Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 16-05-2024 00:55
Behavioral task: behavioral1
- Sample: 9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe
- Resource: win10v2004-20240508-en
General
- Target: 9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe
- Size: 137KB
- MD5: 1e2982b931241693f424227d9f8f2a22
- SHA1: 931215b5ba1ae459851e333b2c334d6530749db1
- SHA256: 9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71
- SHA512: f80dec4f7d81e3f49ad736bd5b989fe9ef0d86245e6df56ece5ab63d0879fc975b62c62e6d362aaa384c4d9ddbef687961889ea1bb4cc64d1cc209342dd489bf
- SSDEEP: 3072:AE9ByF5wP7Ht99mbaa+vKAzWvSVJSwpi6DsB:7907wTr9mea+i6WKQJ
Malware Config
Signatures
- Detects executables packed with ASPack (5 IoCs)
  resource | yara_rule
  behavioral1/memory/1640-0-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack
  behavioral1/memory/1640-2-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack
  behavioral1/memory/1640-1-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack
  behavioral1/files/0x00320000000139f1-8.dat | INDICATOR_EXE_Packed_ASPack
  behavioral1/memory/3036-10-0x0000000000400000-0x000000000045E000-memory.dmp | INDICATOR_EXE_Packed_ASPack
- Modifies AppInit DLL entries (2 TTPs)
- resource | yara_rule
  behavioral1/files/0x00320000000139f1-8.dat | aspack_v212_v242
- Executes dropped EXE (1 IoCs)
  pid | Process
  3036 | wrvdfyg.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\wrvdfyg.exe | 9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe
  File created | C:\PROGRA~3\Mozilla\klztrnd.dll | wrvdfyg.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1640 | 9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe
  3036 | wrvdfyg.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2172 wrote to memory of 3036 | 2172 | taskeng.exe | 29
  PID 2172 wrote to memory of 3036 | 2172 | taskeng.exe | 29
  PID 2172 wrote to memory of 3036 | 2172 | taskeng.exe | 29
  PID 2172 wrote to memory of 3036 | 2172 | taskeng.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe"
  Depth: 1
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID: 1640
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {95425B78-01E2-46EA-B8C4-53B69FD23985} S-1-5-18:NT AUTHORITY\System:Service:
  Depth: 1
  - Suspicious use of WriteProcessMemory
  PID: 2172
  - C:\PROGRA~3\Mozilla\wrvdfyg.exe
    Command line: C:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia
    Depth: 2
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID: 3036
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 137KB
- MD5: bf01c0405456924eee998af527198bd5
- SHA1: 2fc3f90fdc139ca7fafbc42f09fd9686be545278
- SHA256: 2e50d0ce7891ff26bc720133f573829946c97a6ac772f3015daa6b42a9f17b8e
- SHA512: d288730cf00c16aed104043adfc1785d114e491f9d2aadb7adb7f541dea2cd36c9362b835c55a342114638d47c8b4b93ffdff19f33d48f776c12561bb52d5204