Analysis

Max time kernel: 141s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 09/05/2024, 11:53

Static task: static1

Behavioral task: behavioral1
  Sample: ASPack.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: ASPack.exe
  Resource: win10v2004-20240508-en
General

Target: ASPack.exe
Size: 373KB
MD5: a8e5ccfab37f759f2914335d21181b9f
SHA1: e64244de48c410cf3b8452597d75c557cd4434bd
SHA256: 1df4d6648753095803f0fdffaffc39edfc908ffa66d4dca33a1b1d689175a3f0
SHA512: 329a6d2cb4385a0a53b808f072eaaad81630ecf851f9cc3a6746a2438c853dade6b97eb6701eee7ae909f952f8f331af5bb8b53b2059b289173549efcf0cc91e
SSDEEP: 6144:HqljTfN8OTNv+jotlGPbymiP8JPAvgWZpg3SyBwOJFfDn+aC0sytWnPV7srfh1QH:Hql3iiNCotlGDydP8JFWHXyG4FzW0XIF
Malware Config
Signatures

Writes to the Master Boot Record (MBR)  (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0  (process: ASPack.exe)
  Caveat: this IoC records a handle to the raw disk being opened with write access; the report does not show any bytes written to sector 0. Disk and disc-burning utilities open \??\PhysicalDrive0 the same way, and the same process registers a COM class backed by imapi2.dll further down. Before treating this as bootkit activity, confirm it by comparing the first 512 bytes of the disk before and after the run.
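The signature above proves write access to the raw disk, not a write. The following is an added example (not the sandbox's code) of the check a practitioner would run to confirm it: given two 512-byte captures of sector 0, one taken before detonation and one after, it parses the classic MBR layout, reports which region changed, and verifies that the partition table and the 0x55AA boot signature survived (a bootkit replaces the bootstrap code and leaves the partition table intact so the machine still boots). The two sector images are constructed for the example; read_sector0() reads a raw disk image, or \\.\PhysicalDrive0 itself when run as administrator on Windows.

```python
"""Confirm an MBR write by diffing sector 0 before and after detonation."""
from __future__ import annotations

import hashlib
import struct

SECTOR = 512
# Classic MBR layout: region name -> (offset, length)
REGIONS = {
    "bootstrap_code": (0, 440),
    "disk_signature": (440, 4),
    "reserved": (444, 2),
    "partition_table": (446, 64),
    "boot_signature": (510, 2),
}


def read_sector0(device_or_image: str) -> bytes:
    """First sector of a raw image file or, as admin on Windows, of \\\\.\\PhysicalDrive0."""
    with open(device_or_image, "rb") as fh:
        return fh.read(SECTOR)


def has_boot_signature(mbr: bytes) -> bool:
    return mbr[510:512] == b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Decode the four 16-byte partition entries, skipping empty slots."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, 446 + 16 * i)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": bool(status & 0x80), "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def diff_mbr(before: bytes, after: bytes) -> dict:
    """Which MBR regions changed, plus the checks that decide how to read the change."""
    changed = [name for name, (off, ln) in REGIONS.items()
               if before[off:off + ln] != after[off:off + ln]]
    return {
        "changed_regions": changed,
        "bootstrap_sha256_before": hashlib.sha256(before[:440]).hexdigest(),
        "bootstrap_sha256_after": hashlib.sha256(after[:440]).hexdigest(),
        "partition_table_intact": parse_partition_table(before) == parse_partition_table(after),
        "boot_signature_ok": has_boot_signature(after),
    }


def build_sample_mbr() -> bytes:
    """Constructed baseline (not from the report): stand-in boot code, one bootable NTFS partition."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\x33\xc0\x8e"                       # placeholder for real bootstrap code
    mbr[440:444] = b"\x12\x34\x56\x78"               # disk signature
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\x20\x21\x00", 0x07,
                     b"\xfe\xff\xff", 2048, 204800)  # type 0x07, LBA 2048, 100 MiB
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def simulate_bootkit_write(mbr: bytes) -> bytes:
    """Constructed 'after' image: bootstrap code overwritten, partition table untouched."""
    tampered = bytearray(mbr)
    tampered[0:16] = b"\xea\x00\x7c\x00\x00" + b"\x90" * 11   # far jump + NOP sled stand-in
    return bytes(tampered)


if __name__ == "__main__":
    baseline = build_sample_mbr()
    print(diff_mbr(baseline, simulate_bootkit_write(baseline)))
```

For a live check, hash sector 0 of the analysis VM before detonation and again afterwards (or pull the sector from the VM's disk image); a result whose only changed region is bootstrap_code while the partition table stays intact is the classic bootkit pattern, whereas an unchanged sector means the handle was opened but nothing was written.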
Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class  (60 IoCs)
All 60 operations below were performed by ASPack.exe. Taken together: the process registers an in-process COM class {3AF96771-4887-4673-F092-38A8F8D9CFD0} (default name "Avaca") whose InprocServer32 is C:\Windows\SysWOW64\imapi2.dll, with the ProgIDs IMAPI2.MsftDiscFormat2TrackAtOnce and IMAPI2.MsftDiscFormat2TrackAtOnce.1 and version 1.0; registers type library {1A7C0DCB-7E87-1C10-693A-00AF448E148F} version 2.0 named "Microsoft ActiveMovie Control", backed by C:\Windows\SysWow64\amcompat.tlb; associates the .key extension with the regfile class, so a .key file would be handled by the registry editor's .reg import handler; and writes ShellBag entries (BagMRU and Bags\1) recording a folder view of type Generic, which the shell writes when a folder is shown in Explorer or a common file dialog. The Wow6432Node and SysWOW64 paths are consistent with 32-bit code running on the x64 image.

COM class registration (HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}):
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\InprocServer32
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ProgID
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Programmable
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\TypeLib
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Version
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\VersionIndependentProgID
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ = "Avaca"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\InprocServer32\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\InprocServer32\ = "C:\\Windows\\SysWOW64\\imapi2.dll"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ProgID\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\ProgID\ = "IMAPI2.MsftDiscFormat2TrackAtOnce.1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Programmable\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\TypeLib\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\TypeLib\ = "{1A7C0DCB-7E87-1C10-693A-00AF448E148F}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Version\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\Version\ = "1.0"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\VersionIndependentProgID\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AF96771-4887-4673-F092-38A8F8D9CFD0}\VersionIndependentProgID\ = "IMAPI2.MsftDiscFormat2TrackAtOnce"

Type library registration (HKLM\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}):
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\win32
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\FLAGS
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\ = "Microsoft ActiveMovie Control"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\win32\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\0\win32\ = "C:\\Windows\\SysWow64\\amcompat.tlb"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\FLAGS\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A7C0DCB-7E87-1C10-693A-00AF448E148F}\2.0\FLAGS\ = "0"

File association (.key):
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"

ShellBag entries (HKU\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell):
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
  Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000007d573388122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe7d5733887d5733882a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000042000000
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000007d57c48b10204c6f63616c00380008000400efbe7d5733887d57c48b2a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a00310000000000a958aa5e102054656d700000360008000400efbe7d573388a958aa5e2a000000ff010000000002000000000000000000000000000000540065006d007000000014000000
  Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
  Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
  Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
  Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"
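The four BagMRU data values in the list above are Windows shell item ID lists, and decoding them tells you which folder the sample had the shell display. The following is an added example (not the sandbox's output) that parses those four blobs, copied verbatim from the report, following the publicly documented Windows Shell Item format (the libfwsi specification); it handles only the item types that occur here (root folder 0x1f, file entry 0x31, and the 0x74 delegate item that wraps a file entry). Walking the chain BagMRU\0 -> 0\0 -> 0\0\0 -> 0\0\0\0 yields the root CLSID {59031A47-3F72-44A7-89C5-5595FE6B30EE}, which shellbag tools resolve as the user-profile (Users Files) folder, followed by AppData\Local\Temp; the FAT timestamps embedded in the items put the Temp folder's modification time at 2024-05-09 11:53:20, matching the submission time, and the AppData folder's at 2023-11-29, matching the image build date.

```python
"""Decode the ShellBag (BagMRU) blobs from the registry operations above.

Each BagMRU value is a shell item ID list; walking BagMRU\\0 -> 0\\0 -> 0\\0\\0
-> 0\\0\\0\\0 recovers the folder whose view the shell recorded. Layout follows
the documented Windows Shell Item format (libfwsi); only the item types that
occur in this report are handled.
"""
from __future__ import annotations

import struct
import uuid
from dataclasses import dataclass

# Hex copied verbatim from the "Set value (data) ...\BagMRU\..." entries above.
# "00" * 14 is the zero run each blob carries after the MFT reference
# (8 unknown bytes, 2-byte localized-name size, 4 version-8 unknown bytes).
BAGMRU_CHAIN = [
    # BagMRU\0
    "14001f44471a0359723fa74489c55595fe6b30ee0000",
    # BagMRU\0\0
    "7e0074001c004346534616003100000000007d573388122041707044617461000000"
    "741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f"
    "3c0008000400efbe7d5733887d5733882a000000eb01000000000200" + "00" * 14
    + "41007000700044006100740061000000" "42000000",
    # BagMRU\0\0\0
    "4c003100000000007d57c48b10204c6f63616c00380008000400efbe7d573388"
    "7d57c48b2a000000fe01000000000200" + "00" * 14
    + "4c006f00630061006c00000014000000",
    # BagMRU\0\0\0\0
    "4a00310000000000a958aa5e102054656d700000360008000400efbe7d573388"
    "a958aa5e2a000000ff01000000000200" + "00" * 14
    + "540065006d007000000014000000",
]
EXT_SIG = b"\x04\x00\xef\xbe"  # 0xbeef0004 extension block signature, little-endian


def fat_datetime(raw: bytes) -> str:
    """Decode a 4-byte FAT/DOS timestamp (date word followed by time word)."""
    date, time = struct.unpack("<HH", raw)
    if not date:
        return ""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


@dataclass
class ShellItem:
    kind: str
    name: str
    modified: str = ""
    created: str = ""
    accessed: str = ""


def _beef0004(ext: bytes) -> tuple[str, str, str]:
    """Long name, creation and access time from a 0xbeef0004 extension block."""
    version = struct.unpack_from("<H", ext, 2)[0]
    created, accessed = fat_datetime(ext[8:12]), fat_datetime(ext[12:16])
    off = 18                      # size, version, signature, two timestamps, 2 unknown
    if version >= 7:
        off += 2 + 8 + 8          # unknown, MFT file reference, unknown
    if version >= 3:
        off += 2                  # localized-name string size (0 in these blobs)
    if version >= 9:
        off += 4
    if version >= 8:
        off += 4
    end = off                     # UTF-16LE name, terminated by a zero code unit
    while end + 1 < len(ext) and ext[end:end + 2] != b"\x00\x00":
        end += 2
    return ext[off:end].decode("utf-16-le"), created, accessed


def _file_entry(item: bytes, base: int) -> ShellItem:
    """Type 0x3x entry at `base`: FAT mtime at +8, attributes at +12, ANSI name at +14."""
    attrs = struct.unpack_from("<H", item, base + 12)[0]
    kind = "folder" if attrs & 0x10 else "file"
    name = item[base + 14:item.index(b"\x00", base + 14)].decode("cp1252")
    created = accessed = ""
    sig = item.find(EXT_SIG, base)
    if sig >= 4:                  # extension block starts 4 bytes before its signature
        ext_size = struct.unpack_from("<H", item, sig - 4)[0]
        name, created, accessed = _beef0004(item[sig - 4:sig - 4 + ext_size])
    return ShellItem(kind, name, fat_datetime(item[base + 8:base + 12]), created, accessed)


def parse_item(item: bytes) -> ShellItem:
    kind = item[2]
    if kind == 0x1F:                                # root folder: CLSID at +4
        return ShellItem("root", "{%s}" % str(uuid.UUID(bytes_le=item[4:20])).upper())
    if kind == 0x74 and item[6:10] == b"CFSF":      # delegate: embedded file entry at +10
        return _file_entry(item, 10)
    if (kind & 0x70) == 0x30:
        return _file_entry(item, 0)
    raise ValueError("unhandled shell item type 0x%02x" % kind)


def parse_idlist(hexblob: str) -> list[ShellItem]:
    """Split an ItemIDList (size-prefixed items, 2-byte zero terminator) into items."""
    data, off, items = bytes.fromhex(hexblob), 0, []
    while off + 2 <= len(data):
        size = struct.unpack_from("<H", data, off)[0]
        if size == 0:
            break
        items.append(parse_item(data[off:off + size]))
        off += size
    return items


def walk_chain(chain: list[str] = BAGMRU_CHAIN) -> list[ShellItem]:
    """Each BagMRU level holds one item; in order they spell out the viewed folder."""
    return [item for blob in chain for item in parse_idlist(blob)]


def browsed_path(chain: list[str] = BAGMRU_CHAIN) -> str:
    return "\\".join(item.name for item in walk_chain(chain))


if __name__ == "__main__":
    for it in walk_chain():
        print(f"{it.kind:6} {it.name:40} mod={it.modified} created={it.created} acc={it.accessed}")
    print(browsed_path())
```

The same decoder applies to BagMRU values pulled from a live UsrClass.dat hive; here it shows that the process displayed a folder view of %LOCALAPPDATA%\Temp, which is what a common file dialog or an in-process shell browse leaves behind.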
Suspicious use of SetWindowsHookEx  (1 IoC)
  PID 1372: ASPack.exe