bdb98e74e9444ae9d6048f6c7a8feb5f09c1a804e7765b049d4fa70307c0f811

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49fb3a7c250761a5b91a5cfe5088f4c.exe
Size

83KB
MD5

d49fb3a7c250761a5b91a5cfe5088f4c
SHA1

acae9ae24b823fdea2ee62bd7f4d82501a77e58b
SHA256

bdb98e74e9444ae9d6048f6c7a8feb5f09c1a804e7765b049d4fa70307c0f811
SHA512

9bdf85cfdafa0d6d656b8fc655133495bc2a087b5884c7d971273aba15206025fc034d9b1276a7301351e1d36b280532affc2bd9f22a335d1658f71d77e207a0
SSDEEP

1536:Er9uDi4Yrfqik9xuCr5IuCArQ+OqpLEytSSejie5Kcn:7erfqpuClIuxrU+Eyt1emU

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000012247-1.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
2500	kjk.exe
3008	d49fb3a7c250761a5b91a5cfe5088f4c.sys
2512	kjk.exe
2684	kjk.sys

Loads dropped DLL 3 IoCs

pid	Process
2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe
2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe
2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\kjk = "C:\\Windows\\kjk.exe"	d49fb3a7c250761a5b91a5cfe5088f4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\kjk = "C:\\Windows\\kjk.exe"	d49fb3a7c250761a5b91a5cfe5088f4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\kjk = "C:\\Windows\\kjk.exe"	d49fb3a7c250761a5b91a5cfe5088f4c.sys
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\kjk = "C:\\Windows\\kjk.exe"	d49fb3a7c250761a5b91a5cfe5088f4c.sys
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\kjk = "C:\\Windows\\kjk.exe"	kjk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\kjk = "C:\\Windows\\kjk.exe"	kjk.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\kjk.exe	kjk.exe
File created	C:\Windows\kjk.exe	d49fb3a7c250761a5b91a5cfe5088f4c.exe
File created	C:\Windows\kjk.sys	kjk.exe
File opened for modification	C:\Windows\kjk.sys	kjk.exe
File created	C:\Windows\kjk.exe	d49fb3a7c250761a5b91a5cfe5088f4c.sys

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2	kjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\WinX = "1"	kjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\NowCount = "0"	kjk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe
2500	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe
2512	kjk.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3008	2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe	28
PID 2380 wrote to memory of 3008	2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe	28
PID 2380 wrote to memory of 3008	2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe	28
PID 2380 wrote to memory of 3008	2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe	28
PID 2380 wrote to memory of 2500	2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe	29
PID 2380 wrote to memory of 2500	2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe	29
PID 2380 wrote to memory of 2500	2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe	29
PID 2380 wrote to memory of 2500	2380	d49fb3a7c250761a5b91a5cfe5088f4c.exe	29
PID 3008 wrote to memory of 2512	3008	d49fb3a7c250761a5b91a5cfe5088f4c.sys	30
PID 3008 wrote to memory of 2512	3008	d49fb3a7c250761a5b91a5cfe5088f4c.sys	30
PID 3008 wrote to memory of 2512	3008	d49fb3a7c250761a5b91a5cfe5088f4c.sys	30
PID 3008 wrote to memory of 2512	3008	d49fb3a7c250761a5b91a5cfe5088f4c.sys	30
PID 2500 wrote to memory of 2684	2500	kjk.exe	31
PID 2500 wrote to memory of 2684	2500	kjk.exe	31
PID 2500 wrote to memory of 2684	2500	kjk.exe	31
PID 2500 wrote to memory of 2684	2500	kjk.exe	31

C:\Users\Admin\AppData\Local\Temp\d49fb3a7c250761a5b91a5cfe5088f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d49fb3a7c250761a5b91a5cfe5088f4c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\d49fb3a7c250761a5b91a5cfe5088f4c.sys
  C:\Users\Admin\AppData\Local\Temp\d49fb3a7c250761a5b91a5cfe5088f4c.sys /zhj
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\kjk.exe
    C:\Windows\kjk.exe /zhj
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2512
- C:\Windows\kjk.exe
  C:\Windows\kjk.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\kjk.sys
    C:\Windows\kjk.sys /zhj
    3⤵
    - Executes dropped EXE
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\kjk.sys

Filesize
60KB

MD5
732e3d252f7805b9b75246d8b6879c21

SHA1
fdaea0a522d35714c5e802ef20c555bb9c66cfcd

SHA256
6eedcc6cfb370c47f7a06983e98aa29fbfd3a914d34545f9af1c76acf6ff4c94

SHA512
3c80e053af88fe1933218c76a0223a2c6ed45e977e19ac9b934700a4b657bd6c3f58954f564e56509a4ae1f6af3409ef4c9828352e649316e60f4b7704c769b1

Download Submit
\Users\Admin\AppData\Local\Temp\d49fb3a7c250761a5b91a5cfe5088f4c.sys

Filesize
83KB

MD5
d49fb3a7c250761a5b91a5cfe5088f4c

SHA1
acae9ae24b823fdea2ee62bd7f4d82501a77e58b

SHA256
bdb98e74e9444ae9d6048f6c7a8feb5f09c1a804e7765b049d4fa70307c0f811

SHA512
9bdf85cfdafa0d6d656b8fc655133495bc2a087b5884c7d971273aba15206025fc034d9b1276a7301351e1d36b280532affc2bd9f22a335d1658f71d77e207a0

Download Submit
memory/2380-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2500-30-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-34-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-35-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-38-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-46-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-42-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-43-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download