3aed26d1efa8acde0ec9e9535e5c2510a9e388f5c0847aa33614c4a76a59c2d4

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6efeba412758aba4e024940e2a595db.exe
Size

100KB
MD5

d6efeba412758aba4e024940e2a595db
SHA1

2e88a7747ed3566a28d5efa84085fb3249dd39f8
SHA256

3aed26d1efa8acde0ec9e9535e5c2510a9e388f5c0847aa33614c4a76a59c2d4
SHA512

da50a472e2583b0e701b22ba6ca6b653e0243a31b0d115172c35a7740414f84a746fd9488e248596c2c988e2a80f069d1ac7df1f2bdca83ad4f35c09267720de
SSDEEP

3072:tGu99lfzqIbXWm+w0JW5lFy1tqUuBI0F5Wggi:t/cuoH1tXEFX

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023231-4.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2612	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d6efeba412758aba4e024940e2a595db.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 2612	4712	d6efeba412758aba4e024940e2a595db.exe	87
PID 4712 wrote to memory of 2612	4712	d6efeba412758aba4e024940e2a595db.exe	87
PID 4712 wrote to memory of 2612	4712	d6efeba412758aba4e024940e2a595db.exe	87

C:\Users\Admin\AppData\Local\Temp\d6efeba412758aba4e024940e2a595db.exe
"C:\Users\Admin\AppData\Local\Temp\d6efeba412758aba4e024940e2a595db.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  2⤵
  - Executes dropped EXE
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
38KB

MD5
215e3a34a7385b66d0e905503d41a3de

SHA1
1b7ade5e02615707e28c01ba80c4126243135739

SHA256
e6a27174edacf3f3ccb68cc9d015ed684e7a5cc17af310c5650b72eae07de89b

SHA512
c50f969a62045e65c086ad580ff9b136861d58ae83ffdca8a5c8eedb3cd174d86428d96e2d5a45a9f00827779a0b3cbaabdfce77af7f59f625bc56a83e41339d

Download Submit
memory/2612-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2612-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2612-8-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/2612-9-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2612-10-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads