570e3983a0988f19.exe	29
PID 1332 wrote to memory of 2716	1332	c7fa4b42616339c1570e3983a0988f19.exe	29

C:\Users\Admin\AppData\Local\Temp\c7fa4b42616339c1570e3983a0988f19.exe
"C:\Users\Admin\AppData\Local\Temp\c7fa4b42616339c1570e3983a0988f19.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\Temp\¶à¿ª¹¤¾ß.exe
  "C:\Windows\Temp\¶à¿ª¹¤¾ß.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2356
- C:\Windows\SysWOW64\RedGirl.exe
  C:\Windows\System32\RedGirl.exe 1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\RedGirl.exe

Filesize
590KB

MD5
c7fa4b42616339c1570e3983a0988f19

SHA1
2b70bdef79dcacfe2ffc144f928ed3d2312d65bf

SHA256
23d48b9c5596e448502fc4a1ae375929b91ae907af4afc89de03c9185f10f943

SHA512
59690ba596ce11628f0c9161e38572319fba6e44db6cbd684e97e1302139894149e9deddffbf868434ada81d32c05dab3913aaf88b30b8d9c5f45e8914161e82

Download Submit
\Windows\Temp\¶à¿ª¹¤¾ß.exe

Filesize
15KB

MD5
40955f96dcc60c4db41ab21c6c67a7e6

SHA1
8e629827c756e1306101c3b6f87b8baa5b1c7c1f

SHA256
a3c3ed40f34843b147123e16ea9fcaaa76e797823fd7b9c10218b528b52821df

SHA512
7be6d4ee589343783125e8dd7c73762d8de0aa65f6a8cceebde7913a59b79b5389376841485ba8e006957134127bdad90b44e9d5f37ecf0e392c82dfaddba719

Download Submit
memory/1332-8-0x0000000002320000-0x0000000002329000-memory.dmp

Filesize
36KB

Download
memory/1332-12-0x0000000002320000-0x0000000002329000-memory.dmp

Filesize
36KB

Download
memory/2356-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2356-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download