Malware Analysis Report

2025-01-22 12:25

Sample ID 240516-eb878aba63
Target d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f
SHA256 d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f
Tags aspackv2 bootkit persistence spyware stealer
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 9/10

SHA256 d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f

Threat Level: Likely malicious

The file d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f was found to be: Likely malicious.

Malicious Activity Summary

Tags aspackv2 bootkit persistence spyware stealer

Signatures triggered across the static and behavioral analyses (details per detonation below):

Detects executables containing base64 encoded User Agent

Blocklisted process makes network request

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

ASPack v2.12-2.42

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 03:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 03:47

Reported

2024-05-16 03:49

Platform

win7-20240221-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe"

Signatures

Detects executables containing base64 encoded User Agent

Description Indicator Process Target
N/A N/A N/A N/A (7 matches, no details recorded)

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\scawb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\scawb.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\xvewc\\rlsor.dll\",AbortProc" \??\c:\windows\SysWOW64\rundll32.exe N/A

Note: the EvtMgr value lives under the user's own Run key (HKCU), so the dropped DLL is re-launched through rundll32 at each logon of that account, with AbortProc as the export rundll32 calls. The directory and DLL name differ in behavioral2 while the DLL hash is identical, so the path is not a stable indicator; the value name EvtMgr and the rundll32-with-DLL-export shape are.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: through \??\z: except c:, d: and f: (23 entries: a b e g h i j k l m n o p q r s t u v w x y z) \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Note: this signature fires on a handle opened with write access to the raw disk (\??\PHYSICALDRIVE0); the report records no sector data, so an actual overwrite of sector 0 is not confirmed here. Raw-disk handles are also opened by samples that only read the disk for fingerprinting, so confirm by dumping sector 0 from the detonated VM and comparing it with a clean image before treating the bootkit tag as established.

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (2 entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe N/A
N/A N/A \??\c:\scawb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2916 (4 entries) N/A C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2308 (4 entries) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2916 wrote to memory of 2224 (4 entries) N/A C:\Windows\SysWOW64\cmd.exe \??\c:\scawb.exe
PID 2224 wrote to memory of 1272 (7 entries) N/A \??\c:\scawb.exe \??\c:\windows\SysWOW64\rundll32.exe

Note: every write goes from a parent into the child it has just started (sample -> cmd.exe -> PING.EXE / scawb.exe -> rundll32), which is consistent with Windows 7 process creation writing the new process's parameters from user mode rather than with code injection; the Windows 10 detonation (behavioral2) shows no WriteProcessMemory entries for the same chain. Treat the PID pairs as process-tree evidence, not as injection evidence, unless a dump of the child shows foreign code.

Processes

C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe

"C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\scawb.exe "C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\scawb.exe

c:\scawb.exe "C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\xvewc\rlsor.dll",AbortProc c:\scawb.exe

Process chain: the sample starts cmd.exe, which runs ping 127.0.0.1 -n 2 purely as a short delay (two echo requests to loopback) and then, because of the single & rather than &&, starts c:\scawb.exe regardless of the ping result, passing the original sample path as its only argument; that argument is what the dropped copy needs to remove the original (the "Deletes itself" signature). scawb.exe then launches rundll32 with the dropped DLL and its AbortProc export. The command line names c:\windows\system32\rundll32.exe while the recorded image is SysWOW64\rundll32.exe: the sample is a 32-bit (ASPack-packed) binary, so WOW64 file-system redirection maps system32 to SysWOW64 for it and for all of its children.

Network

Country Destination Domain Proto (- = no domain recorded; repeated rows collapsed with a count)
US 67.229.62.198:803 - tcp (2 connections)
US 67.229.62.194:3201 - tcp (4 connections)
US 67.229.62.197:805 - tcp (4 connections)

Files

memory/2852-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2852-2-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\scawb.exe

MD5 fe248769e72e3e7957b8997870f8f246
SHA1 45e6c0f3b1048ca5337315d1b4e7a6ccb8b9a634
SHA256 d16d68d06d83a6da012a044dacfeeab04faca0aede5d0db03249ebd4f6b88b2b
SHA512 d127916f705f0c10bd09ddbff13cfc2374eebee0d51cb1f49d7b9e83ce04cb49f836b3e5941d4c351b5c638a2c0c17d390c40069887e62b205117cd332a7db1f

memory/2224-6-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2916-5-0x0000000000260000-0x0000000000288000-memory.dmp

memory/2224-8-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\xvewc\rlsor.dll

MD5 a2c2137ff7abf6be6bcae4252c394a69
SHA1 07b402104df563f9486c2eef975fee70f65a5145
SHA256 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03
SHA512 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9

memory/1272-14-0x0000000010000000-0x0000000010036000-memory.dmp (same region dumped again as 1272-15, -16, -17, -18, -19, -21, -25, -26, -27)

memory/1272-20-0x0000000010033000-0x0000000010034000-memory.dmp

Note: the 0x10000000-0x10036000 region in PID 1272 (rundll32) is 0x36000 bytes at the conventional default image base of a 32-bit DLL, consistent with the dropped rlsor.dll mapped without relocation; the single-page dump at 0x10033000 falls inside it.

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 03:47

Reported

2024-05-16 03:49

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe"

Signatures

Detects executables containing base64 encoded User Agent

Description Indicator Process Target
N/A N/A N/A N/A (7 matches, no details recorded)

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\uuokmjvkq.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\uuokmjvkq.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\sjuvmnj\\rqsve.dll\",AbortProc" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: through \??\z: except c:, d: and f: (23 entries: a b e g h i j k l m n o p q r s t u v w x y z) \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Note: as in behavioral1, the indicator is a write-access handle to the raw disk, not a recorded sector write; the same verification (dump sector 0 and compare with a clean image) applies.
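Both MBR signatures above (behavioral1 and behavioral2) rest on a write-access handle to \??\PHYSICALDRIVE0, so the follow-up check is to pull sector 0 from the detonated VM and compare it with a known-good copy. The script below is an added example for that check and is not part of this report or of the sandbox's tooling: build_mbr constructs a baseline sector and a tampered variant as test data (the boot-code bytes and partition layout are invented for the example), parse_mbr decodes the boot signature, disk signature, bootstrap-code hash and partition table, diff_mbr lists what changed, and read_physical_drive0 shows how the live sector would be read on Windows (elevated token required; not exercised here).

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440         # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG_OFF = 510         # 0x55 0xAA
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, LBA count


def build_mbr(boot_code: bytes, partitions, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a 512-byte MBR image. Constructed test data, not taken from the sample."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code must fit in 440 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[: len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba_start, lba_count) in enumerate(partitions[:4]):
        status = 0x80 if bootable else 0x00
        # CHS fields are left zeroed; modern firmware and loaders use the LBA fields.
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, lba_count)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields an analyst compares after a 'writes to MBR' alert."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, lba_count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                     # type 0 marks an unused slot
            partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "lba_count": lba_count})
    return {
        "boot_sig_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Findings describing how `current` departs from a trusted `baseline` sector."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["boot_sig_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("bootstrap code modified")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def read_physical_drive0() -> bytes:
    """Read sector 0 of the first disk on Windows (needs an elevated token; not run here)."""
    with open(r"\\.\PhysicalDrive0", "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


# Constructed baseline: a conventional prologue (cli / xor ax,ax / mov ss,ax / mov sp,7C00h)
# followed by one bootable NTFS partition. The tampered sector swaps the bootstrap code for
# a tight loop (jmp $), which is enough to show what diff_mbr reports.
GOOD_BOOT_CODE = b"\xfa\x31\xc0\x8e\xd0\xbc\x00\x7c"
PARTS = [(True, 0x07, 2048, 204800)]
BASELINE_MBR = build_mbr(GOOD_BOOT_CODE, PARTS)
TAMPERED_MBR = build_mbr(b"\xeb\xfe", PARTS)

if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR))
    print(diff_mbr(BASELINE_MBR, TAMPERED_MBR))
```

Take the baseline from the clean VM snapshot, not from the detonated one. An overwritten bootstrap with an intact 0x55AA signature and an unchanged partition table is exactly what an MBR bootkit leaves behind, and diff_mbr reports that case as a bootstrap change only, so a finding list containing nothing but "bootstrap code modified" is the result to escalate.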

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (4 entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe N/A
N/A N/A \??\c:\uuokmjvkq.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe

"C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\uuokmjvkq.exe "C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\uuokmjvkq.exe

c:\uuokmjvkq.exe "C:\Users\Admin\AppData\Local\Temp\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\sjuvmnj\rqsve.dll",AbortProc c:\uuokmjvkq.exe

Process chain: identical to behavioral1 (ping delay through cmd.exe, dropped copy started with the original sample path, rundll32 calling the dropped DLL's AbortProc export, system32 redirected to SysWOW64 for the 32-bit process); only the dropped file and directory names differ.
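The two Processes sections show the same launcher chain with freshly generated names. The script below, an added example rather than report output, turns that chain into checks that can be run over any sandbox process list: it recognises the ping-as-delay launcher, the rundll32 "<dll>",<export> shape (used both for the process command line and for the Run value), and the system32-versus-SysWOW64 mismatch that marks a 32-bit process under WOW64. The records are transcribed from behavioral1; the image/cmdline field names, the run_values dictionary and the finding strings are this example's own conventions.

```python
import re
from typing import Dict, List, Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d2eb10ebe6ac13f003bbad5cea8fa1dafe2e25c786d9e112fe49cbc8fa92304f.exe")

# cmd.exe /c ping 127.0.0.1 -n N&<dropped>.exe "<original>": a loopback ping as a delay,
# then the dropped copy is started with the original sample path as its only argument.
PING_THEN_EXEC = re.compile(
    r'ping\s+127\.0\.0\.1\s+-n\s+(?P<count>\d+)\s*&\s*'
    r'(?P<dropped>[A-Za-z]:\\[^\s"&]+\.exe)\s+"(?P<orig>[^"]+)"', re.IGNORECASE)
# rundll32 "<dll>",<export> ...  (also the shape of the Run value written for persistence)
RUNDLL32 = re.compile(r'rundll32\.exe\s+"(?P<dll>[^"]+)",(?P<export>\w+)', re.IGNORECASE)


def parse_ping_then_exec(cmdline: str) -> Optional[Dict[str, object]]:
    m = PING_THEN_EXEC.search(cmdline)
    if not m:
        return None
    return {"ping_count": int(m["count"]), "dropped": m["dropped"], "original": m["orig"]}


def parse_rundll32(cmdline: str) -> Optional[Dict[str, str]]:
    m = RUNDLL32.search(cmdline)
    return m.groupdict() if m else None


def wow64_redirected(image: str, cmdline: str) -> bool:
    """The command line names system32 but the image is SysWOW64: file-system redirection
    was applied, i.e. the process (and whatever started it) is 32-bit code under WOW64."""
    return "\\syswow64\\" in image.lower() and "\\system32\\" in cmdline.lower()


def triage(processes: List[Dict[str, str]], run_values: Dict[str, str]) -> List[str]:
    """Return one finding string per recognised pattern; empty list means nothing matched."""
    findings = []
    for p in processes:
        image, cmd = p["image"], p["cmdline"]
        chain = parse_ping_then_exec(cmd)
        if chain:
            findings.append(f"delay-then-exec: {chain['dropped']} given original path "
                            f"{chain['original']} (ping -n {chain['ping_count']})")
        rd = parse_rundll32(cmd)
        if rd:
            findings.append(f"rundll32 calls {rd['export']} in {rd['dll']}")
        if wow64_redirected(image, cmd):
            findings.append(f"WOW64 redirection: cmdline says system32, image is {image}")
    for name, data in run_values.items():
        rd = parse_rundll32(data)
        if rd:
            findings.append(f"Run value {name}: rundll32 {rd['dll']},{rd['export']} at logon")
    return findings


# Process records and Run value transcribed from the behavioral1 detonation above.
BEHAVIORAL1_PROCESSES = [
    {"image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd.exe /c ping 127.0.0.1 -n 2&c:\\scawb.exe "{SAMPLE}"'},
    {"image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1 -n 2"},
    {"image": r"\??\c:\scawb.exe", "cmdline": f'c:\\scawb.exe "{SAMPLE}"'},
    {"image": r"\??\c:\windows\SysWOW64\rundll32.exe",
     "cmdline": r'c:\windows\system32\rundll32.exe "c:\xvewc\rlsor.dll",AbortProc c:\scawb.exe'},
]
BEHAVIORAL1_RUN_VALUES = {
    "EvtMgr": r'c:\windows\SysWOW64\rundll32.exe "c:\xvewc\rlsor.dll",AbortProc',
}

if __name__ == "__main__":
    for line in triage(BEHAVIORAL1_PROCESSES, BEHAVIORAL1_RUN_VALUES):
        print(line)
```

The regexes deliberately key on structure (loopback ping followed by & and a quoted path; a quoted DLL followed by ,export) rather than on the random names, because the names are regenerated on every run while the structure is what both detonations share.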

Network

Country Destination Domain Proto (- = no domain recorded)
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 67.229.62.198:803 - tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 67.229.62.194:3201 - tcp
US 67.229.62.197:805 - tcp
US 67.229.62.197:805 - tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 67.229.62.197:805 - tcp
US 67.229.62.194:3201 - tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.111.227.11:443 - tcp
US 67.229.62.194:3201 - tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 67.229.62.194:3201 - tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 67.229.62.194:3201 - tcp
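Behavioral2 ran on Windows 10 and mixes resolver lookups, reverse lookups and bing.com traffic into its table, while behavioral1 shows only the three 67.229.62.x destinations. The script below is an added example, not report output, for separating the two: it parses both tables as transcribed from this report, drops traffic that matches a background heuristic (UDP to the resolver on port 53, .in-addr.arpa reverse lookups, bing.com; an assumption about this sandbox image, not a fact from the report) and reports the destinations that recur in every detonation with their per-run counts, plus the ones seen in only one run so they can be reviewed rather than blocked.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Transcribed from the Network tables of both detonations; "-" marks an empty Domain cell.
BEHAVIORAL1_NET = """
US 67.229.62.198:803 - tcp
US 67.229.62.198:803 - tcp
US 67.229.62.194:3201 - tcp
US 67.229.62.197:805 - tcp
US 67.229.62.197:805 - tcp
US 67.229.62.197:805 - tcp
US 67.229.62.197:805 - tcp
US 67.229.62.194:3201 - tcp
US 67.229.62.194:3201 - tcp
US 67.229.62.194:3201 - tcp
"""
BEHAVIORAL2_NET = """
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 67.229.62.198:803 - tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 67.229.62.194:3201 - tcp
US 67.229.62.197:805 - tcp
US 67.229.62.197:805 - tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 67.229.62.197:805 - tcp
US 67.229.62.194:3201 - tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.111.227.11:443 - tcp
US 67.229.62.194:3201 - tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 67.229.62.194:3201 - tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 67.229.62.194:3201 - tcp
"""

# Assumption for this example: resolver traffic, reverse lookups and Bing traffic are
# Windows 10 background noise from the sandbox image, not sample activity. Tune per image.
BACKGROUND_DOMAIN_SUFFIXES = (".in-addr.arpa", "bing.com")


def parse_rows(table: str) -> List[Dict[str, str]]:
    rows = []
    for line in table.strip().splitlines():
        country, dest, domain, proto = line.split()
        rows.append({"country": country, "dest": dest,
                     "domain": "" if domain == "-" else domain, "proto": proto})
    return rows


def is_background(row: Dict[str, str]) -> bool:
    if row["proto"] == "udp" and row["dest"].endswith(":53"):
        return True
    return row["domain"].endswith(BACKGROUND_DOMAIN_SUFFIXES)


def destination_counts(rows: List[Dict[str, str]]) -> Counter:
    """Connection count per ip:port with background traffic excluded."""
    return Counter(r["dest"] for r in rows if not is_background(r))


def shared_destinations(*runs: List[Dict[str, str]]) -> List[Tuple[str, Tuple[int, ...]]]:
    """Destinations contacted in every detonation, with the per-run hit count.
    Recurring across different OS images is what separates C2 candidates from noise."""
    counts = [destination_counts(r) for r in runs]
    shared = set.intersection(*(set(c) for c in counts))
    return sorted((d, tuple(c[d] for c in counts)) for d in shared)


def single_run_destinations(*runs: List[Dict[str, str]]) -> List[str]:
    """Non-background destinations seen in only one run: review them, do not block blindly."""
    counts = [destination_counts(r) for r in runs]
    seen_in = Counter(d for c in counts for d in c)
    return sorted(d for d, n in seen_in.items() if n == 1)


if __name__ == "__main__":
    run1, run2 = parse_rows(BEHAVIORAL1_NET), parse_rows(BEHAVIORAL2_NET)
    print(shared_destinations(run1, run2))
    print(single_run_destinations(run1, run2))
```

The three ip:port pairs on non-standard ports (803, 805, 3201) recur on both OS images, which is what makes them C2 candidates; 52.111.227.11:443 appears only in the Windows 10 run and without a domain, so it is left for manual review instead of being folded into the indicator set.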

Files

memory/4008-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4008-2-0x0000000000400000-0x0000000000428000-memory.dmp

C:\uuokmjvkq.exe

MD5 93c76cbab9e5a6cf589f3fb29c8a3859
SHA1 48e1c0e365fcea3e40c36dc643d2904c1c04e901
SHA256 a4742af6d48934b763ba1d7cf84c99fbf8db82656cf03aa6a5a09aa125443024
SHA512 9ced021a5c19419af0388ab5c39aa4135bcdb717d8452e792fcbf73c4981c193a942ac82031562d64515fdb06debf499840293bfc71c9cd7f01e3a734c28fdbd

Note: the dropped copy hashes differently from the original sample (d2eb10eb...) and from behavioral1's c:\scawb.exe (SHA256 d16d68d0...), so the dropped EXE is rewritten on each run and its hash is not a usable indicator; the randomly named EXE in the root of c:\ is the more consistent artifact.

memory/2812-6-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2812-8-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\sjuvmnj\rqsve.dll

MD5 a2c2137ff7abf6be6bcae4252c394a69
SHA1 07b402104df563f9486c2eef975fee70f65a5145
SHA256 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03
SHA512 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9

Note: identical hashes to behavioral1's c:\xvewc\rlsor.dll. The DLL body is fixed across runs and only its directory and file name change, so this SHA256 is the strongest file indicator in the report.

memory/2264-11-0x0000000010000000-0x0000000010036000-memory.dmp (same region dumped again as 2264-12, -13, -14, -15, -17, -19)