Malware Analysis Report

2025-01-22 12:26

Sample ID 240516-a9t4qsda54
Target 9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71
SHA256 9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71
Tags
aspackv2 persistence
score
10/10

Analysis Overview

score
10/10

SHA256

9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71

Threat Level: Known bad

The file 9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence

Detects executables packed with ASPack

Modifies AppInit DLL entries

ASPack v2.12-2.42

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Analysis: static1

Detonation Overview

Reported

2024-05-16 00:55

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 00:55

Reported

2024-05-16 00:57

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe"

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\wrvdfyg.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\wrvdfyg.exe | C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe | N/A
File created | C:\PROGRA~3\Mozilla\klztrnd.dll | C:\PROGRA~3\Mozilla\wrvdfyg.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\wrvdfyg.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2172 wrote to memory of 3036 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe
PID 2172 wrote to memory of 3036 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe
PID 2172 wrote to memory of 3036 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe
PID 2172 wrote to memory of 3036 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe

"C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {95425B78-01E2-46EA-B8C4-53B69FD23985} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\wrvdfyg.exe

C:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia

Network

N/A

Files

memory/1640-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1640-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1640-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1640-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1640-3-0x0000000000270000-0x00000000002CB000-memory.dmp

memory/1640-6-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1640-7-0x0000000000270000-0x00000000002CB000-memory.dmp

C:\PROGRA~3\Mozilla\wrvdfyg.exe

MD5 bf01c0405456924eee998af527198bd5
SHA1 2fc3f90fdc139ca7fafbc42f09fd9686be545278
SHA256 2e50d0ce7891ff26bc720133f573829946c97a6ac772f3015daa6b42a9f17b8e
SHA512 d288730cf00c16aed104043adfc1785d114e491f9d2aadb7adb7f541dea2cd36c9362b835c55a342114638d47c8b4b93ffdff19f33d48f776c12561bb52d5204

memory/3036-10-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3036-13-0x00000000002A0000-0x00000000002FB000-memory.dmp

memory/3036-14-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3036-16-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 00:55

Reported

2024-05-16 00:57

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe"

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\iodncyc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\iodncyc.exe | C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe | N/A
File created | C:\PROGRA~3\Mozilla\lrtatsc.dll | C:\PROGRA~3\Mozilla\iodncyc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe

"C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe"

C:\PROGRA~3\Mozilla\iodncyc.exe

C:\PROGRA~3\Mozilla\iodncyc.exe -szcyzql

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp

Files

memory/2168-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2168-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2168-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2168-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2168-3-0x0000000001F60000-0x0000000001FBB000-memory.dmp

C:\ProgramData\Mozilla\iodncyc.exe

MD5 66cae745ca1a9a48fae3b8c3de5e1c11
SHA1 88c1ae678462f54fbc4c3068714e4e94b41c8d5f
SHA256 af5cb06ef4d427a2a62b486c54c7a05fb5577fa21e0145640f4eccfd54850b9d
SHA512 8141e16b738d6c0974bb67a3085b4fdcb02bf013c79d0bf8d7d5f910392480516b4e6ac81cb4ee7933f6d9755285d03c2fa49094cc83f8ceff1617fc95a2f604

memory/2636-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2168-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2636-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2636-11-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2636-13-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2636-16-0x0000000000400000-0x000000000045B000-memory.dmp