f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3

General

Target

f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
Size

7.0MB
MD5

6fefce66c033ab32cb9abb593aaa6871
SHA1

43f6ab4e141ac61d0bb6ed42ebdeb4dabacd21c9
SHA256

f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3
SHA512

e53c3588f0b8137663848f7d28a3506a4da7a16969aab57280669330d620227c86ae645768d563edd3ea21bb55407d145b81111ba79fc72118363ffb9de2ac3d
SSDEEP

196608:ApYo36Iydc1IAxHbG6rjYrz9IXmO/r/rPOGSePUcSUj:g6IzeANC6PY1Q/rTOGSecMj

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0035000000015609-7.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2768	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe

Loads dropped DLL 3 IoCs

pid	Process
2116	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
2116	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
2768	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\R:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\W:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\I:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\N:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\O:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\Y:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\L:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\H:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\J:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\P:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\S:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\U:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\X:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\G:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\B:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\E:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\M:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\Q:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\T:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\V:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\Z:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
File opened (read-only)	\??\A:	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2116	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
2116	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
2116	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
2116	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
2116	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
2768	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
2768	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
2768	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
2768	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
2768	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2768	2116	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe	29
PID 2116 wrote to memory of 2768	2116	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe	29
PID 2116 wrote to memory of 2768	2116	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe	29
PID 2116 wrote to memory of 2768	2116	f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe	29

C:\Users\Admin\AppData\Local\Temp\f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
"C:\Users\Admin\AppData\Local\Temp\f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\ÍÀÁú´«Ææ\f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
  C:\ÍÀÁú´«Ææ\f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25079bcdfacfd06293408201a2035b9e.txt

Filesize
12B

MD5
b79cd9723b56283e44163f04ca15a734

SHA1
df2927a94d68cd8888a00c9e4e8f456968c920b9

SHA256
6fb46317b6ab58f39a0c68bb8a83fa0e5f32d829283e832abe279a72fe9a935a

SHA512
0763a2660e1cb491eb303a24c384cc64474b8af34e405e74617155aa9361ca262374fd16f8fd0d2d26878dfc87e2f32d405ff3c7427fa79f66aba860f2669eba

Download Submit
\ÍÀÁú´«Ææ\f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3.exe

Filesize
7.0MB

MD5
6fefce66c033ab32cb9abb593aaa6871

SHA1
43f6ab4e141ac61d0bb6ed42ebdeb4dabacd21c9

SHA256
f8438eaecd4b5ef43222567a8401434be487490e62abf5bbb9cb11121192dcb3

SHA512
e53c3588f0b8137663848f7d28a3506a4da7a16969aab57280669330d620227c86ae645768d563edd3ea21bb55407d145b81111ba79fc72118363ffb9de2ac3d

Download Submit
memory/2116-2-0x00000000004F7000-0x00000000004F8000-memory.dmp

Filesize
4KB

Download
memory/2116-3-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/2768-17-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/2768-16-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download
memory/2768-23-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing