Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/04/2024, 03:02
Behavioral task: behavioral1
Sample: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe
Resource: win10v2004-20240226-en
General
Target: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe
Size: 151KB
MD5: 82fa99987d4a4e4c6add3bfecddd43d9
SHA1: 01a86a7262e5430b2b6ec0e88fe2e4e29497c148
SHA256: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb
SHA512: 24d60f2c7fa8be61d28b95c941435209278304cc9f37835bd3e9ae41b1baf93271ee3b6352a4923d2acdf1e396133071d1092e9ffda5c75b327370038637532b
SSDEEP: 1536:oOoq1XuNCQy7vm9iV+sW6VQcFa/SNmBtBneGr4qjOOiE5gVehKOjNrG58Z3qOT/w:SK66hW6k6uBneGEq6OiE5uehKyazo/w
Malware Config
Signatures
Detects executables packed with ASPack (15 IoCs)
resource: behavioral2/files/0x000700000002321f-9.dat, yara_rule: aspack_v212_v242
Executes dropped EXE (1 IoC)
PID 1492: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mshlta = "mshlta.exe" (process: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe)
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only): \??\A: (process: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe)
File opened (read-only): \??\B: (process: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (8 IoCs)
All of the following were performed by d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe:
- File opened for modification: C:\Windows\HelpPane.exe
- File created: C:\Windows\HelpPane.exe
- File opened for modification: C:\Windows\splwow64.exe
- File created: C:\Windows\splwow64.exe
- File opened for modification: C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\CameraBarcodeScannerPreview.exe
- File created: C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\CameraBarcodeScannerPreview.exe
- File opened for modification: C:\Windows\explorer.exe
- File created: C:\Windows\explorer.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeTcbPrivilege, PID 2132, svchost.exe
- Token: SeRestorePrivilege, PID 2132, svchost.exe
- Token: SeTcbPrivilege, PID 2132, svchost.exe
- Token: SeRestorePrivilege, PID 2132, svchost.exe
- Token: SeTcbPrivilege, PID 2132, svchost.exe
- Token: SeRestorePrivilege, PID 2132, svchost.exe
Suspicious use of FindShellTrayWindow (1 IoC)
PID 1492: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe
Suspicious use of SetWindowsHookEx (1 IoC)
PID 1492: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 1440 wrote to memory of 1492 (process: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe, procid_target: 91)
- PID 1440 wrote to memory of 1492 (process: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe, procid_target: 91)
- PID 1440 wrote to memory of 1492 (process: d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe, procid_target: 91)
- PID 2132 wrote to memory of 2940 (process: svchost.exe, procid_target: 93)
- PID 2132 wrote to memory of 2940 (process: svchost.exe, procid_target: 93)
- PID 2132 wrote to memory of 4188 (process: svchost.exe, procid_target: 94)
- PID 2132 wrote to memory of 4188 (process: svchost.exe, procid_target: 94)
- PID 2132 wrote to memory of 952 (process: svchost.exe, procid_target: 96)
- PID 2132 wrote to memory of 952 (process: svchost.exe, procid_target: 96)
Processes
C:\Users\Admin\AppData\Local\Temp\d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1440
    C:\Users\Admin\AppData\Local\Temp\ d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID: 1492
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2132
    C:\Windows\system32\dashost.exe
    Command line: dashost.exe {df152304-f587-40f4-85ee4548f7c8460a}
    PID: 2940
    C:\Windows\system32\dashost.exe
    Command line: dashost.exe {3d526bea-ae45-4c51-9bd773b3329c108a}
    PID: 4188
    C:\Windows\system32\dashost.exe
    Command line: dashost.exe {0a2e541a-e15d-4517-85ff3782b247422b}
    PID: 952
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\ d09039c17434d523b01e13468ed9446dc26c9a8061875a654de8747605df20eb.exe
Filesize: 81KB
MD5: 321b68d735ace871f0925934911044c1
SHA1: e8a5e39dddd1d595bdd43639c0ed1e6ffb537563
SHA256: f2fdb7bf291962f08f575b94a3701217fe35b74bfa389f4ef241246ffe2a61f9
SHA512: a7ce9f0d08076648c679871d04df52e2b91a93316922c586735ec8ace25d077cb798e465c79532f332f028b3c77e16eb8d7f3269bc9a374ffdbc97840fe0547b

Filesize: 70KB
MD5: f8b821b34d4c35253cea622ccae97b3e
SHA1: f0a9c97031a802de62a55e80234188219eb73f04
SHA256: d40117b82bd74498d3d0e5c5ffc7dda9b5eaa393cd03528b7d102a541d85b418
SHA512: ef0276fe604f9fb58f13db9cc5de7dc19cbf6bb9f4c4eb0546d543f864d63c544d3466d25823084159caea0ead0966f6f11cb0e5dc53314f3105cc848b747164