4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061

General

Target

4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
Size

21.8MB
MD5

959287c67b1dcd8b3b834ae21cf9e523
SHA1

ebcb105af6ddef23cbbcd1f27e2b603d7f528b62
SHA256

4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061
SHA512

f7745e556a4d81a96cdbd92522efc2c4ee43adf212f47199e731dfa76a86ee99db46aaa236a1443ac7a1436edecfb5d0e3523e76ba3478065d21a90d7cc4e9bb
SSDEEP

393216:1Nq14dy9t20XdqYQ8rJv0lVa9tpOjGr2gfDnQu/Kl5H7GxdFUR:q4k2UdqMv0aXpOjGrZMu/PqR

Score

9^/10

aspackv2

Malware Config

Signatures

Detects executables packed with ASPack 29 IoCs

resource	yara_rule
behavioral1/memory/1208-0-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1208-1-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1208-2-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1208-3-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1208-4-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2992-7-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2992-9-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2992-10-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2992-11-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1208-12-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2992-13-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0029000000015c2f-20.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0029000000015c2f-23.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0029000000015c2f-31.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2992-30-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-41-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-42-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-43-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-44-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-45-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-46-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-48-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-49-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-50-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-51-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-52-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-53-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-54-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2536-55-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0029000000015c2f-20.dat	aspack_v212_v242
behavioral1/files/0x0029000000015c2f-23.dat	aspack_v212_v242
behavioral1/files/0x0029000000015c2f-31.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2536	88851O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Loads dropped DLL 4 IoCs

pid	Process
2992	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
2992	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
2536	88851O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
2536	88851O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1208	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
1208	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
2992	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
2992	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
2536	88851O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
2536	88851O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2992	1208	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	28
PID 1208 wrote to memory of 2992	1208	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	28
PID 1208 wrote to memory of 2992	1208	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	28
PID 1208 wrote to memory of 2992	1208	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	28
PID 2992 wrote to memory of 2536	2992	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	29
PID 2992 wrote to memory of 2536	2992	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	29
PID 2992 wrote to memory of 2536	2992	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	29
PID 2992 wrote to memory of 2536	2992	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	29

C:\Users\Admin\AppData\Local\Temp\4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
"C:\Users\Admin\AppData\Local\Temp\4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
  C:\Users\Admin\AppData\Local\Temp\4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\9SFÓÎÏ·ºÐ×Ó\88851O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
    C:\9SFÓÎÏ·ºÐ×Ó\88851O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9SFÓÎÏ·ºÐ×Ó\88851O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Filesize
15.2MB

MD5
80ab5d092c066096e7e3bf5d87f2fb07

SHA1
6444a1576709d0b24a295a01cd9689b1d88c080b

SHA256
2faa61284529d78b8839d74b2beacf9bb93bef4715e2518cc1c824f26d29b4e0

SHA512
4970bc94ac96e9927630c849febafdbbce388aa4629e7cdd5fc99b22ef67ffee1a7f06db987b10d6eb752e1fa3e15819f67e268a55878334faa0deee0215a162

Download Submit
C:\9SFÓÎÏ·ºÐ×Ó\88851O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Filesize
14.7MB

MD5
f4ddcb82fdc204074b0c819b55a9e6b0

SHA1
19e7d4dd5cf3b135be157c21f10239072487305c

SHA256
98f86bfb125b7e405edd4fbeaa799aa7abef48ba898f65f130e423cf58ab0719

SHA512
853b01b1217fb844d5946a190618a5bdc616f48b0f326cd3b9f77ac79103e6313de47cf3cc6c18500b36b1360e7868bf5cd91c381761760d9dc99916f55a0538

Download Submit
C:\9SFÓÎÏ·ºÐ×Ó\node.dll

Filesize
26.6MB

MD5
2fb52f8e15e7989649ca2b268ceff19e

SHA1
24daf46d95c4dc7753d586258c4e875fd7218ee0

SHA256
5b6de9816495a0367c8d5a5cf004a784f48965bee17e5dd11420ba7ac2f5720a

SHA512
933d37c337ecadc1b4d316d9a08ada848bccc7f7a173d9d59ded88770a33c6cc7780afe6d426e0a5beeaadfc80ec76898fdadb53ecfbca8fbbb71f00df902182

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230402.lib

Filesize
1.5MB

MD5
a8e76c0a95f5861d4dfbad4ad15cf98f

SHA1
93b0c9398eb812fba8055e2cb48dea7d711b3e15

SHA256
40bb565b262d266950dd1d5d2c40cdf935d6514a82eaecbbe0ac1d2f2455b8c4

SHA512
ac51f98bc8ed1b2f84f92fbf52184e0bad40a6d691687ab11a9cdfb723a74da805ed6453945d018d0458653f98be8484deaa98ae22c6d770b4a10a3412c67437

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.s

Filesize
102B

MD5
88db508fd5316eda9a82edb130996c10

SHA1
9008feb73bdc659b9903a2e57258492b4ec6d8e7

SHA256
7601a2938971491a32a424c92da52c6eb3691c98a99a1b3f415a8e46a5cb7cd2

SHA512
7aa60e90de5d1685ff5947d55adffc935e05d1f0ace4fa2d9288816e2e110aec5b0d307693940c66416f9ffe5517bf2054fa0433ae8f442bea38861a0865bb5d

Download Submit
\9SFÓÎÏ·ºÐ×Ó\88851O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Filesize
14.6MB

MD5
dfed80bd7b43a90ea0cf9f8dc298cc2a

SHA1
8a3755966a95129c27c59ca4fa17bf803a6eda8f

SHA256
e7933fb5c1afdfd080a5409290830302d8a5a23fa430449e6bbc5a57db29aa13

SHA512
07fb897fbf232370c443a191a90173ad39806d95ada7a95e2fdeaef53bb63dff44c9069b5497f38a0679318b930d2cd1fc0026642bd8df2011de53c71a6124c2

Download Submit
memory/1208-3-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/1208-4-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/1208-6-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1208-8-0x0000000003520000-0x00000000044A3000-memory.dmp

Filesize
15.5MB

Download
memory/1208-2-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/1208-0-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/1208-12-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/1208-1-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-51-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-55-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-52-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-50-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-53-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-32-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2536-49-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-48-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-54-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-46-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-37-0x000000000D300000-0x000000000D301000-memory.dmp

Filesize
4KB

Download
memory/2536-40-0x00000000083B0000-0x00000000084C4000-memory.dmp

Filesize
1.1MB

Download
memory/2536-41-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-42-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-43-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-44-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2536-45-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2992-11-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2992-33-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2992-30-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2992-24-0x0000000004620000-0x00000000055A3000-memory.dmp

Filesize
15.5MB

Download
memory/2992-16-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2992-13-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2992-10-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2992-9-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2992-7-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download

Analysis

Sharing