4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061

General

Target

4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
Size

21.8MB
MD5

959287c67b1dcd8b3b834ae21cf9e523
SHA1

ebcb105af6ddef23cbbcd1f27e2b603d7f528b62
SHA256

4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061
SHA512

f7745e556a4d81a96cdbd92522efc2c4ee43adf212f47199e731dfa76a86ee99db46aaa236a1443ac7a1436edecfb5d0e3523e76ba3478065d21a90d7cc4e9bb
SSDEEP

393216:1Nq14dy9t20XdqYQ8rJv0lVa9tpOjGr2gfDnQu/Kl5H7GxdFUR:q4k2UdqMv0aXpOjGrZMu/PqR

Score

9^/10

aspackv2

Malware Config

Signatures

Detects executables packed with ASPack 32 IoCs

resource	yara_rule
behavioral2/memory/464-0-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/464-1-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/464-2-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/464-3-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/464-4-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2140-7-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2140-8-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2140-9-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2140-10-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2140-11-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/464-15-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0004000000022ea3-20.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0004000000022ea3-21.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-22-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-23-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-24-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-25-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-26-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2140-28-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-34-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-35-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-36-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-40-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-41-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-43-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-45-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-46-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-47-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-48-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-49-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-50-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3268-51-0x0000000000400000-0x0000000001383000-memory.dmp	INDICATOR_EXE_Packed_ASPack

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0004000000022ea3-20.dat	aspack_v212_v242
behavioral2/files/0x0004000000022ea3-21.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
3268	85420O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Executes dropped EXE 1 IoCs

pid	Process
3268	85420O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Loads dropped DLL 3 IoCs

pid	Process
2140	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
3268	85420O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
3268	85420O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
464	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
464	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
2140	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
2140	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
3268	85420O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
3268	85420O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 2140	464	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	97
PID 464 wrote to memory of 2140	464	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	97
PID 464 wrote to memory of 2140	464	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	97
PID 2140 wrote to memory of 3268	2140	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	98
PID 2140 wrote to memory of 3268	2140	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	98
PID 2140 wrote to memory of 3268	2140	4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe	98

C:\Users\Admin\AppData\Local\Temp\4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
"C:\Users\Admin\AppData\Local\Temp\4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:464
- C:\Users\Admin\AppData\Local\Temp\4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
  C:\Users\Admin\AppData\Local\Temp\4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\9SFÓÎÏ·ºÐ×Ó\85420O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
    C:\9SFÓÎÏ·ºÐ×Ó\85420O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9SFÓÎÏ·ºÐ×Ó\85420O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Filesize
10.1MB

MD5
285f86a5af0c18c77156224d2f937889

SHA1
f79fb586a08e62372a3918031b8f9e73c895af0b

SHA256
59c42b3a4febf242701be12ee5a9e7dc5de684a77da968b693e69f435a777178

SHA512
93c91ae0a10b9488d97d7f9ce54c4ed68bec0a3461eac14344969067c2dcdf646317eca1b21cce8e929d35e6e1b7158e83ee50ac684864c91ba433d2b641a38a

Download Submit
C:\9SFÓÎÏ·ºÐ×Ó\85420O4af7ce679d3518834ab615e7f15975bb78820e4c3c142f1aad172726c16af061.exe

Filesize
14.7MB

MD5
f4ddcb82fdc204074b0c819b55a9e6b0

SHA1
19e7d4dd5cf3b135be157c21f10239072487305c

SHA256
98f86bfb125b7e405edd4fbeaa799aa7abef48ba898f65f130e423cf58ab0719

SHA512
853b01b1217fb844d5946a190618a5bdc616f48b0f326cd3b9f77ac79103e6313de47cf3cc6c18500b36b1360e7868bf5cd91c381761760d9dc99916f55a0538

Download Submit
C:\9SFÓÎÏ·ºÐ×Ó\node.dll

Filesize
13.5MB

MD5
1e6f8f4b291c1c36f4a8474c94e9ccfd

SHA1
6fddb2f5f5ed542334c8bff44ad19a6d11557f35

SHA256
cdf288acc451a8dc5c1abc50501fc035299e4c210f7d9abb5c1d860bd98a06e6

SHA512
303c796f08670176995f449f26d1d62e4cc8ae2eb58ebf40ffcc5b0f40b91d7df9102af9126fb4d4f2b99be560607ed7903f183449e8661b6e7bf28303715ccb

Download Submit
C:\9SFÓÎÏ·ºÐ×Ó\node.dll

Filesize
13.1MB

MD5
2a20369e68f771df08e83a29f909879c

SHA1
164878b4dc0ca37ad548720b5cf8705d616f278f

SHA256
e73583c9d2a761a30ac50d1960b047fce0473930bb16d0b4bd256385012d7eab

SHA512
bba7aa1905db329f87932da13a01e9e1c049bcfdd388bbaf8572bece98c780faf2d118e35457104d29778fd3661225c35db03f6e7b7423a2cb338be68491449a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230402.lib

Filesize
1.5MB

MD5
a8e76c0a95f5861d4dfbad4ad15cf98f

SHA1
93b0c9398eb812fba8055e2cb48dea7d711b3e15

SHA256
40bb565b262d266950dd1d5d2c40cdf935d6514a82eaecbbe0ac1d2f2455b8c4

SHA512
ac51f98bc8ed1b2f84f92fbf52184e0bad40a6d691687ab11a9cdfb723a74da805ed6453945d018d0458653f98be8484deaa98ae22c6d770b4a10a3412c67437

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.s

Filesize
102B

MD5
88db508fd5316eda9a82edb130996c10

SHA1
9008feb73bdc659b9903a2e57258492b4ec6d8e7

SHA256
7601a2938971491a32a424c92da52c6eb3691c98a99a1b3f415a8e46a5cb7cd2

SHA512
7aa60e90de5d1685ff5947d55adffc935e05d1f0ace4fa2d9288816e2e110aec5b0d307693940c66416f9ffe5517bf2054fa0433ae8f442bea38861a0865bb5d

Download Submit
memory/464-6-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/464-3-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/464-1-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/464-2-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/464-4-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/464-0-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/464-15-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2140-14-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/2140-7-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2140-11-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2140-8-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2140-10-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2140-9-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/2140-28-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-26-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-40-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-25-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-24-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-23-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-22-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-33-0x0000000024180000-0x0000000024181000-memory.dmp

Filesize
4KB

Download
memory/3268-34-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-35-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-36-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-39-0x0000000009610000-0x0000000009724000-memory.dmp

Filesize
1.1MB

Download
memory/3268-29-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/3268-41-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-42-0x0000000009610000-0x0000000009724000-memory.dmp

Filesize
1.1MB

Download
memory/3268-43-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-45-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-46-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-47-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-48-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-49-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-50-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download
memory/3268-51-0x0000000000400000-0x0000000001383000-memory.dmp

Filesize
15.5MB

Download

Analysis

Sharing