140c37210d057d81b9e7a8a6c63483699812bf1b12dcd3f634bac5f8918ba896

General

Target

5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Size

497KB
MD5

5be6e2c83e2ed19e4b2c9ea83b734860
SHA1

f1e4b6ef5b36d2098b652fd2ee5c2bad936ef7dc
SHA256

140c37210d057d81b9e7a8a6c63483699812bf1b12dcd3f634bac5f8918ba896
SHA512

c051251bb6d8dd4e79aaa50f1a7450e3954c2168ebd68c3589cb2a03c24183d1c920925aa4727609aa2b1924f2ff9a48379273084b44755916bd9d011b140f03
SSDEEP

6144:yiNjjdOCJnUNKMEPDGeoo1HyisWW4g0QTxbGctE6Jm20tdVgWwAidpNCgrBF:TjjwULQoN84XQT08JoVgWwAkAQ

Score

7^/10

aspackv2 discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00060000000193ae-20.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
3044	lsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2328	Regsvr32.exe
2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISMJA.EXE = "C:\\Program Files (x86)\\svchost.exe"	5be6e2c83e2ed19e4b2c9ea83b734860N.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\I:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\M:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\J:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\K:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\L:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\U:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\V:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\E:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\O:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\R:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\T:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\G:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\N:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\P:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\Q:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\S:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ISMJA.EXE	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File created	C:\Windows\SysWOW64\Ms7002.dll	5be6e2c83e2ed19e4b2c9ea83b734860N.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\lsm.exe	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File created	C:\Program Files (x86)\HTAKJ.EXE	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File created	C:\Program Files (x86)\ISMJA.EXE	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened for modification	C:\Program Files (x86)\ISMJA.EXE	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File created	C:\Program Files (x86)\svchost.exe	5be6e2c83e2ed19e4b2c9ea83b734860N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsm.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files (x86)\\ISMJA.EXE \"%1\""	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files (x86)\\ISMJA.EXE %1"	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile	lsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files (x86)\\ISMJA.EXE %1"	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files (x86)\\ISMJA.EXE \"%1\""	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\ISMJA.EXE"	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002"	Regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	lsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2328	2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	30
PID 2312 wrote to memory of 2328	2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	30
PID 2312 wrote to memory of 2328	2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	30
PID 2312 wrote to memory of 2328	2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	30
PID 2312 wrote to memory of 2328	2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	30
PID 2312 wrote to memory of 2328	2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	30
PID 2312 wrote to memory of 2328	2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	30
PID 2312 wrote to memory of 3044	2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	31
PID 2312 wrote to memory of 3044	2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	31
PID 2312 wrote to memory of 3044	2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	31
PID 2312 wrote to memory of 3044	2312	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	31

C:\Users\Admin\AppData\Local\Temp\5be6e2c83e2ed19e4b2c9ea83b734860N.exe
"C:\Users\Admin\AppData\Local\Temp\5be6e2c83e2ed19e4b2c9ea83b734860N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2328
- C:\Program Files\lsm.exe
  "C:\Program Files\lsm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ISMJA.EXE

Filesize
497KB

MD5
7ecb24548701903684a96c8f159c9f34

SHA1
b7f5079f6b8c70ae8e9804ee65ff8626db676f85

SHA256
fc9bc9b87aca32784f46eedbee8fca1c995594e754475400ecfed26eba44151d

SHA512
815e6d4cd2aa2a916c7fc385b6a403ac952022bb650e86dab97a8e046da7f39e4059e822f726b92dfad008851e42d930267487680a77d3c924a502549d8db853

Download Submit
C:\Windows\SysWOW64\Ms7002.dll

Filesize
52KB

MD5
876a2a99b81968f5b26e3cbe12063d2b

SHA1
7afa8f33b691b2651b65eb07220cc2fda4b7537c

SHA256
f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0

SHA512
ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

Download Submit
C:\filedebug

Filesize
297B

MD5
45dc5582860c3591de1a78a70bb8cd9e

SHA1
a3ced7a8f5d29f902c6918f6be0f0977a12db90a

SHA256
c1f05731d3bfd34d0eab593a6628bcb006ae2a69811487c68d7e3c1957adb729

SHA512
e94428bca22732e3495c0a0db25fc6cebd2f4d6a61c5d88a0d4e3da562dd93e1a2cae727e509e1e780f8303563ca00c64ae900cf435172e284aae07029686afc

Download Submit
\Program Files\lsm.exe

Filesize
497KB

MD5
ee060f1825be1963a3d8b11ff77a8bd6

SHA1
09e1e64be05abaaca46e621cd1805e48d6fb4da3

SHA256
2495982fc8826ae508684e9a5a8a6fec0b46f090003ef9ee41646645b10d6af0

SHA512
1b6d48073d97b5ece74e9db4950c0c9cd6b19dc2c351808959070d1fa0053bc67b4b0f06a1b792a35d4baf98de4161c524b6bc1d77459c4b3c4d27ceeb3630ac

Download Submit
memory/2312-2-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/3044-29-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3044-30-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads