23d48b9c5596e448502fc4a1ae375929b91ae907af4afc89de03c9185f10f943

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7fa4b42616339c1570e3983a0988f19.exe
Size

590KB
MD5

c7fa4b42616339c1570e3983a0988f19
SHA1

2b70bdef79dcacfe2ffc144f928ed3d2312d65bf
SHA256

23d48b9c5596e448502fc4a1ae375929b91ae907af4afc89de03c9185f10f943
SHA512

59690ba596ce11628f0c9161e38572319fba6e44db6cbd684e97e1302139894149e9deddffbf868434ada81d32c05dab3913aaf88b30b8d9c5f45e8914161e82
SSDEEP

12288:41Y8jF/cTGvu/+Qzd5ucq+TNvuw1T6BQ2Y:n8jtcTl/+Q7uclTgw1T6BzY

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000800000002322b-4.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c7fa4b42616339c1570e3983a0988f19.exe

Executes dropped EXE 3 IoCs

pid	Process
5052	¶à¿ª¹¤¾ß.exe
872	RedGirl.exe
2264	RedGirl.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RedGirl.exe	c7fa4b42616339c1570e3983a0988f19.exe
File opened for modification	C:\Windows\SysWOW64\RedGirl.exe	c7fa4b42616339c1570e3983a0988f19.exe
File created	C:\Windows\SysWOW64\RedGirl.dat	RedGirl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3564	c7fa4b42616339c1570e3983a0988f19.exe
3564	c7fa4b42616339c1570e3983a0988f19.exe
3564	c7fa4b42616339c1570e3983a0988f19.exe
3564	c7fa4b42616339c1570e3983a0988f19.exe
872	RedGirl.exe
872	RedGirl.exe
872	RedGirl.exe
872	RedGirl.exe
872	RedGirl.exe
872	RedGirl.exe
2264	RedGirl.exe
2264	RedGirl.exe
2264	RedGirl.exe
2264	RedGirl.exe
2264	RedGirl.exe
2264	RedGirl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	RedGirl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5052	¶à¿ª¹¤¾ß.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 5052	3564	c7fa4b42616339c1570e3983a0988f19.exe	100
PID 3564 wrote to memory of 5052	3564	c7fa4b42616339c1570e3983a0988f19.exe	100
PID 3564 wrote to memory of 5052	3564	c7fa4b42616339c1570e3983a0988f19.exe	100
PID 3564 wrote to memory of 872	3564	c7fa4b42616339c1570e3983a0988f19.exe	101
PID 3564 wrote to memory of 872	3564	c7fa4b42616339c1570e3983a0988f19.exe	101
PID 3564 wrote to memory of 872	3564	c7fa4b42616339c1570e3983a0988f19.exe	101
PID 2264 wrote to memory of 4228	2264	RedGirl.exe	103
PID 2264 wrote to memory of 4228	2264	RedGirl.exe	103
PID 2264 wrote to memory of 4228	2264	RedGirl.exe	103

C:\Users\Admin\AppData\Local\Temp\c7fa4b42616339c1570e3983a0988f19.exe
"C:\Users\Admin\AppData\Local\Temp\c7fa4b42616339c1570e3983a0988f19.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\Temp\¶à¿ª¹¤¾ß.exe
  "C:\Windows\Temp\¶à¿ª¹¤¾ß.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5052
- C:\Windows\SysWOW64\RedGirl.exe
  C:\Windows\System32\RedGirl.exe 1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:872

C:\Windows\SysWOW64\RedGirl.exe
C:\Windows\SysWOW64\RedGirl.exe -service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\RedGirl.exe

Filesize
590KB

MD5
c7fa4b42616339c1570e3983a0988f19

SHA1
2b70bdef79dcacfe2ffc144f928ed3d2312d65bf

SHA256
23d48b9c5596e448502fc4a1ae375929b91ae907af4afc89de03c9185f10f943

SHA512
59690ba596ce11628f0c9161e38572319fba6e44db6cbd684e97e1302139894149e9deddffbf868434ada81d32c05dab3913aaf88b30b8d9c5f45e8914161e82

Download Submit
C:\Windows\Temp\¶à¿ª¹¤¾ß.exe

Filesize
15KB

MD5
40955f96dcc60c4db41ab21c6c67a7e6

SHA1
8e629827c756e1306101c3b6f87b8baa5b1c7c1f

SHA256
a3c3ed40f34843b147123e16ea9fcaaa76e797823fd7b9c10218b528b52821df

SHA512
7be6d4ee589343783125e8dd7c73762d8de0aa65f6a8cceebde7913a59b79b5389376841485ba8e006957134127bdad90b44e9d5f37ecf0e392c82dfaddba719

Download Submit
memory/5052-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5052-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download