187a3166a30025e565136799632ef7661513ea257c4dbaa9251aaec973d64d65

Analysis

max time kernel
19s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0f648d9e694e58391ffe778f16529d0N.exe
Size

259KB
MD5

a0f648d9e694e58391ffe778f16529d0
SHA1

ef841a1ca3db7608ed041650ab97470a5abb0b77
SHA256

187a3166a30025e565136799632ef7661513ea257c4dbaa9251aaec973d64d65
SHA512

a57ea530c9c3551581903251b36d7064e810040bffd038220178e75af01223f15accb1b04250474004f08113de9b42ceecafd4bbe5b09d7e642b74db26dbe541
SSDEEP

1536:C5JeZFIF5l3I3CbUqdIxCj8ce9PZ+idI1Ax+i2hTltdJJRaCAd1uhNRs8bzu5VAV:C5wTIFT3uCl8ZBbdI6+PltdxcwiAV

Score

7^/10

aspackv2 spyware stealer

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000017342-8.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2444	a0f648d9e694e58391ffe778f16529d0N.exe.exe

Loads dropped DLL 1 IoCs

pid	Process
1820	a0f648d9e694e58391ffe778f16529d0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\bin\orbd.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\java\jre7\bin\policytool.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\microsoft office\office14\msosync.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\microsoft office\office14\selfcert.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\uninstall.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\microsoft games\spidersolitaire\spidersolitaire.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\jar.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\bin\ktab.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jre7\bin\klist.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\office14\msoxmled.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\odeploy.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\microsoft office\office14\mspub.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\google\chrome\application\106.0.5249.119\installer\chrmstp.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\google\chrome\application\106.0.5249.119\notification_helper.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\inputpersonalization.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\native2ascii.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jre7\bin\keytool.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\office14\oarpmany.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\winword.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\mst.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jre7\lib\zi\mst	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\ink\mip.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\xjc.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\adobe\reader 9.0\setup files\{ac76ba86-7ad7-1033-7b44-a90000000001}\setup.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\shapecollector.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\microsoft office\office14\xlicons.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jre7\bin\java.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\microsoft games\purble place\purbleplace.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\java\jre7\lib\zi\mst	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\java\jre7\lib\zi\wet	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\unpack200.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\internet explorer\iexplore.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\microsoft office\office14\outlook.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\jinfo.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\jre\bin\jabswitch.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\google\update\1.3.36.151\googleupdatecomregistershell64.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\microsoft office\office14\scanpst.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\xjc.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\java\jre7\lib\zi\wet.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\jinfo.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\office14\oarpmany.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\java.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\est.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\google\update\1.3.36.151\googleupdate.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jre7\bin\java-rmi.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\dw\dwtrig20.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\office14\msoxmled.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\CSRSS.EXE	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\etc\utc.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jre7\lib\zi\cet.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\iecontentservice.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jre7\lib\zi\wet.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files (x86)\google\update\1.3.36.151\googleupdateondemand.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\javafxpackager.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\kinit.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\orbd.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\jre\bin\javaw.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jre7\lib\zi\met.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\adobe\reader 9.0\reader\adobecollabsync.exe.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files\java\jdk1.7.0_80\jre\bin\java.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\etc\uct.txt	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\adobe\reader 9.0\reader\acrobroker.exe	a0f648d9e694e58391ffe778f16529d0N.exe
File created	\??\c:\program files (x86)\microsoft office\office14\infopath.exe	a0f648d9e694e58391ffe778f16529d0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2444	1820	a0f648d9e694e58391ffe778f16529d0N.exe	28
PID 1820 wrote to memory of 2444	1820	a0f648d9e694e58391ffe778f16529d0N.exe	28
PID 1820 wrote to memory of 2444	1820	a0f648d9e694e58391ffe778f16529d0N.exe	28
PID 1820 wrote to memory of 2444	1820	a0f648d9e694e58391ffe778f16529d0N.exe	28

C:\Users\Admin\AppData\Local\Temp\a0f648d9e694e58391ffe778f16529d0N.exe
"C:\Users\Admin\AppData\Local\Temp\a0f648d9e694e58391ffe778f16529d0N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\a0f648d9e694e58391ffe778f16529d0N.exe.exe
  C:\Users\Admin\AppData\Local\Temp\a0f648d9e694e58391ffe778f16529d0N.exe.exe
  2⤵
  - Executes dropped EXE
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
575KB

MD5
ce17302e3be09625bfaf848f5c5862d0

SHA1
593f72919741ede88b587b30320e4ca61f29be06

SHA256
1efe467f73dada37d533ea1f2a3afb82feac6c862743ea5fc53324a4a612aaa1

SHA512
983e57dd149b25c734f555d729a9bb84eaa3d3b58b92014d087f1b56be9d54b5d61126b0119cc8eaf53fde78dd1406f7b79b77c431ce179ef366b2e0bd28419e

Download Submit
\Users\Admin\AppData\Local\Temp\a0f648d9e694e58391ffe778f16529d0N.exe.exe

Filesize
228KB

MD5
88467494a92edf87f196d4889f5dbcc3

SHA1
f4f78e34e69eb87375381614c151f3f911c94401

SHA256
555991ad172e7e6d3977326f7f4ee88a9374849a8254fe5a2ede136b683c1f51

SHA512
1459379fddd38ac3253b731186c5fe6f3a6026543fecce727551dcc1e8f331d3ca24649379f876ba3ca733c52cee2d96d9dd9e72aebae26040735e926dad7e12

Download Submit
memory/1820-320-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download